The following snippets summarize the FortiSASE Secure Internet Access (SIA) agentless secure web gateway deployment, which is also known as the FortiSASE Secure Web Gateway (SWG) deployment. To view the complete guide, go to SIA Agentless SWG Deployment Guide.
FortiSASE Secure Web Gateway Deployment
FortiSASE secure Internet access (SIA) extends an organization’s security perimeter that a next generation firewall typically achieves to remote users by enforcing common security policy for Intrusion Prevention Systems (IPS) and Application Control, web and DNS filtering, and antimalware, sandboxing, antibotnet/command and control (C&C).
SIA for agentless remote users involves setting up a web browser, or of a browser-based device using a proxy autoconfiguration (PAC) file to use the FortiSASE SWG service as an explicit web proxy. The web browser will redirect HTTP and HTTPS traffic to the SWG, which secures user web traffic by implementing SWG security policies. All other non-web traffic will bypass FortiSASE and will be forwarded to the Internet directly.
Agentless remote user authentication can be achieved by configuring the authentication source as either Active Directory / LDAP or RADIUS or as a SAML Identity Provider (SAML IdP).
Initial configuration of the proxy settings for web browsers can be automated using Windows Group Policy Objects (GPOs) or Microsoft System Center Configuration Manager (SCCM).
A typical topology for deploying this example design is as follows:
This outlines the major steps to deploy this solution. Go to Deployment procedures for detailed configuration steps:
- Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed. See Provisioning your FortiSASE instance.
- Configure users. See Configuring SSO SAML users and Configuring RADIUS users.
- Configure Secure Web Gateway policies to apply desired scanning and filtering for your users. See Configuring security profiles and SWG policies.
- Download the proxy autoconfiguration (PAC) file from the FortiSASE portal. Customize the file to exclude SSL VPN gateway and internal corporate networks. Host the custom PAC file on an externally accessible server. See Customizing the PAC file.
- Install the FortiSASE CA certificate on endpoints using steps that are specific to each operating system. See Installing the FortiSASE CA certificate on endpoints.
- Configure proxy settings on endpoints to point to the PAC file. See Configuring proxy settings on endpoints.
- (Optional) Configure the FortiSASE SWG Chrome extension for managed Chrome browsers and Chromebook support. See (Optional) Installing and configuring the SWG Chrome extension.
- Test connections to the Internet on a SWG user device. See Testing SWG user connections to the Internet.
For more information, go to SIA Agentless SWG Deployment Guide.
