Scope
This article covers FortiGate ('FGT' for short) consuming FSSO information from FortiAuthenticator ('FAC' for short) acting as the FSSO Collector Agent, together with Windows AD, an LDAP server, and TSAgent. The term CA used in this article is the acronym for Collector Agent in the context of the FSSO Collector Agent.

Solution
In this setup, FortiAuthenticator acts as the FSSO Collector Agent that connects to FortiGate. The TSAgent or DC Agent installed on the Windows AD server sends user logon information to the FortiAuthenticator FSSO Collector Agent, and the FAC-CA then forwards this login information to FortiGate.
Configuring the Windows AD (installing TSAgent – assuming that LDAP is already configured):
- Download the TSAgent from support.fortinet.com.

- After installing the application on the Windows AD, it should look like this. By default, the dynamic port range in some Windows versions was 1024-5000 for both TCP and UDP. It is possible to change the start value; after the change, a restart of the TS Agent is required. Refer to the screenshot to configure the necessary information and then select Apply:

- Below is an example of the LDAP user database that will be referred to. The TSAgent configuration is stored as registry records under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\TSAgent:

Configure the FortiAuthenticator:
- Ensure the interface that connects to the Windows AD and FortiGate has the following services enabled. Ensure FortiAuthenticator has the correct Static Routes configured and can ping both the FortiGate and Windows AD:

- Next, go to Fortinet SSO Methods -> SSO -> General.
- Under FortiGate, turn on Enable Authentication and create the Secret Key. It will be necessary when configuring the CA in the FortiGate.
- Under Fortinet Single Sign-On (FSSO), turn on Enable DC/TS Agent Clients.
- Leave the rest of the settings as the default options.

- To check whether it is successful or not, go to Monitor -> SSO -> DC/TS Agents. It should be possible to see the TS Agent over here; it should appear automatically. If nothing appears there, try turning off the Windows firewall on the AD and restarting Windows.

To view the SSO login sessions of logged-on users, simply go to Monitor -> SSO -> SSO Sessions.
- Next, it will be necessary to add the LDAP server on FortiAuthenticator if it is desirable to limit the number of groups made visible to FortiGate. Go to Authentication -> Remote Auth. Servers -> LDAP -> Create New.

- To filter the groups that are to be made visible to FortiGate, go to Fortinet SSO Methods -> SSO -> FortiGate Filtering. Here, it is possible to use the Global Pre-filter or create a new filter. If FSSO is being managed for multiple FortiGates, it is advised to create a new filter because it will then be possible to specify which groups to make visible to each FortiGate.
The global filter will apply to all FortiGates that use this FortiAuthenticator as an FSSO Collector Agent. Ensure 'Forward FSSO information for users from the following subset of users/groups/containers only' is enabled. Select Import from LDAP Server to select the LDAP user groups desired to make visible to the FortiGate.


Configure the FortiGate:
- Here in FortiGate, it will be necessary to add the FAC-CA for the FSSO information. Go to Security Fabric -> External Connectors -> Create New and select FSSO Agent on Windows AD. Follow the directions shown in the screenshot below.
After finishing configuration, select Apply & Refresh and wait for the FortiGate status to change to Connected. Select View for Users or Groups to show the users or groups that are synced and seen by the FortiGate.
- It is possible to create an FSSO user group as shown here and then use these FSSO user groups in firewall policies, etc., for access control purposes.
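The FortiGate side of the procedure above, expressed in the FortiOS CLI as an added example (not taken from the original article). The FortiAuthenticator address, secret key, group DN and interface names are placeholders; the two diagnose commands at the end show the same state the GUI reports as Connected and under View for Users or Groups.

```fortios
# Collector Agent entry pointing at the FortiAuthenticator.
# FAC listens for FortiGate on TCP 8000 by default; the password is the
# Secret Key created under Fortinet SSO Methods -> SSO -> General.
config user fsso
    edit "FAC-CA"
        set server "192.0.2.10"                 # placeholder: FortiAuthenticator IP
        set port 8000
        set password "<secret-key-from-FAC>"    # placeholder: Secret Key from FAC
    next
end

# FSSO user group bound to an AD group that the FAC filter forwards.
config user group
    edit "FSSO_Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=local"   # placeholder DN
    next
end

# Firewall policy that grants access only to members of the FSSO group.
config firewall policy
    edit 0
        set name "FSSO-Finance-Out"
        set srcintf "port2"                     # placeholder: LAN interface
        set dstintf "port1"                     # placeholder: WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Finance"
        set nat enable
    next
end

# Verification: connection state to the Collector Agent and the logon list.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

If server-status does not show the FAC as connected, confirm the interface services and static routes on the FortiAuthenticator (see the FAC steps above) before revisiting the secret key.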

Related article:
Technical Tip: How to setup TS-Agent configuration