FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
jiahoong112
Staff
Article Id 287529

Description

This article describes how to configure FortiGate FSSO TSAgent with FortiAuthenticator as the Collector Agent.

Scope

Components:

  • FortiGate (FGT for short) – uses the FSSO information.
  • FortiAuthenticator (FAC for short) – FSSO Collector Agent.
  • Windows AD – LDAP server and TSAgent.
  • In this article, CA is the acronym for Collector Agent (the FSSO Collector Agent), not certificate authority.

Solution

FortiAuthenticator acts as the FSSO Collector Agent that FortiGate connects to. The TS Agent (or DC Agent) installed on the Windows AD server sends user logon events to the FortiAuthenticator Collector Agent, and the FAC-CA forwards the resulting logon sessions (user name, IP address and group membership) to FortiGate, which matches them against FSSO user groups in firewall policies. By default the DC/TS Agent sends to the collector on UDP port 8002, and FortiGate connects to the collector on TCP port 8000; both ports must be reachable through any firewalls in the path.

 

Configuring the Windows AD (installing TSAgent – assuming that LDAP is already configured):

 

  1. Download the TSAgent from support.fortinet.com.

jiahoong112_0-1701681754236.png

 

  2. After installing the application on the Windows AD server, the TS Agent configuration window should look like this. Refer to the screenshot for the required settings (in particular, the FortiAuthenticator IP address as the Collector Agent) and then select Apply:

jiahoong112_1-1701681754241.png
  3. Below is an example of the LDAP user database that will be referred to in the rest of this article:

 

jiahoong112_2-1701681754247.png

 

Configure the FortiAuthenticator:

 

  1. Ensure the FortiAuthenticator interface that faces the Windows AD server and the FortiGate has the services shown in the screenshot enabled. Also ensure FortiAuthenticator has the correct static routes configured and can ping both the FortiGate and the Windows AD server:


jiahoong112_3-1701681754257.png

 

  2. Next, go to Fortinet SSO Methods -> SSO -> General.
    1. Under FortiGate, turn on Enable Authentication and set a Secret Key. This is the shared secret FortiGate must present when it connects to the collector, and it will be needed when configuring the CA on the FortiGate. Use a strong secret: without authentication, any host that can reach the collector port and speak the protocol could retrieve the FSSO user and group information.
    2. Under Fortinet Single Sign-On (FSSO), turn on Enable DC/TS Agent Clients.
    3. Leave the rest of the settings at their defaults.

jiahoong112_4-1701681754266.png
  3. To check whether the agent has registered, go to Monitor -> SSO -> DC/TS Agents. The TS Agent should appear there automatically. If it does not, verify that the Windows firewall on the AD server allows the TS Agent's traffic to the FortiAuthenticator (UDP port 8002 by default) and restart Windows. Temporarily disabling the Windows firewall is a quick way to confirm it is the cause, but add a rule for the agent traffic rather than leaving the firewall off.

jiahoong112_5-1701681754268.png

 

To view the SSO sessions of currently logged-on users, go to Monitor -> SSO -> SSO Sessions.

 

  4. Next, add the LDAP server on FortiAuthenticator if the groups made visible to FortiGate are to be limited; FortiAuthenticator needs LDAP access to enumerate the groups used by the filter. Go to Authentication -> Remote Auth. Servers -> LDAP -> Create New.


jiahoong112_6-1701681754276.png

 

  5. To filter the groups made visible to FortiGate, go to Fortinet SSO Methods -> SSO -> FortiGate Filtering. Here, either use the Global Pre-filter or create a new filter. If FSSO is being managed for multiple FortiGates, create a new filter per FortiGate so that each FortiGate only receives the groups it actually needs for its policies.

    The global filter applies to all FortiGates that use this FortiAuthenticator as an FSSO Collector Agent. Ensure 'Forward FSSO information for users from the following subset of users/groups/containers only' is enabled. Select Import from LDAP Server to choose the LDAP user groups to make visible to the FortiGate.

 

jiahoong112_7-1701681754280.png

 

jiahoong112_8-1701681754286.png

 

Configure the FortiGate:

  1. On the FortiGate, add the FAC-CA as the source of FSSO information. Go to Security Fabric -> External Connectors -> Create New and select FSSO Agent on Windows AD. Enter the FortiAuthenticator IP address as the primary FSSO agent and the Secret Key configured on FortiAuthenticator as its password, as shown in the screenshot below.
    After finishing the configuration, select Apply & Refresh and wait for the status to change to Connected. Select View next to Users or Groups to show the users or groups that the FortiGate has received from the collector.

jiahoong112_9-1701681754292.png

 

  2. Create an FSSO user group as shown here, with the collector-learned groups as members, and then use these FSSO user groups in firewall policies and similar places for access control.

jiahoong112_10-1701681754296.png
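As an added example that is not part of the original article, the following is the FortiOS CLI equivalent of the two FortiGate steps above, followed by the diagnose commands used to confirm the collector connection and the learned sessions. The FortiAuthenticator IP address, secret key, interface names and group DN are assumed placeholder values; the FSSO group member string must match exactly what the FortiGate learns from the collector (shown under View -> Groups, or by `diagnose debug authd fsso list`).

```fortios
# Added example, not from the article. Assumed values:
#   FortiAuthenticator (FAC-CA) at 192.0.2.10, secret key "FssoSecret!23",
#   LAN interface port2, WAN interface port1,
#   AD group CN=Finance,OU=Groups,DC=example,DC=com

# 1. Add the FortiAuthenticator as the FSSO collector agent.
#    Port 8000/TCP is the default collector port; the password is the
#    Secret Key set under Fortinet SSO Methods -> SSO -> General on the FAC.
config user fsso
    edit "FAC-CA"
        set server "192.0.2.10"
        set port 8000
        set password FssoSecret!23
    next
end

# 2. Create an FSSO user group whose member is a group learned from the collector.
#    The member name must match the learned group name exactly (assumed DN below).
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# 3. Reference the FSSO group in a firewall policy so only sessions that the
#    collector has mapped to that group match the rule (edit 0 = next free ID).
config firewall policy
    edit 0
        set name "Finance-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "FSSO-Finance"
        set nat enable
    next
end

# Verification: collector connection state, learned logon sessions,
# and a forced refresh of the group list from the collector.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
diagnose debug authd fsso refresh-groups
```

If `server-status` does not show the collector as connected, re-check the secret key on both sides and reachability of TCP port 8000 on the FortiAuthenticator from the FortiGate before looking at the agent side.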