Article Id 220484
Description This article describes the steps involved in FortiGate-VM Cloud Deployment on Azure for WVD Environments.
Scope FortiGate Cloud, Azure.
Solution

This article covers a case where the user wants to apply identity-based (user/group) policies to outbound traffic, each with its own Web Filter, Application Control, IPS and AV profile, using a FortiGate-VM.

 

The environment has two Windows Active Directory domain controllers (one is enough; more than one gives fault tolerance). Users connect and authenticate with their domain credentials, and each user is restricted to the filtering policies assigned to their group.

 

Overview of Deployment Steps:

 

1) Deploy FortiGate-VM on Azure using the preferred method, such as BYOL, PAYG, ARM Templates etc.

2) Azure Configuration – UDR, NSG etc.

3) FortiGate configuration – Windows AD (LDAP) integration, profile and policy design, Fortinet SSO Fabric Connector.

4) Install the Fortinet FSSO Collector Agent on the Windows AD server, followed by the DC Agent.

5) Install the Fortinet TS Agent on the WVD server (terminal server / session host).

6) Configure the TS Agent, the FSSO Collector Agent and the FortiGate for Fortinet Single Sign-On.

 
Deployment:
 

Phase 1: New FortiGate NGFW implementation

 

Create a new VM instance on Azure using the preferred method.

 

In the example image below, 'FortiGate Single VM with ARM template' has been used.

 
Aashiq_Z_0-1660150556082.png
 
Aashiq_Z_1-1660150630972.png

 

Aashiq_Z_2-1660150631077.png

 

Aashiq_Z_3-1660150630914.png

 

- Select the respective WAN subnet. Here, the FortiGate has received a new WAN IP from that subnet.

- Select the respective LAN subnet.

- Create the required Security Profiles and Firewall Policies.

- Integrate with both the on-cloud and on-premises Domain Controllers.

 

Aashiq_Z_4-1660150631160.png

 

- Create the required User Groups.

 

Aashiq_Z_5-1660150631095.png

 

Aashiq_Z_6-1660150630977.png

 

Create Firewall Policies at the top of the policy table to allow WVD traffic

 

- Use Internet Service Database (ISDB) entries such as Microsoft Azure, Microsoft DNS, or Microsoft Office 365 as the destination, so the policy follows Microsoft's published ranges without maintaining address objects by hand.

- Refer to the following Microsoft article:

https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list

 

Aashiq_Z_7-1660150631144.png

 

- Create the required Web Filter, App Control, and IPS profiles.

- Configure the respective Firewall Policies for different Users/Groups.

 

Note: All identity-based policies should sit BELOW the WVD Safe URL policy, so that the WVD infrastructure traffic (which is not tied to a logged-on user) is matched first.

 
Aashiq_Z_8-1660150630930.png
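The Phase 1 FortiGate configuration above, written out as an added FortiOS CLI example (this is not configuration from the original article): LDAPS server objects for the domain controllers, the FSSO connector pointing at the collector agents, FSSO user groups, an address object for the WVD session hosts, the WVD safe-URL policy first, and the identity-based policies below it. Every name, IP address, DN, interface and profile name is an assumption; the ISDB entry names must be checked against the firewall's own Internet Service list.

```text
# Added example, FortiOS 7.x CLI syntax. All names, addresses, DNs, ports
# and profile names are assumptions; replace them with your own values.

# --- LDAP servers: one object, primary + secondary DC, bound over LDAPS ---
config user ldap
    edit "AD-DC1"
        set server "10.0.2.4"                  # assumed on-cloud DC
        set secondary-server "10.10.0.4"       # assumed on-premises DC
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=corp,DC=example,DC=com"
        set password "<service-account-password>"
        set secure ldaps                       # bind password never crosses the wire in clear
        set port 636
        set ca-cert "CORP-Root-CA"             # CA that issued the DC certificates
        set server-identity-check enable       # reject a DC presenting the wrong cert
    next
end

# --- Fortinet SSO fabric connector: both collector agents for fault tolerance ---
config user fsso
    edit "AD-FSSO"
        set server "10.0.2.4"                  # collector agent #1
        set port 8000                          # default collector listening port
        set password "<collector-agent-password>"
        set server2 "10.10.0.4"                # collector agent #2
        set port2 8000
        set password2 "<collector-agent-password>"
        set ssl enable                         # encrypt FortiGate <-> collector traffic
        set ldap-server "AD-DC1"               # group membership lookups via LDAP
    next
end

# --- FSSO groups: members are the AD group DNs learned through the collector ---
config user group
    edit "WVD-Admins"
        set group-type fsso-service
        set member "CN=WVD-Admins,OU=Groups,DC=corp,DC=example,DC=com"
    next
    edit "WVD-Users"
        set group-type fsso-service
        set member "CN=WVD-Users,OU=Groups,DC=corp,DC=example,DC=com"
    next
end

# --- WVD session-host subnet (the article's 192.168.9.34 would sit here) ---
config firewall address
    edit "WVD-Hosts"
        set subnet 192.168.9.0 255.255.255.0  # assumed session-host subnet
    next
end

# --- Policies. Evaluation follows table order, so the safe-URL policy is first ---
config firewall policy
    edit 1
        set name "WVD-Safe-URLs"               # no user match: platform traffic from the hosts
        set srcintf "port2"                    # LAN interface
        set dstintf "port1"                    # WAN interface
        set srcaddr "WVD-Hosts"
        set internet-service enable            # replaces dstaddr/service with ISDB entries
        set internet-service-name "Microsoft-Azure" "Microsoft-Office365"   # verify names locally
        set action accept
        set schedule "always"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "WVD-Admins-Outbound"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "WVD-Hosts"
        set dstaddr "all"
        set groups "WVD-Admins"                # FSSO: matched passively, no login prompt
        set service "ALL"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "WF-Admins"
        set application-list "AC-Admins"
        set ips-sensor "default"
        set av-profile "default"
        set nat enable
        set logtraffic all
    next
    edit 3
        set name "WVD-Users-Outbound"          # tighter profile and services for standard users
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "WVD-Hosts"
        set dstaddr "all"
        set groups "WVD-Users"
        set service "HTTP" "HTTPS" "DNS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "WF-Users"
        set application-list "AC-Users"
        set ips-sensor "default"
        set av-profile "default"
        set nat enable
        set logtraffic all
    next
    edit 4
        set name "WVD-Unidentified-Deny"       # explicit, logged deny for sessions with no FSSO logon
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "WVD-Hosts"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set logtraffic all
    next
end

# Policy IDs do not define precedence. If the safe-URL policy was created
# after the identity policies, move it to the top explicitly:
config firewall policy
    move 1 before 2
end
```

Two points worth noting about the design: FSSO-based policies never challenge the user, so a session from a host with no logon entry simply falls through to the next policy, which is why the explicit deny at the bottom (rather than relying on the implicit deny) gives a log line for unmapped users. And because the safe-URL policy has no `groups` line, it must be above the identity policies, otherwise WVD broker and agent traffic from a host with no logged-on user would be dropped.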

 

Phase 2: Testing

 

Test the following:

- The connection from the FortiGate to the AD domain controllers (LDAP bind).

- The FSSO Collector Agent and DC Agent installed on the DCs, and the TS Agent installed on the WVD terminal servers.

- FSSO Collector Agent configuration (DC Agent mode): https://kb.fortinet.com/kb/documentLink.do?externalID=FD39911

- TS Agent configuration: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45634

- Connectivity and traffic from those instances.

- That traffic from each user matches the intended firewall policy and that the attached Web Filter profile is enforced.

- That the different services behave as expected.

 

Successful testing for User Based Traffic should appear similar to the following:

 

Aashiq_Z_9-1660150631228.png
 

As seen above, the IP address of the WVD terminal server is the same, 192.168.9.34, but several user logins are listed against it, each with its own group membership. This is the intended behavior: the TS Agent reports each session separately, so identity-based policies match per user rather than per source IP.
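The Phase 2 checks, as an added set of FortiOS CLI diagnostics (these are not commands from the original article). The object names "AD-DC1" and "AD-FSSO", the collector address 10.0.2.4 and the test account are assumptions; 192.168.9.34 is the terminal server address shown above.

```text
# Added example: FortiOS CLI checks matching the Phase 2 test list.
# "AD-DC1", "AD-FSSO", 10.0.2.4 and the user jdoe are assumed values.

# 1) LDAP: bind with the service account and look up a test user. The
#    output should end with the user's group DNs, not an invalid-credential
#    or connection error.
diagnose test authserver ldap AD-DC1 jdoe "<jdoe-password>"

# 2) Collector agents: every configured server should report as connected.
diagnose debug authd fsso server-status

# 3) If a collector shows disconnected, confirm TCP/8000 actually leaves the
#    FortiGate and gets answered (an Azure NSG in the path is the usual cause).
diagnose sniffer packet any 'host 10.0.2.4 and port 8000' 4 10

# 4) Logon list learned from the DC Agents and the TS Agent. On a WVD session
#    host every logged-on user should appear as its own entry with the same IP.
diagnose debug authd fsso list
diagnose debug authd fsso summary

# 5) Groups or logons look stale? Pull them again from the collector.
diagnose debug authd fsso refresh-groups
diagnose debug authd fsso refresh-logons

# 6) Check that a destination used by WVD really is covered by the ISDB entry
#    referenced in the safe-URL policy (replace the address with one the client
#    is connecting to, taken from the Microsoft safe URL list).
diagnose internet-service match root 13.107.4.52 255.255.255.255

# 7) See which policy a session from the terminal server actually hits.
diagnose debug flow filter addr 192.168.9.34
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... generate traffic from the session host, then stop cleanly:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 8) Confirm the Web Filter profile was applied to that user's traffic.
execute log filter category 3          # 3 = utm-webfilter
execute log filter field user jdoe
execute log display
```

Step 7 is the direct test of the note in Phase 1: the flow trace names the policy ID a session matched, so a host-level WVD connection should report the safe-URL policy and a user's browsing should report the policy carrying that user's group. Always run the `debug disable` and `filter clear` lines afterwards; a forgotten flow filter keeps the CPU busy on a production unit.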

 

Article credits: Amarpreet Singh - 'Joshiamarpreet.