FortiGate
vrajendran (Staff)
Article Id 192432

Description

This article describes the advantages and disadvantages of using the Standard versus the Advanced Windows directory access method on the FSSO Collector Agent.

Scope

FortiGate.


Solution

The main difference between Standard and Advanced modes is the naming convention used to identify groups:

Standard mode: uses the regular Windows convention: Domain\Username.
Advanced mode: uses LDAP distinguished names: CN=User, OU=Name, DC=Domain.

If there is no specific requirement to use LDAP naming, Fortinet recommends setting up FSSO in Standard mode. This mode is easier to set up, requires less configuration, and is usually easier to maintain and troubleshoot.

Standard mode provides the same functionality as Advanced mode, with the following exceptions:

Group filters have to be created on the Collector Agent rather than on the FortiGate, as is possible in Advanced mode. This should not be a constraint, and Fortinet strongly encourages users to create filters on the CA.

Advanced mode supports nested groups, which means a user may be matched as a member of a monitored group through membership in one of its subgroups. Standard mode does not support nested groups, so a user must be a direct member of the group being monitored.

The packet size of the FSSO protocol is limited, so when the CA is used in Advanced mode without a group filter, only up to 2047 groups can be sent to the FortiGate.

 

Prior to FortiGate version 6.0.x:

[Image: before 6.0.png]

 

Starting with FortiGate version 6.2.x, 'Standard mode' has been renamed to 'Collector Agent', while 'Advanced mode' is now referred to as 'Local'.

[Image: 6.2-firewall.png]

 

Collector Agent:

  • Selected when the FSSO Collector Agent is configured in Standard mode.
  • The Group Filter for users is defined on the Collector Agent.

Local:

  • Selected when the FSSO Collector Agent is configured in Advanced mode.
  • The Group Filter for users is defined on the FortiGate.
  • The FortiGate can browse the user and group tree provided by the Collector Agent; however, the groups to monitor must be explicitly selected.

 

Related article:

Technical Note: FSAE Troubleshooting Guide