Fortinet Forum
NSC
New Contributor

FortiAuthenticator best practices

Hello,

 

We are moving pretty much everything to Fortinet (sick & tired of being stuck between vendors pointing fingers at each other).

 

In the process of deploying FortiAuthenticator for MFA on VPN and desktops, but before I register the IP address for the already installed and configured FA, I'd like to know if it should be in the DMZ?

-Everything is on-prem.

-To start with, we'll be using OTP for MFA

-Windows Environment (Win10/2016)

-Local CA root installed and I can import users from AD.

 

Is there anything else I should watch for?

Thank you!
lmarinovic
Staff

Hello,

 

You don't need a public IP for FAC. FAC can be behind the firewall, in this case the FortiGate, as you are moving everything already.

 

The FortiGate can hold that public IP and FAC can stay behind NAT. You will probably need NAT if, for example, you want to use FortiToken Mobile push notifications, because in this case the phone will directly contact the FAC (via the FortiGate, as the FAC is behind NAT in this case).

 

Here is the KB that explains that:

 

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthentic...

 

Make sure that FAC has an internet connection as well, as it will need that for token assignment, for example.

 

Other than that, you want to make sure that FAC will have a connection to the internal network, because it will need to contact the LDAP server in this case.

Also a connection to the FortiGate that holds the SSL VPN, for example, and acts as the RADIUS client.

 

FAC also needs to have one IP that will be tied to the license file itself (that IP address can be from a private range). You can use the same IP for GUI, authentication and license, but in this case, if you change the IP for authentication (RADIUS, TACACS, etc.) in the future, the license will not be valid and you will have to add the new IP to the support portal and then redownload and upload the license again to the FAC.

 

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-License-update-for-administrative-IP-c...

 

If you have more questions, feel free to ask them :)

 

Best regards,

 

Lazar Marinovic

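To make the placement Lazar describes concrete, here is an added FortiOS CLI example (not from the thread or from Fortinet's documentation) for the FortiGate side of that layout: the FortiGate as RADIUS client for the SSL VPN, an inbound VIP only if FortiToken Mobile push is used, and outbound access for the FAC to the internet and the domain controller. Interface names (wan1, port2), the FAC address 10.10.10.5, the public IP 203.0.113.10, the LDAP server 10.10.10.20 and the shared secret are all assumed placeholders; the push port is assumed to be HTTPS/443, so verify it against the push-service settings on your own FAC.

```fortios
# Added example, not from the original thread. All names and addresses are assumed.
# wan1 = WAN, port2 = internal LAN, FAC = 10.10.10.5, DC/LDAP = 10.10.10.20

config firewall address
    edit "FAC-host"
        set subnet 10.10.10.5 255.255.255.255
    next
    edit "DC-LDAP"
        set subnet 10.10.10.20 255.255.255.255
    next
end

# 1. FortiGate as RADIUS client: SSL VPN users are authenticated by FAC.
#    FAC must also list this FortiGate as a RADIUS client with the same secret.
config user radius
    edit "FAC-RADIUS"
        set server "10.10.10.5"
        set secret "REPLACE_WITH_SHARED_SECRET"
        set auth-type pap
    next
end

# 2. Only for FortiToken Mobile push: the phone reaches the FAC through the
#    public IP held by the FortiGate, so forward that one port to the FAC.
config firewall vip
    edit "VIP-FAC-push"
        set extip 203.0.113.10
        set mappedip "10.10.10.5"
        set extintf "wan1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set name "Inbound-FAC-push"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-FAC-push"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 3. Outbound from the FAC: internet for token assignment, LDAP to the DC.
#    Restricting srcaddr to the FAC host keeps the rule from becoming a general egress policy.
config firewall policy
    edit 0
        set name "FAC-outbound-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "FAC-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

If the FAC and the domain controller sit on the same internal interface, no FortiGate policy is needed for LDAP; if they are on different interfaces, add an equivalent internal policy from "FAC-host" to "DC-LDAP" for LDAP/LDAPS only. Leave the inbound VIP out entirely while you are on plain OTP, and add it only when push is enabled, since it is the one piece that exposes the FAC to the internet.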
Debbie_FTNT

A note to the above:

The licence and IP address issue Lazar mentioned above applies to FortiAuthenticator VMs only, not hardware devices :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++