Fortinet Forum
mehdi_ouazaa
New Contributor II

LDAP auth: connect FortiGate to production DC or create DMZ RODC?

Hi all,

I am planning to use FSSO to authenticate my SSL VPN users.

I need your kind advice whether it is safe to connect my FortiGate directly to the production LDAP server (my AD domain controller) or whether I should rather create a RODC in the DMZ and connect to it?
Thanks a lot

trump26901
New Contributor

I think this would be more of an organizational policy question and how paranoid you want to be.  The FSSO agent runs with the service level of the account you give to it, so as long as you lock that account down to whatever level you desire, you should be fine, but certainly a RODC would provide an even greater level of isolation.  Putting it into the DMZ doesn't provide you with any extra protection unless you plan on using the RODC for something else that would benefit from being in a DMZ since it is the firewall that would be talking to the RODC and it wouldn't give your normal DCs any extra protection because the firewall has access to those networks too.

xsilver_FTNT
Staff

Hi, for active authentication I would rather use LDAP (or RADIUS via NPS) to authenticate users inside VPNs.
FSSO is fine, but it is designed more as passive authentication, which re-uses an already made logon event. So the FSSO Collector (like FortiAuthenticator or a standalone Collector Agent installed on a DC {or any domain server}) can spot the logon and make an FSSO record for the source IP (on Terminal Servers, with the help of TSAgent, it's source IP + source port) based on that logon + LDAP groups + DNS check. As in VPN you probably do not have that domain logon in advance, I would use LDAP/RADIUS instead of FSSO. Unless you want to use FortiAuthenticator and SSOMA (Single Sign-On Mobility Agent), part of FortiClient installed on the connecting workstation. This way we can have an idea who is logging in, enforce 2FA with a token at Windows logon, etc.
And if you still want to know whether a direct connection to the DC is OK: I guess that your FortiGate will access that DC via an internal, out-of-band (management) network (or VLAN, or VPN if it's a distant DC), so it's supposed to be a somewhat safe connection. Then I would say yes. Make an extra admin account that will be used by the FortiGate to communicate with the DC via LDAP regular bind. RADIUS is a bit simpler in this matter as it uses a pre-shared secret, so make it strong enough.
Tom xSilver, planet Earth, over and out!
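As an added example (not part of Tom's reply and not a Fortinet-supplied config), this is what the "dedicated account, LDAP regular bind, reached over the management network" advice above looks like in FortiGate CLI, with the LDAP session wrapped in LDAPS and the VPN group restricted to one AD group. The server name, source IP, DNs and the CA certificate name are made-up placeholders.

```fortios
# Added example: LDAP server object using a dedicated, low-privilege bind account.
# dc01.corp.example, 10.255.0.5, the DNs and CA_Cert_1 are constructed placeholders.
config user ldap
    edit "AD-DC01-LDAPS"
        set server "dc01.corp.example"
        # Source the LDAP traffic from the management address so the DC-side
        # firewall rule can be scoped to exactly this peer.
        set source-ip 10.255.0.5
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        # Regular bind with a named service account rather than an anonymous bind.
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=corp,DC=example"
        # Placeholder: a strong, unique secret that no other system shares.
        set password <strong-unique-secret>
        # TLS from the first byte (port 636), with the DC certificate actually
        # verified against the AD issuing CA instead of being accepted blindly.
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end

# VPN group: only members of one AD group are authorised, regardless of
# who is able to bind and authenticate against the directory.
config user group
    edit "VPN-Users"
        set member "AD-DC01-LDAPS"
        config match
            edit 1
                set server-name "AD-DC01-LDAPS"
                set group-name "CN=VPN-Users,OU=Groups,DC=corp,DC=example"
            next
        end
    next
end
```

Pair this with a firewall rule on the management segment that permits only TCP/636 from the configured source-ip to the DC; that scoping, plus a service account with read-only directory rights, is what makes "direct to the production DC" a defensible choice rather than a shortcut.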