Fortigate 80F 6.4.10 single domain / 3 subnets / one DC per subnet.
We have Security Fabric / External Connectors / AD Connector set up with 3 AD connectors, one for each DC.
I see that there are Connector Objects for each AD Connector - we have made the all the same. So, that's a lot of connector objects it might seem.
We want to have redundancy, thus 3 DCs. So, it seems consistent for each AD connector to have all the Connector Objects.
Is that good practice? Or should only one AD Connector be populated with Connector Objects?
Also, we have added each and every AD User and we have added an AD Group with all the same users.
This seems appropriate. Is it?
In one AD Connector, we are unable to add those AD Groups - get an error that there are too many.....
Thus this question.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@fred339 I believe @aahmadzada is saying to avoid using the "Poll Active Directory Server" connector in the foritgate and instead use the "FSSO Agent on Windows AD" connector
It can work that way but in larger environments and multiple dcs it can add an increased load on the domain controller or could cause you to reboot the domain controller for updates.
In general Microsoft recommends to not run any other applications or services on a domain controller.
If you have three DCs and a lot of groups, have you looked at setting up a FSSO server? You do not need a license for it, just download the agent to run on a windows server (not a DC) and then install the DC agents. The FSSO server will collect all the necessary data from the DCs and just send the results to the Fortigate. Removes a lot of the overhead from the fortigate.
This is an older doc but the process is pretty much the same now:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/615946/agent-based-fsso-for-windows-ad
@distillednetwork Ah! Thank you!
OK, after some thought, I see how this would reduce the number of objects by a factor of 3; since there would be only one External Connector needed for the one AD Connector on the FSSO server.
I guess that an AD User is one connector object and an AD Group is one connector object - no matter how many members in the Group.
So, this raises a question:
If there are 3 DC Agents each on one of the 3 DCs then can the FSSO Agent on one of them be the only FSSO Agent - instead of on a separate server? You said:
"download the agent to run on a windows server (not a DC)"
Somehow that seems counterintuitive when the DC-resident FSSO Agents have to work - the difference being that they don't have to collect from other DCs? But they seem to! Would that only entail setting up one External Connector on the Fortigate?
Thanks again!
The FSSO is a collector server and should not be run on a DC. Once you setup the FSSO collector server, it will install DC Agents on each DC you want to manage to pull the data in. You can pick which DCs to montior (you will want to do all in your domain). Then in the Fortigate you will use the FSSO connector (not AD Connector) to have the fortigate get the FSSO details.
The FSSO agent server just runs as the middle man collecting the data and sending it to Fortigate so the firewall doesn't have to process that data.
Created on 10-24-2022 01:12 PM Edited on 10-24-2022 01:12 PM
I'm not grasping all of this yet. I have DC Agents on all the DCs.
I have FSSO connectors on the Fortigate.
I have an FSSO Agent installed on all of the DCs but, it appears, am only really using one of them.
Are you saying that to use DC Agent Mode, one has to have a separate Windows Server to run FSSO Agent?
It seems to be working....
Would definitely suggest avoid using the built-in fsso poller(AD Connector) as it has a lot of limitations and is usually used only for test/demo purposes.
FSSO Collector agent on the other side has a wide range of settings and flexibility, and is scalable and robust compared to the local poller. A list of differences can be found here:
@aahmadzada Thank you for the suggestion! I must say that I have been and remain somewhat confused because of all the variation in terms being used. This question and replies seems like a good example.
On the Fortigate / External Connectors there appear to be 2 choices in our case today:
FSSO Agent on Windows AD and Poll Active Directory Server. But, I don't see "built-in FSSO poller (AD Connector)" as such. Also, it's not clear what FSSO Collector agent refers to here...
We have installed DC Agents on the DCs and the approach seems to be working....
?
@fred339 The FSSO agent can be downloaded from the support site. Here is a guide that talks about how to setup the FSSO agent server and link it to your DCs and the fortigate:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent
This is what the data flow looks like when using the FSSO collector agent:
@distillednetwork Thank you. Well, I think this approach is pretty clear to me. I do appreciate the diagram! We haven't taken this approach so far.
But, right now, my main question resulting from responses is this:
@aahmadzada Thank you. What the heck is "the built-in fsso poller(AD Connector)"?
@fred339 I believe @aahmadzada is saying to avoid using the "Poll Active Directory Server" connector in the foritgate and instead use the "FSSO Agent on Windows AD" connector
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1548 | |
1032 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.