- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Agent based FSSO and multiple/concurrent logons in...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agent based FSSO and multiple/concurrent logons into one workstation
Can someone please explain or point me to documentation on what happens when a second/concurrent user logs into a workstation? I'm not very clear on what happens and I haven't been able to find any notes regarding that kind of situation.
Example: AD Domain user01 logs on to a workstation; while working, discovers s/he needs software/plugin installed. AD admin user logs into the same workstation, while user01 is also logged in, to install that software/plugin. Let's also say that the AD admin user account is not in the Ignore User List... What security policy would be active at the point the AD admin user concurrently logs in? Does one supersede the other? And what happens to user01 security policy when the AD admin user logs off? thanks in advance
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have same problem, AD Domain user1 logs on to a workstation, then he needs to make an RDP connection with another AD user2 that has internet connection denied.
The workstation lost internet connection since now the agent has user2 authenticated.
Please someone can give us a clue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can maybe install TSagent (if the computer is used as a a terminal server), or configure NTLM authentification (requiere to configure explicit proxy).
Lucas
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
logon event is generated too when another user logs in the workstation. This is why current user is overridden.
You have to implement ignore user list in FSSO Collector Agent to ignore logons for such an user.
Ignore list supports wildcards (not regex), so you can fill ignore list with entries like rdp_admin*.
Note that also maintenance scripts running on workstation can do the same; they can generate logon event and override
current user too.
TSAgent is solution for Terminal Server and is not suitable for one-person workstations. When there is user
logged in via RDP, tsagent will allocate special source port-range for him.
Users without port-range from this IP address will be blocked on Fortigate ... which is probably not really desired in this case.
Fishbone
smithproxy hacker - www.smithproxy.org
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically FSSO is using for identity based network traffic access.
Simply , FSSO agent doesn't do anything on server access level/ or AD user level, which means infront of FSSO agent there is no "enterprise admin"/"administrator"/"schema admin" or "normal domain users" etc. It fetches only the user login details from the AD and send to the Fortigate.
You and Fortigate has to decide how to control the traffic with those logins.
For example -
1.Create a security group in AD - " Management Users" and add all management users into that security group.
2. Create a security group in AD - " Normal users " and add other normal users into the group.
3. Filter only those groups ( or as ur wish) - in FSSO agent.
4. Create 2 user groups in Fortigate with "MGMT Users" and "Normal Users" and map them with respective ( above mentioned) FSSO groups.
5. Create a policy for Managment users with source identity as " MGMT Users " and destination x.x.x.x - Here you can apply a 'less restricted' Web Filter profile /application control profile etc.
6. Create a policy for Normal users with source identity as " MGMT Users " and destination x.x.x.x - Here you can apply a 'highly restricted' Web Filter profile /application control profile etc.
Best,
Nihas
Nihas [\b]
Nihas [\b]
Related Posts
- FSSO doesnt work with Fortigate eval... 153 Views
- are excessive tcp reset errors related... 238 Views
- Trouble Receiving DHCP Packet Over S2S... 357 Views
- fortimail laboratory 472 Views
- What are the options for user... 676 Views
Labels
-
FortiGate
6,712 -
FortiClient
1,334 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
341 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
81 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
60 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiAuthenticator
21 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
FortiAP profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.