Support Forum
unknown1020
New Contributor III

Agent-based FSSO for Windows AD

In my FortiGate firewall I have several LAN networks, and I would like to implement agent-based FSSO for Windows AD, since within my organization we are several users. The purpose is to have greater access control over the users of my organization.
My question is: if I have several LAN networks, should I have several FSSO agents? I understand that the agent must be installed on a server and the user groups are configured from there. I found this URL on the topic.
Thanks for your support.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Agent-in-polling-mode/ta-p/228136

Markus_M
Staff

Hi,

No, different subnets are no problem. The agent does not care.

The Collector Agent receives a logon event either via polling, TS Agent or DC Agent. The event contains username and workstation. The workstation gets a DNS lookup and we have the IP. The username gets a group membership lookup, and we get the groups. The group filter has to match one of the groups and then this user can be transferred to the firewall with that coupled IP+user and a group. Subnet is irrelevant unless it is for network data transport, as Collector has to poll over another router to a DC in another subnet. That however is unrelated to the polling results.


The best info we have for this is this handbook.

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/482937/agent-based-fsso

The FSSO/Collector Agent is required only to be installed on a domain member host, not necessarily a DC. The DC Agent is not required.

Best regards,

Markus
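As an added illustration of the Collector Agent flow described in the reply (example code written for this page, not Fortinet's own implementation), here is a small Python model of logon event -> workstation DNS lookup -> group membership lookup -> group filter. The DNS records, AD group memberships and filter are constructed sample data; the model shows that users from different subnets land in the same IP+user+group table, and that a workstation with no DNS answer never produces an entry.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample data (not from the original post): DNS records for
# workstations, AD group membership, and the Collector Agent's group filter.
DNS = {"ws-hr-01": "10.10.1.25", "ws-fin-07": "10.20.5.110", "ws-lab-03": "10.30.9.4"}
AD_GROUPS = {
    "alice": ["Domain Users", "HR-Staff"],
    "bob": ["Domain Users", "Finance"],
    "carol": ["Domain Users"],
}
GROUP_FILTER = {"HR-Staff", "Finance"}  # only these groups are sent to the firewall


@dataclass(frozen=True)
class LogonEvent:
    """What the Collector receives from polling, the TS Agent or the DC Agent."""
    username: str
    workstation: str


def resolve_logon(event, dns=DNS, ad_groups=AD_GROUPS, group_filter=GROUP_FILTER):
    """Mimic the Collector Agent: workstation -> IP, user -> groups, then keep the
    event only if at least one group passes the filter.
    Returns (ip, username, matched_groups) or None if the event is dropped."""
    ip = dns.get(event.workstation.lower())
    if ip is None:
        return None  # no DNS answer: nothing to couple the user to, entry dropped
    groups = set(ad_groups.get(event.username.lower(), []))
    matched = sorted(groups & group_filter)
    if not matched:
        return None  # user is in none of the filtered groups: not sent to firewall
    return (ip, event.username.lower(), matched)


def build_fsso_table(events, **kw):
    """Process a batch of logon events; the source subnet is never consulted."""
    table = {}
    for ev in events:
        entry = resolve_logon(ev, **kw)
        if entry:
            ip, user, groups = entry
            table[ip] = (user, groups)
    return table


def subnets_in_table(table):
    """List the /24 subnets present, to show entries from several LANs coexist."""
    return sorted({str(ip_network(f"{ip}/24", strict=False)) for ip in table})
```

The dropped-on-no-DNS path is the one to watch operationally: stale or missing workstation records mean a logon either produces no entry or couples the user to the wrong IP, so accurate DNS matters as much as the group filter for FSSO correctness.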
