jared
New Contributor

Best Advice for Multisite Deployments

 

Hi team:

The client is headquartered in China, 70 percent of its employees are located in China, and 30 percent are located overseas.

Our plan is on-premise FortiClient EMS. Due to the Internet in China, we hope to deploy a set of EMS overseas to deal with the problem of network connectivity, so do you have any suggestions to solve this problem?

1 Solution
xsilver_FTNT
Staff

Hi jared,

To be honest, I do not see a "problem" in the first place.

Good network design usually consists of many moving parts and question-answer steps.

Like, are those HQ and overseas locations supposed to interact? If so, then how? Are those overseas locations just a few branches, or road-warrior employees, everyone with his own NTB? How are they supposed to authenticate to corporate resources, is it a single domain, AD perhaps? If so, how will they be authorized, some FSSO, SSOMA or ZTNA applied?

Splitting those EMS is also good for possible redundancy. But how do they sync?

Therefore it seems to me more like a brainstorming project than anything which could be solved by one answer on some forum.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jared

 

Thanks for the reply, Tom xSilver.
I'm sorry.

This question is not related to any technology, just some discussion about the architecture.

There is no identity integration, no combined domain functionality, just as a compliant SSLVPN access.

The overseas part we are dealing with is about telemetry linkability.

It is simply the point where we do not want overseas employees to have direct access to the Chinese Internet.

 

Perhaps this piece should be deployed two split processing.

 

xsilver_FTNT

I just heard some rumors about the Great Chinese FireWall, so I would even doubt it would be doable to have a reasonably reliable and stable single "domain" setup.

And as you mentioned, you do not even want to have those overseas interconnected to the China site, so the best would be to design it as a split setup from the very beginning.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jared

Yes, that's not a rumor, you already got the answer I wanted in your answer, thanks a lot.
