Hi team:
The client is headquartered in China, 70 percent of its employees are located in China, and 30 percent are located overseas.
Our plan is on-premise FortiClient EMS. Due to the Internet in China, we hope to deploy a set of EMS overseas to deal with the problem of network connectivity, so do you have any suggestions to solve this problem?
Hi jared,
To be honest, I do not see a "problem" in the first place.
Good network design usually consists of many moving parts and question-answer steps.
Like, are those HQ and overseas locations supposed to interact? If so, then how? Are those overseas locations just a few branches, or road-warrior employees, everyone with his own NTB? How are they supposed to authenticate to corporate resources; is it a single domain, AD perhaps? If so, how will they be authorized: some FSSO, SSOMA or ZTNA applied?
Splitting those EMS is also good for possible redundancy. But how do they sync?
Therefore it seems to me more like a brainstorming project than anything which could be solved by one answer on some forum.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Created on 06-01-2022 06:27 PM Edited on 06-01-2022 06:31 PM
Thanks for the reply, Tom xSilver.
I'm sorry.
This question is not related to any technology, just some discussion about the architecture.
There is no identity integration, no combined domain functionality, just as a compliant SSLVPN access.
The overseas part we are dealing with is about telemetry linkability.
It is simply the point where we do not want overseas employees to have direct access to the Chinese Internet.
Perhaps this piece should be deployed two split processing.
I have just heard some rumors about the Great Chinese Firewall, so I would even doubt it would be doable to have a reasonably reliable and stable single "domain" setup.
And as you mentioned that you do not even want to have those overseas interconnected to the China site, the best would be to design it as a split setup from the very beginning.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Yes, that's not a rumor; you already got the answer I wanted in your answer. Thanks a lot.