degwi
New Contributor

Collector Agent in a multi-site AD environment: how to authenticate users?

Hi all,


I'm in the process of setting up a FortiGate as a proxy/web filter. For this, I have created user groups in our (2008) AD and have installed DC Agents and Collector Agents (CA).

We have a multi-site Active Directory environment (about 25 AD sites), with AD-integrated DNS and with one single firewall for all sites.

As soon as a user logs in, the DC Agent will inform the CAs. The CA will do a (reverse) DNS lookup on the workstation/IP.

As long as the client is in the same AD site, the lookup will work, but as soon as the client has its logon server in a different AD site, the DNS lookup will fail at first. After the AD sync, the lookup will work.

This AD sync is set to the minimum time of 15 minutes, which means that the domain controllers will sync every 15 minutes with their direct peer. (From the outer leaf to the CA there is a maximum of 3 AD hops, meaning max 3 * 15 minutes to sync. But even one sync cycle is too much.)


My question is: who has a similar environment with multiple AD sites, and how do you authenticate the users? Also using DC Agents and collectors? Using a different authentication method?

Thanks for the feedback

Willem
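To see the delay described above from the outside, it helps to run the Collector Agent's own check, a reverse (PTR) lookup of the workstation IP, but against the DNS server of each AD site in turn: the sites that still answer NXDOMAIN are the ones whose AD-integrated zone has not replicated the new record yet. The script below is an added diagnostic example, not code from this thread or from Fortinet; the site/DNS-server table, the sample client IP and the hostname in the test are constructed placeholders.

```python
"""Check whether a workstation's PTR record has replicated to each AD site's DNS.

Added diagnostic example (not from the forum thread or from Fortinet). It builds a
raw DNS PTR query, sends it directly to each listed DNS server (bypassing the
local resolver, which would mask per-site differences) and reports the response
code per server. Server addresses below are constructed placeholders.
"""
import ipaddress
import random
import socket
import struct

QTYPE_PTR = 12
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa / ip6.arpa owner name for an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_ptr_query(ip: str, txid: int = None) -> bytes:
    """Build a single-question PTR query with the RD (recursion desired) bit set."""
    if txid is None:
        txid = random.getrandbits(16)  # unpredictable ID so stray replies do not match
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(reverse_name(ip)) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
    return header + question


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_ptr_response(data: bytes):
    """Return (rcode, [PTR targets]) from a raw DNS response message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    targets = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_PTR:
            target, _ = read_name(data, offset)
            targets.append(target)
        offset += rdlen
    return rcode, targets


def check_ptr_across_servers(ip: str, servers, timeout: float = 2.0):
    """Query each DNS server directly; map server -> (status, names or error text)."""
    results = {}
    for server in servers:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_ptr_query(ip), (server, 53))
            data, _ = sock.recvfrom(512)
            rcode, names = parse_ptr_response(data)
            results[server] = (RCODE_NAMES.get(rcode, f"RCODE{rcode}"), names)
        except OSError as exc:  # includes socket.timeout
            results[server] = ("ERROR", [str(exc)])
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Constructed placeholders: one AD-integrated DNS server per site.
    SITE_DNS = {"site-hq": "10.0.0.10", "site-branch1": "10.1.0.10", "site-branch2": "10.2.0.10"}
    report = check_ptr_across_servers("10.1.50.23", SITE_DNS.values())
    for site, server in SITE_DNS.items():
        status, names = report[server]
        print(f"{site:14} {server:12} {status:9} {names}")
```

Run it right after a test client logs on; a site that reports NXDOMAIN while the client's own site reports NOERROR shows exactly the replication gap the Collector Agent runs into, and repeating the run every few minutes gives the real convergence time for that site rather than the 15-minute theoretical value.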

Wyzz
New Contributor

Why would the client use a DC not within its own site?


A customised FortiClient (free) can do FSSO (FAC needed) and that works pretty well. We try to use it as the primary method to avoid problems with roaming users (wired<->wireless), computers that go into standby, ...

Even on top of that you could do a captive portal combined with a specific LDAP server.

degwi
New Contributor

Wyzz wrote:

Why would the client use a DC not within its own site?

Hi Wyzz,

The client does use the DC within its own site. But the Collector Agent may be (and is) in a different site. The Collector Agent does the DNS lookup on its local system, and the AD sync happens later, so the IP record is not yet set for a new record. Finally, the FortiGate connects to the Collector Agent.

Wyzz wrote:

A customised FortiClient (free) can do FSSO (FAC needed) and that works pretty well. We try to use it as the primary method to avoid problems with roaming users (wired<->wireless), computers that go into standby, ...

OK, the FortiClient is free but the licences aren't. We do not have a FAC.

Do you manage the FortiClients with special settings like URL filtering for the mobile devices?

We have FortiClient in use for the mobile users, but only the VPN part is installed.


Wyzz wrote:

Even on top of that you could do a captive portal combined with a specific LDAP server.

I didn't get this. What is meant by this?

Thanks

Willem

Agent_1994

We have the same problem at a customer's.

Did anyone solve this?

degwi

Hi Agent_1994,

No, I did not solve it yet.

I'm working on a solution with FortiClients, as Wyzz wrote: reporting logins and IP changes (LAN-WLAN) to the FortiAuthenticator server.

During my PoC I noticed that the client does not always notify the FortiAuthenticator server of the change from LAN to WLAN.

For this we opened a case at Fortinet. Still waiting on a response.

romanr
Valued Contributor

Hi,

If you want a multi-site setup to work fully trouble-free, there is no way around using the FortiClient single sign-on agent and FortiAuthenticator.

If this is not possible from a budget point of view, there are some tips I can give:

- use DC Agents on all DCs
- all DC Agents point to the 2 Collector Agents (this does not generate that much traffic)
- do a proper group and "ignore user list" configuration (you don't want to monitor all those service accounts!)
- all firewalls receive authentication information from those CAs
- have proper filters on the CAs for IP filtering!!
- you can use additional logon retrieval options on the CAs (like for Exchange servers, ...); have a look into the advanced section

Br,

Roman
