Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tamim
New Contributor

Does anyone have recent experience with FSSO in 6.X?

Hello,

 

I would like to know if anyone has recent FSSO experience within a Citrix environment?

 

In the summer of 2019, I had my fair share of rather disappointing experience with FortiOS 5.6.x in combination with FSSO while I was testing out within my AD group of 5 members but the user information wasn't as accurate as I hoped for, causing all sorts of login issues for my team members. The plan was to deploy it for the whole Citrix environment to secure our DC environment using user-based authentication for the whole organization.

 

And I was just wondering if anyone had some new experience with the 6.x version since we will deploy soon 6.4.4 for our FGT environment. And was wondering whether we should upgrade the FSSO servers as well or just remove them.

2 REPLIES 2
sw2090
Honored Contributor

We use FSSO since 5.x and we currently run 6.2.7 on FGT100E and 300E. We use FSSO to log into the FGT and FMG using AD Credentials and also for dial up ipsec connections with xauth.

I also tested using AD Objects in Policies with success as we are planning on using this.

We however do not have a citrix environment here but the above works fine.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Alivo__FTNT

Hello, for fsso with citrix on Terminal servers, you  would need also Terminal Server Agents on each TS.

Without it, each new user will overwrite previous user. Why, because the traffic will leave server from same IP. You can't have multiple users on same IP. TS Agent will allocated particular port range to each user as a way to distinguish the users. These ports will be used for users' traffic. In traffic logs for these users, you would notice that originating port will be from a range of ports the user got allocated. In FortiGate run: di de authd fsso list If there is an antivirus r similar on the TS server, it will likely proxy the traffic before it leaves TS and will also change the allocated ports as it is not transparent. This will result in traffic not matching the policy... This, in general, works in most cases. Best Regards,

Alivo

livo

Labels
Top Kudoed Authors