Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Entra Only Joined Windows 11 Computers and FortiGa...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Entra Only Joined Windows 11 Computers and FortiGate Authentication.
Good day,
I am working on a project to move from Domain Joined Windows 11 computers to Microsoft Entra Only Joined computers, I have a FortiGate FGT200F with Firmware 7.X which currently authenticates users via FSSO in the local Windows Domain via LDAP to determine which Web Filter Policies to apply based on their Active Directory group membership.
My test Entra Only joined Windows 11 computers are having issues getting the correct Web Filter Policies from the FortiGate and are ending up going to the Catch-All policies, does anyone have any experience with how to do authentication with Entra Only Joined computers on a FortiGate?
I have Microsoft Entra Connect Sync Pass-through authentication setup and it is working to authenticate Entra Only computers to the local Active Directory so users can gain access to network resources.
Would I need to create groups in Entra the same as the local Domain groups and authenticate to them? And if so, how is this done?
Thanks
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traditional FSSO doesn't see pure Azure/Entra-joined computers.
There's two general options you can take:
FSSOMA (...mobility agent) - Needs FortiAuthenticator and FortiClient (FCT can be free). Monitoring user logon sessions is now supported for Entra domains. Under ideal conditions the users will not see any difference. (apart from maybe noticing that FortiClient is now installed :) )
Captive portals - Captive portal authentication can be configured and supports SAML. Fairly easy to setup, but disruptive to traffic. (HTTP/S redirected to captive portal, other traffic dropped, until user authenticates)
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sounds about right. The base VM + user limit (regular & FSSOMA) increases are one-time cost. The support renewal would be recurring. Thought I am not sales, so if/when this starts being seriously interesting, make sure to verify with a partner/distributor/sales.
[ corrections always welcome ]
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traditional FSSO doesn't see pure Azure/Entra-joined computers.
There's two general options you can take:
FSSOMA (...mobility agent) - Needs FortiAuthenticator and FortiClient (FCT can be free). Monitoring user logon sessions is now supported for Entra domains. Under ideal conditions the users will not see any difference. (apart from maybe noticing that FortiClient is now installed :) )
Captive portals - Captive portal authentication can be configured and supports SAML. Fairly easy to setup, but disruptive to traffic. (HTTP/S redirected to captive portal, other traffic dropped, until user authenticates)
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the information, I was thinking I could also use FortiClient VPN and EMS to push out the Web Filtering profiles to users, but I would have to purchase EMS, not sure which is the best or cheapest. EMS or FortiAuthenticator? I am currently using the free version of Forticlient VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is certainly an option as well, although given that the filtering would be moved to the client, you would probably need to use some fairly wide-open firewall policies on the FortiGate. That might be hard to manage (what if there's a client that doesn't have the FCT+webfilter, or it's just not working temporarily?).
Last I checked the basic cost for EMS was around $10 per user per year for the VPN/ZTNA license and around $40 per user per year for the EPP license (you would want this for the webfiltering function). This will of course fluctuate further based on discounts and higher number of users and/or licensed years.
Base VM license for FAC is around $2k (100 users, so $20 per user). The VM itself is perpetual, but you will need to consider buying support entitlement license to interact with TAC support. The complication with FAC is that the license for FSSOMA is separate, so you'd need to get that too. (FCC-FAC2K-LIC for 2K users is the smallest), and if the FortiClient's aren't EMS-managed, you'd need to handle deployment, configuration, and management on your own.
[ corrections always welcome ]
Created on 10-09-2024 03:07 AM Edited on 10-09-2024 03:08 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Thanks for the information, I have 300 users so for the FAC solution it would be around:
FAC-VM-BASE for 100 users 2k (one-off cost?)
FAC-VM-100-UG for 100 users x2 2k (one-off cost?)
FAC-FAC2K-LIC for 2k users 2k (oning cost?)
Optional TAC support license. (oning cost?)
Does this sound right?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sounds about right. The base VM + user limit (regular & FSSOMA) increases are one-time cost. The support renewal would be recurring. Thought I am not sales, so if/when this starts being seriously interesting, make sure to verify with a partner/distributor/sales.
[ corrections always welcome ]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Forticlient SAML Authentication timeout 371 Views
- EAP-TLS request not reaching FAC 161 Views
- Forticlient bug: Does not check C++... 145 Views
- Virtual Server with Exchange OnPrem with... 221 Views
- Trouble with LDAP authentication 650 Views
Labels
-
FortiGate
8,500 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.