Good day,
I am working on a project to move from Domain Joined Windows 11 computers to Microsoft Entra Only Joined computers, I have a FortiGate FGT200F with Firmware 7.X which currently authenticates users via FSSO in the local Windows Domain via LDAP to determine which Web Filter Policies to apply based on their Active Directory group membership.
My test Entra Only joined Windows 11 computers are having issues getting the correct Web Filter Policies from the FortiGate and are ending up going to the Catch-All policies, does anyone have any experience with how to do authentication with Entra Only Joined computers on a FortiGate?
I have Microsoft Entra Connect Sync Pass-through authentication setup and it is working to authenticate Entra Only computers to the local Active Directory so users can gain access to network resources.
Would I need to create groups in Entra the same as the local Domain groups and authenticate to them? And if so, how is this done?
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Traditional FSSO doesn't see pure Azure/Entra-joined computers.
There's two general options you can take:
FSSOMA (...mobility agent) - Needs FortiAuthenticator and FortiClient (FCT can be free). Monitoring user logon sessions is now supported for Entra domains. Under ideal conditions the users will not see any difference. (apart from maybe noticing that FortiClient is now installed :) )
Captive portals - Captive portal authentication can be configured and supports SAML. Fairly easy to setup, but disruptive to traffic. (HTTP/S redirected to captive portal, other traffic dropped, until user authenticates)
Yes, sounds about right. The base VM + user limit (regular & FSSOMA) increases are one-time cost. The support renewal would be recurring. Thought I am not sales, so if/when this starts being seriously interesting, make sure to verify with a partner/distributor/sales.
Traditional FSSO doesn't see pure Azure/Entra-joined computers.
There's two general options you can take:
FSSOMA (...mobility agent) - Needs FortiAuthenticator and FortiClient (FCT can be free). Monitoring user logon sessions is now supported for Entra domains. Under ideal conditions the users will not see any difference. (apart from maybe noticing that FortiClient is now installed :) )
Captive portals - Captive portal authentication can be configured and supports SAML. Fairly easy to setup, but disruptive to traffic. (HTTP/S redirected to captive portal, other traffic dropped, until user authenticates)
Thanks for the information, I was thinking I could also use FortiClient VPN and EMS to push out the Web Filtering profiles to users, but I would have to purchase EMS, not sure which is the best or cheapest. EMS or FortiAuthenticator? I am currently using the free version of Forticlient VPN.
That is certainly an option as well, although given that the filtering would be moved to the client, you would probably need to use some fairly wide-open firewall policies on the FortiGate. That might be hard to manage (what if there's a client that doesn't have the FCT+webfilter, or it's just not working temporarily?).
Last I checked the basic cost for EMS was around $10 per user per year for the VPN/ZTNA license and around $40 per user per year for the EPP license (you would want this for the webfiltering function). This will of course fluctuate further based on discounts and higher number of users and/or licensed years.
Base VM license for FAC is around $2k (100 users, so $20 per user). The VM itself is perpetual, but you will need to consider buying support entitlement license to interact with TAC support. The complication with FAC is that the license for FSSOMA is separate, so you'd need to get that too. (FCC-FAC2K-LIC for 2K users is the smallest), and if the FortiClient's aren't EMS-managed, you'd need to handle deployment, configuration, and management on your own.
Created on 10-09-2024 03:07 AM Edited on 10-09-2024 03:08 AM
Hi, Thanks for the information, I have 300 users so for the FAC solution it would be around:
FAC-VM-BASE for 100 users 2k (one-off cost?)
FAC-VM-100-UG for 100 users x2 2k (one-off cost?)
FAC-FAC2K-LIC for 2k users 2k (oning cost?)
Optional TAC support license. (oning cost?)
Does this sound right?
Yes, sounds about right. The base VM + user limit (regular & FSSOMA) increases are one-time cost. The support renewal would be recurring. Thought I am not sales, so if/when this starts being seriously interesting, make sure to verify with a partner/distributor/sales.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.