- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSAE Collector / DC Agent design for an extranet ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSAE Collector / DC Agent design for an extranet scenario
In a normal scenario we do not allow access from the outside, into our network. But due to change in our organization we need to expose at least one of our IIS web applications (with Integrated Authentication) from the outside, of course only after first a successfully authentication is made.
We do not want to implement this in the ‘old’ scenario of DMZ with clone of the system and synching/replicating of system data…
Therefore the Fortigate solution with FSAE does appeal. But I do need to take an implementation decision, perhaps somewhat based on my misunderstanding of the technique...
Reading some of the documents I’ve collected informationthat I need at least:
One installation (at least) of a FSAE Collector Agent and it does not need to be installed on a DC. So far OK.
Then the documentation states that we need a FSAE DC Agent on all our DC. This is not OK, at least not in my administrator book.
But hey it seems I do have some saying in the matter perhaps, there are two different modes: DC Agent mode and Polling Mode
The DC Agent mode; the requiring it installed on _all_ DC in the domain or the Polling Mode; requiring non FSAE DC Agent installed at all.
Ohh, there seems to be third option also. NTLM authentication, but only supported in IE and Firefox. Not OK, even if IIS integrated authentication ‘semi-requires’ IE so to speak.
So Polling Mode seems nice. Let’s go with this for a moment:
1. Employee goes to https://extranet.domain.com (from their home computers, not associated with the company in any way)
2. Employee is meet with the Fortigate SSL-VPN login form
3. Employee provide their Windows AD username (without domain) and password
4. Fortigate receives the Windows AD username and password
5. Fortigate passes it to the FSAE Collector Agent
6. The Fortigate FSAE Collector Agent, with Polling Mode, asks the Windows AD DC’s is this information OK
7. The Windows AD DC’s responds, this login credentials is OK with its Windows AD Group membership (in this case)
8. The SSL-VPN portal page, with bookmarks, based on Windows AD Group membership is shown.
9. The Employee clicks one of the HTTP links
10. The HTTP link forwards the Employee to the IIS web application (with Integrated Authentication) and their login credentials to be authenticated with.
11. The employee is now logged on to the IIS web application (with integrated authentication) with the login information from [3.] and without their computes being within and/or member of the actual windows domain.
There is of course many more decision to take late. But to finish this specific post:
Is my option:
at least one FSAE Collection Agent in Polling Mode will achieve my goal to allow employee to login with their windows login credentials and this also allow they to be automatic authenticated in IIS web applications?
Am I missing something, do I need to provide some more information or anything else to make it easier for a design decision?
0 REPLIES 0
Related Posts
- Fortianalyzer - Analyzer/Collector mode License requirement 696 Views
- FSSO with one DC agent and... 486 Views
- Tracking per-system and per-user DNS requests... 1153 Views
- Cisco Meraki / Cisco ISE and... 714 Views
- FSSO - Collector Agent - Unprocessed... 3257 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.