dasilva13
New Contributor

FSSO Best practices

Has anyone ever seen a "Best" practices FSSO deployment page? There are a lot of options and settings that can be changed (polling for non-polling) etc. and I would like to know what FortiGate says is the best method. I have never gotten it to work flawlessly.
4 REPLIES
Warren_Olson_FTNT

dasilva,

The main factor is the number of users that are authenticating on the network. From there it becomes either a personal choice or a requirement, depending on the system resources of the FortiGate itself and the AD servers. For example, if you are only tracking 20 users, direct polling of the AD servers from the FortiGate is perfectly sufficient, whereas with 20k users you would want to offload some of that work either to an agent on the AD servers themselves or to its own machine so that neither the FortiGate nor the AD servers are taxed at all.

Unfortunately there isn't a guide that says, if you have this model and this many users, use this method (I haven't found one at least), but make sure you've checked out the currently available resources like below:

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Authentication/FSSO-IBP.html
https://www.youtube.com/watch?v=BfMyWBAosK0
dasilva13
New Contributor

Thanks for the reply, but I guess it is a trial and error process more than anything.
lightmoon1992
New Contributor

@dasilva13 I would recommend the use of the FSSO agent, as it guarantees five nines accuracy as long as your server can respond within a 16-second time frame. For polling you may experience some time out trials. Let us know if you experienced certain difficulties with any of the configurations so we may help.

Mohammad

Mohammad Al-Zard
hklb
Contributor II

Hello,

Why use the FSSO agent (for collecting log in DC or installing directly on the DC) instead of using the FSSO agent for NTLM authentication? Did you have any experience with these two methods to authenticate the users?