I currently using explicit proxy on domain a.com with a primary FSSO agent on both domain controllers in domain a.com and everything is working fine. Now we have begun testing a new domain environment domain b.com at a remote location across an mpls circuit. Both a.com and b.com domains are trusted with each other and when I open my FSSO agent on domain a.com I can see domain b.com to monitor. I have created a new ldap server on my fortigate and I can connect to b.com domain when test connectivity. So on domain b.com do I need to install a new FSSO agent and add another agent on the fortigate or do I just install the DC agent on domain b.com and point the collectors to my FSSO agents on my current a.com domain. Im on version 5.6.8 at the moment and Im a little confused on what I need to install on domain b.com DC either the FSSO agent or just the DC agent.
you have two options:
1 - simpler - install on b.com another FSSO CA - if you can. This is much easier to operate and will work well.
2 - complex - you can, as you suggested, to point DCAgent from b.com -> ca.a.com, but in that case you need to configure specific LDAP server for b.com on ca.a.com. Besides that, you need to create correct group filter between fgt and ca. This will be tricky, since you can have only one LDAP server selected in Fortigate and in FSSO CA too.
Luckily, for such a cases, 'config user adgrp' can be edited manually. Or you can manually edit group-filter on CA, both ways are possible.
I beleive I should be able to go OP1 route. Son once I install the FSSO collector on the new DC b.com I also need to add that into the Single sign on agent section as another FSSO agent with ip and password I set on the FSSO agent. I was always a little confused on the single sign server as there is a primary FSSO agent and then a FSSO agent with the ability to add more thought it was more for failover but seems I might need to add the new one I install as well.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.