Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jcm05
New Contributor

FSSO Question for 2 domains

I currently using explicit proxy on domain a.com with a primary FSSO agent on both domain controllers in domain a.com and everything is working fine. Now we have begun testing a new domain environment domain b.com at a remote location across an mpls circuit. Both a.com and b.com domains are trusted with each other and when I open my FSSO agent on domain a.com I can see domain b.com to monitor. I have created a new ldap server on my fortigate and I can connect to b.com domain when test connectivity. So on domain b.com do I need to install a new FSSO agent and add another agent on the fortigate or do I just install the DC agent on domain b.com and point the collectors to my FSSO agents on my current a.com domain. Im on version 5.6.8 at the moment and Im a little confused on what I need to install on domain b.com DC either the FSSO agent or just the DC agent.

2 REPLIES 2
Fishbone_FTNT

Hi John, you have two options: 1 - simpler - install on b.com another FSSO CA - if you can. This is much easier to operate and will work well.

2 - complex - you can, as you suggested, to point DCAgent from b.com -> ca.a.com, but in that case you need to configure specific LDAP server for b.com on ca.a.com. Besides that, you need to create correct group filter between fgt and ca. This will be tricky, since you can have only one LDAP server selected in Fortigate and in FSSO CA too. Luckily, for such a cases, 'config user adgrp' can be edited manually. Or you can manually edit group-filter on CA, both ways are possible.

 

So my advice, unless you really can't, go for 1/.

 

Fish

smithproxy hacker - www.smithproxy.org

jcm05

I beleive I should be able to go OP1 route. Son once I install the FSSO collector on the new DC b.com I also need to add that into the Single sign on agent section as another FSSO agent with ip and password I set on the FSSO agent. I was always a little confused on the single sign server as there is a primary FSSO agent and then a FSSO agent with the ability to add more thought it was more for failover but seems I might need to add the new one I install as well.

Labels
Top Kudoed Authors