Hello,

I'm building a test environment to try out the FSSO feature.

My current setup is a following:

One FortiGate 30E

One Windows 2016 AD DC

One Windows 2016 TS

I've set up the LDAP, FSSO part on the Fortigate, installed the AD agent & collector agent on my DC and the TS-agent on my TS.

On my FortiGate, I've created two policies.

Permitting traffic to WAN if member is in my SG_ONE group

Denying traffic to WAN if member is in my SG_TWO group

I can almost get it to work.

When I log in as user1 (member of SG_ONE) I'm permitted access to the internet (my policy one)

When I log in as user2 (member of SG_TWO) I'm denied access to the internet (my policy two)

BUT - after I have logged in as user2, user one is also denied access to the internet, even though they are not in the same security group

On my collector agent, I can see that the TS-agent logs the two different users from my TS, but only user2 is shown as logged in from the DC agent.

\JVA