There is not a single "right" way to configure FSSO, and that's why you are getting different answers from support.
There are multiple modes/ways to set up FSSO properly, and every one has its own strengths and weaknesses.
- Agent mode (DC/TS agents + Collector) is considered the most robust solution. But some admins do not like it, or their corporate security policy does not allow them to install anything non-MSFT onto a DC. As this mode relies on an agent installed on every DC and TS, it is this weak point which can render this mode useless (unacceptable) for certain customers.
- Agentless/polling .. and this can be done from the FortiGate or from the Collector. And to make it "simpler" there are 3 polling modes on the Collector side, while the FortiGate does WinSec polling only. I'd consider WinSec better than NetAPI, and WinSec+WMI better than WinSec alone. WinSec polling is good to get logon events like 4624 made by MAC-OS workstations. And when polling, then definitely from the Collector and not from the FortiGate. But hey, if you have a SoHo deployment, one DC, 20 users .. well then polling from the FortiGate might be a useful option. For anything bigger I'd use a standalone Collector (it's free, so why not use that and spare resources on the FortiGate).
When running a standalone Collector, use it in Advanced mode (meaning LDAP group format). If you add LDAP to the FortiGate's FSSO Agent config, it will let you use that LDAP to choose user groups into filters and set that filter on the Collector from the FortiGate. And the FortiGate will do so in LDAP format. Match.
If you have more FortiGate units and want the same group filter for all, then rather set that filter on the Collector as Default (for all connected FortiGates which did not push their own specific filter), and let the FortiGate without LDAP in FSSO gather groups from the Collector.
Not enough? Bigger network? Tiering! Yes, FortiAuthenticator has a built-in Collector as well and can scale up. Plus it can do RADIUS accounting to FSSO, Exchange server polling, syslog to FSSO, SAML and more .. basically any authentication into FSSO and to FortiGates. Part of that could be done even in a standalone Collector.
- If you have the Collector on FortiGate, you do not need dual LDAP, as that LDAP is not used for group membership but just for group filter settings and ease of administration.
- MAC-OS in the network? WinSec polling from the Collector.
- Terminal Servers? Install TSAgent on each of them, unless you want to use explicit proxy (WAD) on the FortiGate and do session-based NTLM authentication via proxy (older way to handle TS).
- Cannot install DC Agents? Use polling from the Collector.
- Cannot install the Collector on a DC? Install it on any domain member running a server version of Windows, not necessarily a DC.
Hope I haven't scared you much and gave a bit of insight into why FSSO deployments can differ but still be the best way for specific situations/restrictions/needs.
Tom xSilver, planet Earth, over and out!
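As an added illustration (not part of the post above, and not an official Fortinet reference config), here is the FortiOS CLI shape of the "LDAP on the FSSO Agent config" setup the post recommends: the LDAP server is referenced from the FSSO entry so the group filter pushed to a Collector running in Advanced mode is expressed as LDAP DNs, and the FSSO group on the FortiGate is selected by that same DN. All IPs, names, DNs and the service account are assumed placeholders.

```text
# Assumed placeholder LDAP server (the domain controller the FortiGate
# queries only for group browsing/filter selection, not for logons).
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=example,DC=local"
        set password <placeholder>
    next
end

# FSSO agent entry pointing at the standalone Collector (placeholder IP).
# ldap-server is what makes the FortiGate push its group filter in LDAP format.
config user fsso
    edit "FSSO-Collector"
        set server "10.0.0.20"
        set password <placeholder>
        set ldap-server "AD-LDAP"
    next
end

# FSSO user group on the FortiGate, matched by DN (placeholder group).
# This DN must match the format the Collector uses in Advanced mode.
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=local"
    next
end
```

If several FortiGates need the same filter, leave `ldap-server` unset on them and define the DN filter as the Default filter on the Collector instead, as the post describes.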