Support Forum
NkMike
New Contributor

FSSO and WebFiltering

Hello,

We are trying to configure FSSO and Web Filtering but without much success. The topology of the network is as follows:

a. LAN > ISA > FortiGate (Transparent) > WAN
b. All users on the LAN are routed from the ISA server. The ISA server is also the 2nd Domain Controller.
c. The Primary Domain Controller has the FSSO Collector and Agent.
d. We have published port 389 from DC1 to ISA (DC2) so that the FortiGate can use FSSO.
e. We have set up and imported the required Groups on the FortiGate (FSSO), and if we execute the following commands on the CLI we get the required results:

   CLI > diagnose debug enable
   CLI > diagnose debug authd fsso server-status
   Server Name   Connection Status   Version
   -----------   -----------------   -------
   FSSO DC       connected           FSSO 4.3.0151

f. If we issue diagnose debug authd fsso list we get the list of users authenticated (more than 100 entries), e.g.:

   IP: 192.168.1.135 User: xxx
   IP: 192.168.1.138 User: xxx
   ...

g. Under the Policy we have set up the authentication with a web profile to block or monitor user activities.
h. However, in the logs we see only 3-4 users from the domain and all the rest are shown as "Guest". These are allowed since we also include the FSSO Guest groups.
i. The problem is that 100+ users go out as Guests, although they are part of the groups from the domain and have authenticated.

Please advise how we can also identify all users and configure the required web filtering policy. At the moment, although the web filter profile is applied, the reports created with the Guest accounts do not provide any insight. It seems that the FortiGate does not recognize most users from the Domain; the connection between the FSSO Collector and the FortiGate works. Do we need to forward any other port besides 389 on the ISA? The FortiGate is placed transparently in front of the ISA server and before the WAN. The Collector Agent seems to work, but for some reason the FortiGate sees 100+ users as Guests, and only 3-4 as actual users.
WAN Modem IP: xxx.xxx.xxx.xxx
FortiGate IP: xxx.xxx.xxx.x
ISA NIC1 IP: xxx.xxx.xxx.x
ISA NIC2 IP: 192.168.1.2
DC1 IP: 192.168.1.1
Alivo__FTNT
Staff

Hi,

It appears that the Collector Agent might be configured in Standard mode (set Directory Access in the GUI) while the groups are configured in Advanced mode.

Collector agent AD Access mode - Standard versus Advanced

The Collector agent has two ways to access Active Directory user information. The main difference between Standard and Advanced mode is the naming convention used when referring to username information. Standard mode uses the regular Windows convention: Domain\Username. Advanced mode uses the LDAP convention: CN=User, OU=Name, DC=Domain.

If there is no special requirement to use LDAP, best practices suggest you set up FSSO in Standard mode. This mode is easier to set up, and is usually easier to maintain and troubleshoot. Standard and Advanced modes have the same level of functionality with the following exceptions:

1. Users have to create Group filters on the Collector agent. This differs from Advanced mode, where Group filters are configured from the FortiGate unit. Fortinet strongly encourages users to create filters from the CA.
2. Advanced mode supports nested or inherited groups. This means that users may be a member of multiple monitored groups. Standard mode does not support nested groups, so a user must be a direct member of the group being monitored.

If this is your case, proceed with the changes, then run in the CLI: diag debug authd fsso refresh-groups

livo
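A small Python cross-check, added here as an example (it is not from the poster's unit or from any Fortinet tool), that ties the symptom in the question to the mismatch this reply describes: it parses constructed `diagnose debug authd fsso list` output together with constructed traffic log lines, finds hosts that have a live FSSO logon yet are still logged as Guest, and reports whether each logon's group names follow the Standard (Domain\Name) or Advanced (CN=...) convention. The field layout of the CLI output, the key=value log format, and every name and address are assumptions constructed for the example.

```python
"""Cross-check FSSO logons against traffic logs to spot hosts that are still
logged as Guest, and classify their group naming convention."""
import re

# Constructed sample of 'diagnose debug authd fsso list' output.
# The exact field layout is an assumption, not a capture from a real unit.
FSSO_LIST = """\
----FSSO logons----
IP: 192.168.1.135  User: EXAMPLE\\alice  Groups: EXAMPLE\\WEB-USERS
IP: 192.168.1.138  User: EXAMPLE\\bob  Groups: EXAMPLE\\WEB-USERS
IP: 192.168.1.140  User: EXAMPLE\\carol  Groups: CN=WEB-USERS,OU=Groups,DC=example,DC=local
"""

# Constructed traffic log lines in key=value form (placeholder values).
TRAFFIC_LOG = """\
srcip=192.168.1.135 user="Guest" group="FSSO_Guest_Users" action=accept
srcip=192.168.1.138 user="Guest" group="FSSO_Guest_Users" action=accept
srcip=192.168.1.140 user="EXAMPLE\\carol" group="WEB-USERS" action=accept
"""

ENTRY_RE = re.compile(r"^IP:\s*(\S+)\s+User:\s*(\S+)\s+Groups:\s*(\S+)", re.M)
LOG_RE = re.compile(r'srcip=(\S+).*?user="([^"]*)"')


def naming_mode(name):
    """Classify a user or group string by the Collector Agent convention."""
    if name.upper().startswith("CN="):
        return "advanced"   # LDAP convention: CN=User,OU=Name,DC=Domain
    if "\\" in name:
        return "standard"   # Windows convention: Domain\Name
    return "unknown"


def parse_fsso_list(text):
    """Map source IP -> {user, groups} for every logon line in the CLI output."""
    return {ip: {"user": user, "groups": groups}
            for ip, user, groups in ENTRY_RE.findall(text)}


def guest_despite_logon(fsso_text, log_text, expected_mode):
    """Return (ip, user, group_mode, mode_matches) for hosts that have a live
    FSSO logon but whose traffic is still logged as Guest. A group_mode that
    differs from the mode the FortiGate groups were imported in (expected_mode)
    is the Standard/Advanced mismatch described in the reply above."""
    logons = parse_fsso_list(fsso_text)
    findings = []
    for ip, user in LOG_RE.findall(log_text):
        if user == "Guest" and ip in logons:
            mode = naming_mode(logons[ip]["groups"])
            findings.append((ip, logons[ip]["user"], mode, mode == expected_mode))
    return findings
```

With the constructed data and groups imported on the FortiGate in Advanced mode, the two Standard-named logons are the ones that surface as Guest, which is the pattern to look for on a real unit.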

TechnoR05
New Contributor III

Hello,

If you have set up and imported the required groups on the FortiGate, then it would seem your basic Collector Agent setup is good. Some things you could have a look at, and/or try, are:

- Check on the Collector Agent GUI if the 2 check-boxes at the top are checked, i.e. Monitoring user logon events, and Support NTLM authentication.
- Are the browsers used by the 3-4 users seen from the domain configured differently from the others, mostly in Tools > Internet options > Advanced > Security: Use Windows integrated authentication?

I must say we still are not exactly sure how our setup works, but it does, with User authentication policies, User groups and Webfilter Profiles, etc. We have a Collector Agent monitoring say 20 DCs with DC Agents, but we are at the point where we are not sure what does what exactly, FSSO, NTLM, etc. And I don't want to get into the details of that at the moment; let's just say on our production FortiGate users show as NTLM authenticated, under User & Device > Monitor, while on the Test FortiGate they show as FSSO. The Production FSSO Collector Agent uses DC Agents, and the Test FSSO Collector Agent uses Polling.

Anyway, I hope any of this helps in some way :)
Martin2
New Contributor

Hello,

I am in the process of configuring the webfilter integration with FSSO.

But I am stuck.

Attachments: FSSO.png, POLICY.png
