stressballsteve
New Contributor

FSSO and transparent web filtering

Hi, I'm new to the forums and also new to the Fortigate products, so please be gentle ... I have inherited a half-configured Fortigate 80C running 4.0 MR3 Patch 6 and I've managed to configure it so that I can use domain accounts for SSL VPN authentication, but I can't for the life of me figure out how to get FSSO working for web browsing.

It's a simple setup with the Fortigate plugged into the LAN and into the Internet-facing routing. Web browsing works with no issues and when setting web filters, sites are blocked, so everything appears to be working on that front. The issue is that I cannot get FSSO to work for web browsing. When I enable it, users cannot browse the web and I get "AD group user failed in authentication" in the event log. I have also tried to just use "Resolve User Names Using FSSO Agent" within the policy and this also fails: users can browse, but in the logs it shows the user as N/A...

Can anyone help a desperate man? I'm pulling my hair out over this one (and I don't have a lot left).

Thanks in advance, Steve
stressballsteve
New Contributor

You had me confused with your previous post ;-) Here is the output from the FSSO group:

    next
    edit "groupname"
        set group-type fsso-service
        set member "CN=groupname,OU=my OU,DC=company,DC=com"
    next

One thing I have noticed is that I have set everything to use Standard rather than Advanced, so in theory it should just use domain/object, but everything appears to be using the distinguished name... is it possible to change that on the FSSO agent setup from the Fortigate side? The FSSO agent is set up as Standard... hope that makes sense?
rwpatterson

LDAP uses the distinguished name. In the FSSO setup, Standard uses 'domain\group'. I'm using Standard mode.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
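For reference, this is what a complete Standard-mode FSSO setup looks like in the 4.0 MR3 CLI. It is an added example, not configuration from the original thread or from either poster: the collector agent definition, an FSSO-type user group, and an identity-based policy that applies a web filter profile to that group. The agent name, its address, the password, the domain and group name, the interface names and the profile names are all placeholders (assumptions). The group member string should be copied exactly as the FortiGate lists it after it learns the group from the collector, separator included, because that is the form the agent sends in Standard mode; Advanced mode sends the LDAP distinguished name, as in the "CN=groupname,OU=my OU,..." output earlier in the thread.

```text
# --- FSSO collector agent (address and password are placeholders) ---
config user fsso
    edit "collector-agent"
        set server 192.0.2.10
        set password CollectorSharedSecret
    next
end

# --- FSSO user group ---
# Standard mode: member is the Windows domain/group name as the
# FortiGate lists it once learned from the collector.
# Advanced mode would instead use the LDAP DN, e.g.
#   set member "CN=Internet Users,OU=my OU,DC=company,DC=com"
config user group
    edit "FSSO-Internet"
        set group-type fsso-service
        set member "COMPANY/Internet Users"
    next
end

# --- Identity-based outbound policy that matches the FSSO group ---
# Only members of FSSO-Internet (as reported by the collector) match;
# anyone the FortiGate has no logon record for falls through to the
# next policy, which is where the "user N/A" symptom shows up.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "FSSO-Internet"
                set service "HTTP" "HTTPS" "DNS"
                set utm-status enable
                set profile-protocol-options "default"
                set webfilter-profile "default"
            next
        end
    next
end
```

To confirm the two halves are talking to each other, the FortiGate side can be checked from the CLI (command names as I remember them for 4.0 MR3; verify with `diagnose debug authd fsso ?` on the box): `diagnose debug authd fsso server-status` shows whether the connection to the collector is up, and `diagnose debug authd fsso list` shows the user-to-IP logons and group memberships the FortiGate has actually received. If the collector's "Authenticated users" tab lists users but that `list` output is empty or shows only one user, the problem is between the agent and the FortiGate rather than in the policy.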
stressballsteve
New Contributor

OK, I managed to get the SSO group looking like a windows group in the format of domain/object and the console picked this up from the agent, so communication between the agent and FGT appears to work. I have deleted and recreated the FSSO group and then added it into the outbound rule but still no joy :(
rwpatterson

Are you using the forward or back slash?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
stressballsteve
New Contributor

I'm using a "/". It now appears that only 1 user authenticates when I enable the rule and can browse the internet. Looking at the authenticated users tab on the collector agent, I can see numerous users and they are in the correct FSSO group... we're getting closer, but not quite there yet. Thanks again for your help and support.
stressballsteve
New Contributor

Hi Bob, just thought I'd drop you a line and say thanks for the pointers on troubleshooting the issue. Found the problem in the end: it was our DC with the active collector agent on it. I rebuilt this server and now everything is working :-) Thanks again, Steve
rwpatterson

Who woulda thought... Glad you got to the bottom of it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com