migacz

FSSO, one domain, few locations

Hi, I need to deploy FSSO in our organization. We have one Active Directory domain on Windows 2012 R2. We have 6 locations: 2 DCs in HQ and one DC server at each of the other locations. Each location has its own FG. The FGs are connected by IPsec VPN in a mesh network. In 2 locations we have a low-speed WAN, so we need to limit the traffic. I don't want only one collector in HQ; I am thinking about installing a collector at each location to monitor the local DC, but I couldn't find out whether this is possible or how to do it.

Any help?

Fishbone_FTNT

Hi,

Install the FSSO CA in the central location and use polling only for the HQ servers. Install DCAgent on the DCs across the WANs and send the DCAgent logons to HQ. You will then have the whole-domain logon list on the HQ FSSO CA.

You can also install an FSSO CA in each location, processing only the local DCAgent logons (you will need to configure the DCAgent with an additional FSSO CA IP, the local one), but in that case you will have only the local logons on the branch FSSO CA.

This is the simplest installation possible, based on your description. It can be further extended, based on your requirements. I am assuming you have a flat AD design, or at least that the domains are in one forest.

 

Fishbone )(

smithproxy hacker - www.smithproxy.org

migacz

Fishbone, thanks for fast reply

Yes, I have a flat AD, one domain in the forest. I have a question about the first scenario. If I install only one FSSO collector in HQ, what happens when it goes down? Will users in the other offices still have access to the network?

Fishbone_FTNT

Hi,

Let's first talk about how redundancy works in FortiOS.

Consider the following setup:

config user fsso 
   edit "doma"
       set server "192.168.122.10"
       set server2 "192.168.122.11"
   next
   edit "domb"
       set server "192.168.123.10"
   next
end

DomA will have exactly one connection at a time, to either 192.168.122.10 or 192.168.122.11. The method is round-robin (so there is no active/backup or primary/secondary approach). Independently of this, DomB will have a connection towards the 192.168.123.10 FSSO CA server. DomA and DomB both compete for records in the same list ("diag debug auth fsso list" is that one) in the current VDOM. So be careful with this, but it is possible.

If the connection between FortiOS and the FSSO CA is lost, and there is no other server available, FortiOS keeps the records there for some limited time (the exact behaviour differs between FortiOS versions). FortiOS 5.6.x also marks the affected "diag debug auth fsso list" entries with the string "Stalled" at the end of the line. This is also the answer to your question. If you have firewall policies matching on FSSO groups and the FSSO CA is down, access will keep working for some time, until the stalled "diag debug auth fsso list" entries are removed. IIRC it's 10 minutes in FortiOS 5.6. In other words, it's a good idea to have redundancy: two FSSO CAs.

 

Regards,

Fishbone )(

smithproxy hacker - www.smithproxy.org
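The practical follow-up to Fishbone's point is to watch for "Stalled" entries before the stall timer runs out, because until then FSSO-matched policies keep passing traffic and afterwards they silently stop. Below is an added example, not code from this thread or from Fortinet, that parses "diag debug auth fsso list"-style output and reports stalled logons per site. The line layout of the sample (IP / User / Groups / Workstation / MemberOf with a trailing "Stalled" marker), the site-to-subnet mapping and the 10-minute timer are all constructed or assumed for the example; check them against your own FortiOS version's output before relying on the parser.

```python
"""Flag stalled FSSO logons per site from `diag debug auth fsso list` output.

Example code written for this thread; the sample output below is constructed
to approximate the FortiOS 5.6 format described in the thread, not captured
from a real unit. Verify the field layout against your own firewall.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Fishbone's recollection for FortiOS 5.6; treat as an assumption and confirm per version.
STALL_TIMEOUT_MIN = 10

# Constructed sample: two HQ logons still live, two branch logons marked Stalled.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.1.10.21  User: JDOE  Groups: CN=VPN-USERS,CN=USERS,DC=CORP,DC=EXAMPLE  Workstation: HQ-PC21  MemberOf: FSSO-VPN
IP: 10.1.10.22  User: ASMITH  Groups: CN=DOMAIN ADMINS,CN=USERS,DC=CORP,DC=EXAMPLE  Workstation: HQ-PC22  MemberOf: FSSO-ADMINS
IP: 10.6.20.11  User: BNOWAK  Groups: CN=VPN-USERS,CN=USERS,DC=CORP,DC=EXAMPLE  Workstation: BR6-PC11  MemberOf: FSSO-VPN Stalled
IP: 10.6.20.12  User: KLIS  Groups: CN=VPN-USERS,CN=USERS,DC=CORP,DC=EXAMPLE  Workstation: BR6-PC12  MemberOf: FSSO-VPN Stalled
Total number of logons listed: 4, filtered: 0
----end of FSSO logons----
"""

# Assumed site addressing for the example: HQ on 10.1.0.0/16, branch 6 on 10.6.0.0/16.
SITES = {
    "HQ": ipaddress.ip_network("10.1.0.0/16"),
    "Branch-6": ipaddress.ip_network("10.6.0.0/16"),
}

# Tolerant of variable spacing; the optional trailing "Stalled" token is what we care about.
ENTRY_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)\s+"
    r"Workstation:\s*(?P<ws>\S+)\s+MemberOf:\s*(?P<memberof>.*?)(?P<stalled>\s+Stalled)?\s*$"
)


@dataclass
class Logon:
    ip: str
    user: str
    groups: list[str]
    workstation: str
    member_of: str
    stalled: bool


def parse_fsso_list(text: str) -> list[Logon]:
    """Return one Logon per entry line; header/footer lines are skipped."""
    logons = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        logons.append(Logon(
            ip=m["ip"],
            user=m["user"],
            groups=[g.strip() for g in m["groups"].split(",") if g.strip()],
            workstation=m["ws"],
            member_of=m["memberof"].strip(),
            stalled=m["stalled"] is not None,
        ))
    return logons


def stalled_by_site(logons: list[Logon], sites: dict) -> dict[str, tuple[int, int]]:
    """Map site name -> (total logons, stalled logons); unmatched IPs go to 'unknown'."""
    counts = {name: [0, 0] for name in sites}
    counts["unknown"] = [0, 0]
    for lg in logons:
        addr = ipaddress.ip_address(lg.ip)
        site = next((name for name, net in sites.items() if addr in net), "unknown")
        counts[site][0] += 1
        counts[site][1] += int(lg.stalled)
    return {name: (total, stalled) for name, (total, stalled) in counts.items()}


def alerts(logons: list[Logon], sites: dict) -> list[str]:
    """One alert per site with stalled entries; a site that is fully stalled has lost its CA feed."""
    out = []
    for site, (total, stalled) in stalled_by_site(logons, sites).items():
        if stalled == 0:
            continue
        scope = "ALL" if stalled == total else f"{stalled}/{total}"
        out.append(
            f"{site}: {scope} FSSO logons stalled; FSSO-matched policies stop matching "
            f"within ~{STALL_TIMEOUT_MIN} min unless the collector connection recovers"
        )
    return out


if __name__ == "__main__":
    entries = parse_fsso_list(SAMPLE_OUTPUT)
    for site, (total, stalled) in stalled_by_site(entries, SITES).items():
        print(f"{site:10} total={total} stalled={stalled}")
    for line in alerts(entries, SITES):
        print("WARNING", line)
```

Run it against saved CLI output instead of the sample and feed the alert list into whatever monitoring you already have; a site that shows every entry stalled is the signal that its collector (or the round-robin pair in `config user fsso`) is unreachable and the grace period is already counting down.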

migacz

Fishbone, thanks a lot for your help.

Fishbone_FTNT

Pleasure to help. ;)

F)(

smithproxy hacker - www.smithproxy.org
