Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
flamer
New Contributor II

Created on ‎07-12-2018 10:03 PM

Simple FSSO terminal server setup

Hi guys,

 

this is what we are trying to achieve, we have a single windows terminal server where multiple users login. Based on AD group membership of these users/or local FGT user groups will determine what access they are allowed. What I want o avoid is having to install anything on our domain controllers. Also we do not need to poll the domain controllers as we are only interested in user son this single machine.

 

Can anyone give me steps on how to achieve this? I do have an AD service account and local admin rights on the box and full control of the FGT, I do not have full control of the DC's. All I really want is to get the login information from the terminal server back to the FGT firewall.

 

9185
0 Kudos
3 REPLIES 3
xsilver_FTNT
Staff
Staff

Created on ‎07-13-2018 12:51 AM

Hi,

 

it seems to me that you do have two options:

 

A) FSSO

- install Collector agent on DC or any domain member Windows machine

- install TS Agent on that terminal server, set it to report to the collector

- set FGT to use collector as FSSO Agent

- on FGT set groups you are interested in, map those AD groups to FSSO firewall groups and use those in policies

- passive authentication, no user interaction needed

- some network hostile apps might have issues with port assignments and might not run properly

- all normal apps can use this as FSSO infrastructure will notify FGT through Collector about IP/port/user/groups combo

 

B) NTLM or Kerberos + Explicit proxy

- make this session based auth and authorize all the traffic from TS through explicit proxy on FGT

- expect some performance drop on FGT, depends on amount of proxied traffic

- active auth, user interaction is expected, except browsers are set to do auth on background

- browser sessions and only NTLM/Kerberos auth capable apps can use this

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

2652
0 Kudos
flamer
New Contributor II
In response to xsilver_FTNT

Created on ‎07-16-2018 08:34 PM

Thanks Tom, is it possible to have the Collector Agent and TS agent on the same box?

 

2652
0 Kudos
xsilver_FTNT
Staff
Staff
In response to flamer

Created on ‎07-16-2018 11:18 PM

Yes, Agents (DC/TS) and Collector can run on the same "box" (DC).

If Collector runs in DCAgent mode on the DC which is supposed to be monitored (and all the DCs which can qualify as logonservers from MSFT standpoint has to be monitored in this mode), then there is no other way to do so. As DCAgent runs on DC where Collector is, I would suggest to use external NIC IP instead of 127.0.0.1 just for config clarity purposes.

 

If DC with Collector is terminal server (TS), run TSAgent.

Mix of TSAgent + DCAgent + Collector is also technically possible, but usually not used as DC usually do not serve as TS.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

2652
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.