This is what we are trying to achieve: we have a single Windows terminal server where multiple users log in. The AD group membership of these users (or local FGT user groups) will determine what access they are allowed. What I want to avoid is having to install anything on our domain controllers. Also, we do not need to poll the domain controllers, as we are only interested in users on this single machine.
Can anyone give me steps on how to achieve this? I do have an AD service account and local admin rights on the box and full control of the FGT; I do not have full control of the DCs. All I really want is to get the login information from the terminal server back to the FGT firewall.
Yes, Agents (DC/TS) and Collector can run on the same "box" (DC).
If the Collector runs in DCAgent mode on the DC which is supposed to be monitored (and all the DCs which can qualify as logon servers from the MSFT standpoint have to be monitored in this mode), then there is no other way to do so. As the DCAgent runs on the DC where the Collector is, I would suggest using the external NIC IP instead of 127.0.0.1, just for config clarity purposes.
If the DC with the Collector is a terminal server (TS), run TSAgent.
A mix of TSAgent + DCAgent + Collector is also technically possible, but it is usually not used, as DCs usually do not serve as TS.
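For the FortiGate side of the setup the question describes (TS Agent and Collector on the terminal server, no agent on the DCs), the following FortiOS CLI fragment is an added example and not part of the original thread or of Fortinet's documentation. The collector IP 192.0.2.20, the object names, the AD group DN and the password placeholder are constructed; TCP 8000 is the Collector Agent's default listening port for FortiGate connections.

```fortios
# FSSO agent: point the FGT at the Collector running on the terminal server
config user fsso
    edit "TS-Collector"
        set server 192.0.2.20
        set port 8000
        set password <COLLECTOR_PASSWORD_PLACEHOLDER>
    next
end

# FSSO user group: maps the AD group the Collector reports to a local FGT group
config user group
    edit "FSSO_TS_Web"
        set group-type fsso-service
        set member "CN=TS-Web-Access,OU=Groups,DC=example,DC=com"
    next
end

# Address object for the terminal server itself (all users share its IP)
config firewall address
    edit "TS_SERVER"
        set subnet 192.0.2.20 255.255.255.255
    next
end

# Policy: only logons the Collector attributes to FSSO_TS_Web get web access
config firewall policy
    edit 10
        set name "TS-users-web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "TS_SERVER"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "FSSO_TS_Web"
        set nat enable
    next
end
```

Because every session from the terminal server shares one source IP, the TS Agent's per-user port-range mapping is what lets the policy distinguish users; without it, a plain collector/DC agent setup would attribute the whole box to whichever user logged on last.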