Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Simple FSSO terminal server setup

Hi guys,


this is what we are trying to achieve, we have a single windows terminal server where multiple users login. Based on AD group membership of these users/or local FGT user groups will determine what access they are allowed. What I want o avoid is having to install anything on our domain controllers. Also we do not need to poll the domain controllers as we are only interested in user son this single machine.


Can anyone give me steps on how to achieve this? I do have an AD service account and local admin rights on the box and full control of the FGT, I do not have full control of the DC's. All I really want is to get the login information from the terminal server back to the FGT firewall.





it seems to me that you do have two options:



- install Collector agent on DC or any domain member Windows machine

- install TS Agent on that terminal server, set it to report to the collector

- set FGT to use collector as FSSO Agent

- on FGT set groups you are interested in, map those AD groups to FSSO firewall groups and use those in policies

- passive authentication, no user interaction needed

- some network hostile apps might have issues with port assignments and might not run properly

- all normal apps can use this as FSSO infrastructure will notify FGT through Collector about IP/port/user/groups combo


B) NTLM or Kerberos + Explicit proxy

- make this session based auth and authorize all the traffic from TS through explicit proxy on FGT

- expect some performance drop on FGT, depends on amount of proxied traffic

- active auth, user interaction is expected, except browsers are set to do auth on background

- browser sessions and only NTLM/Kerberos auth capable apps can use this


Kind regards,


Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer

New Contributor II

Thanks Tom, is it possible to have the Collector Agent and TS agent on the same box?



Yes, Agents (DC/TS) and Collector can run on the same "box" (DC).

If Collector runs in DCAgent mode on the DC which is supposed to be monitored (and all the DCs which can qualify as logonservers from MSFT standpoint has to be monitored in this mode), then there is no other way to do so. As DCAgent runs on DC where Collector is, I would suggest to use external NIC IP instead of just for config clarity purposes.


If DC with Collector is terminal server (TS), run TSAgent.

Mix of TSAgent + DCAgent + Collector is also technically possible, but usually not used as DC usually do not serve as TS.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer

Top Kudoed Authors