Monday, March 4, 2013

Fortinet - client-less FSSO for AD

Following a relatively detailed reply from Fortinet support team it looks like a client-less FSSO needs the following:

  • AD credentials - to configure LDAP a user name/password set is needed with an ability to read from LDAP (a normal user should do). With Win Server 2003 there may be some anomalies with limited user accounts.
  • LDAP - should be configured for each DC, the same credentials will be used to do the pulling.
  • Pulling - by default pulling occurs every 10 seconds, but may be configured for an interval from 1 to 30 sec. Also, ports 8000 and 445 need to be open.
According to support, the behavior is a bit different from classic config. Assuming that the interval is 10sec and a user has logged in just after pulling has occurred. If we assume that in the next 9 seconds the system or the user tries to access Internet, the IP will be classified as guest. Once the pulling passed the IP will be reclassified according to the logs in the DC.

Fortinet considers that client-less method is better for 1-3 DC's but they still think that a collector agent is the best choice for a config with more than 3 DC's.

2 comments:

  1. Also, As confirmed by Fortinet support, you can't set an Ignored user list using the Agent less mode. That means if you have things like AV running as a service account, this doesn't work well. DC agent mode is my preferred method.

    ReplyDelete
    Replies
    1. Thanks for this news! Now I know that I will not use this function.

      Delete