Description
This article explains how to deploy FSAE in Standard Mode in an Active Directory environment.
Solution
The FSAE solution consists of two components: the Collector Agent, which must be installed on at least one Domain Controller, and the DCAgent component, which must be installed on the other Domain Controllers.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31882&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=28153473&stateId=0%200%2028151676
4. Specify the credentials used to run the FSAE service. The selected user MUST be a Domain Admin.
6. Wait for the installer to copy all files and finish the installation. Make sure that the "Launch DC agent Install Wizard" check box is selected.
DCAgent Deployment
The DCAgent component can be pushed from the Collector Agent during FSAE installation or at any other time. A standalone DCAgent installer is also available in case the ports required for network installation (tcp/139 and tcp/445) are not available. Ensure that the DCAgent component is installed on ALL domain controllers; otherwise some logon events will be missed and, as a result, users will be recognized as guests or blocked (depending on the configuration).
1. If installing DCAgents during FSAE installation, make sure that the 'Launch DC agent Install Wizard' check box is selected before selecting the 'Finish' button.
2. Select the Collector Agent IP address and communication port (use the defaults or specify custom settings).
3. Select the domain to be monitored (usually only one domain is displayed; if several domains are displayed, select the required one from the list).
4. Select service accounts to be ignored (optional; users can be added to the ignore list whenever needed).
5. Select all Domain Controllers from the list. If FSAE is being deployed in a particular AD site, make sure that all selected DCs are from this site only. Accept the default (DC Agent) working mode.
Select 'Finish' to complete the FSAE installation and reboot the Domain Controller on which the Collector Agent was installed.
FortiGate Configuration
1. Connect to the WebUI, open User > Directory Service and click the Create New button.
2. Enter an object name and point it to the IP address of the DC where the Collector Agent was installed. Specify the same password as configured on the Collector Agent. If deploying more than one Collector Agent, enter its IP address below (up to 5 Collector Agents can be deployed).
3. Click the Refresh button until your AD tree appears on the FortiGate. You may configure a group filter on the Collector Agent if you would like to see only particular groups on the FortiGate instead of the whole AD tree. This can be done at this stage or at any other time; just remember to refresh this view to apply the filter.
4. Map user groups on the FortiGate to AD groups: User > User Groups > Create New.
5. Make sure the group type is set to Directory Service and select the required user group from the list.
3. Enable FSAE
4. Select groups and configure protocols and protection profile settings. Enable logging if required.
5. Repeat this step for each mapped group. Assign different protection profiles and allow different protocols as required.
6. Add FSAE_Guest_users to identity-based policies. Guests are users who are not members of your AD, or members of AD groups which are not included in the group filter. You may use one of the existing protection profiles or create a dedicated one for guests only, depending on your Internet access policies.
If FSAE is working properly, the output should be similar to the following example:
Lab-PLG # diagnose debug authd fsae list
----FSAE logons---
IP: 192.168.1.230  User: ADMINISTRATOR  Groups: VLAD-AD/DOMAIN USERS
IP: 192.168.1.240  User: ADMINISTRATOR  Groups: VLAD-AD/DOMAIN USERS
Total number of users logged on: 2
----end of FSAE logons---

3. The following successful FSAE authentication events should be seen in the FortiGate event log (Log & Report > Log Access > Remote or Memory > Event Log):
Lab-PLG # diagnose debug en
Lab-PLG # diagnose debug authd fsae server-status
Lab-PLG # Server Name          Connection Status
----------                     -----------------
SBS-2003                       connected
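The two diagnose outputs above are what an operator checks after deployment: every Collector Agent must report "connected", and the logon list must account for the users it claims. The parser below is an added example (not Fortinet code) that reads both outputs, flags a logon count that does not match the reported total, and lists Collector Agents that are not connected; the sample output is constructed from the values shown on this page, and the assumption that several groups are joined with '+' is not something the page shows.

```python
import re
from typing import Dict, List

# Constructed sample, laid out the way the FortiGate CLI prints it (values from the article).
FSAE_LIST_OUTPUT = """\
Lab-PLG # diagnose debug authd fsae list
----FSAE logons---
IP: 192.168.1.230  User: ADMINISTRATOR  Groups: VLAD-AD/DOMAIN USERS
IP: 192.168.1.240  User: ADMINISTRATOR  Groups: VLAD-AD/DOMAIN USERS
Total number of users logged on: 2
----end of FSAE logons---
"""

SERVER_STATUS_OUTPUT = """\
Lab-PLG # diagnose debug en
Lab-PLG # diagnose debug authd fsae server-status
Lab-PLG # Server Name          Connection Status
----------                     -----------------
SBS-2003                       connected
"""

LOGON_RE = re.compile(r"^IP:\s*(\S+)\s+User:\s*(\S+)\s+Groups:\s*(.*?)\s*$")
TOTAL_RE = re.compile(r"^Total number of users logged on:\s*(\d+)")


def parse_fsae_logons(output: str) -> dict:
    """Parse 'diagnose debug authd fsae list' into {'logons', 'reported_total', 'consistent'}."""
    logons: List[dict] = []
    total = None
    for line in output.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            ip, user, groups = m.groups()
            # Assumption: multiple groups are joined with '+' (the page shows one group only).
            logons.append({"ip": ip, "user": user, "groups": [g for g in groups.split("+") if g]})
            continue
        t = TOTAL_RE.match(line.strip())
        if t:
            total = int(t.group(1))
    # A mismatch means entries were truncated or the output was not captured whole.
    return {"logons": logons, "reported_total": total, "consistent": total == len(logons)}


def parse_server_status(output: str) -> Dict[str, str]:
    """Map each Collector Agent name to its status; table rows follow the dashed separator line."""
    status: Dict[str, str] = {}
    in_table = False
    for line in output.splitlines():
        if line.strip() and set(line.strip()) <= {"-", " "}:
            in_table = True          # dashed header separator reached
            continue
        if in_table:
            m = re.match(r"^(\S.*?)\s{2,}(\S+)\s*$", line)   # name, then 2+ spaces, then status
            if m:
                status[m.group(1)] = m.group(2)
    return status


def disconnected_collectors(output: str) -> List[str]:
    """Collector Agents whose status is anything other than 'connected'."""
    return [name for name, st in parse_server_status(output).items() if st != "connected"]
```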