Chapter 3 Authentication for FortiOS 5.0 : Agent-based FSSO : Configuring the FSSO Collector agent for Windows AD
  
Configuring the FSSO Collector agent for Windows AD
On the FortiGate unit, security policies control access to network resources based on user groups. The same is true with Fortinet Single Sign On, but each FortiGate user group is associated with one or more Windows AD user groups. This association is how members of Windows AD user groups are authenticated in the FortiGate security policy.
Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units.
To avoid this problem, you can configure the Fortinet Single Sign On Collector agent to send logon information only for groups named in the FortiGate unit’s security policies. See “Configuring FortiGate group filters”.
On each server with a Collector agent, you will be:
Configuring Windows AD server user groups
Configuring Collector agent settings, including the domain controllers to be monitored
Configuring Directory Access settings
Configuring the Ignore User List
Configuring FortiGate group filters for each FortiGate unit
Configuring FSSO ports
Configuring alternate user IP address tracking
 
In some environments where user IP addresses change frequently, it might be necessary to configure the alternate IP address tracking method. For more information, see “Configuring alternate user IP address tracking”.