Fortinet FSAE Configuring Windows AD server user groups, Configuring collector agent settings


Using FSAE on your network

Configuring FSAE on Windows AD

FSAE sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units. To avoid this problem, you can configure the FSAE collector agent to send logon information only for groups named in the FortiGate unit’s firewall policies.

On each domain controller that runs a collector agent, you need to configure:

• Windows AD user groups

• collector agent settings, including the domain controllers to be monitored

• the collector agent Global Ignore list

• the collector agent FortiGate Group Filter for each FortiGate unit

The following client/server operating systems can be used:

• Server: Microsoft Windows 2000, Microsoft Windows 2003 (32-bit and 64-bit)

• Client: Microsoft Windows 2000 Professional, Microsoft Windows XP Professional

Configuring Windows AD server user groups

FortiGate units control access at the group level: all members of a group receive the same network access, as defined in FortiGate firewall policies. You can use existing Windows AD user groups for FortiGate authentication if all members of each group are to have the same network access privileges. Otherwise, create new user groups for this purpose.

If you change a user’s group membership, the change does not take effect until the user logs off and then logs on again.

FSAE sends only Domain Local Security Group and Global Security Group information to FortiGate units. Distribution groups cannot be used for FortiGate access. No information is sent for empty groups.

Refer to Microsoft documentation for information about creating groups.
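Before naming a Windows AD group in a FortiGate firewall policy, it is worth confirming that the group is one FSAE will actually send: a Security group (not Distribution) of Global or Domain Local scope, with at least one member. The following check is an added example, not code from the Fortinet technical note. It assumes the ActiveDirectory PowerShell module (RSAT) is available where it runs; that module postdates the Windows 2000/2003 servers listed above, so on those hosts the same checks would be made with ADSI or dsquery. The group names are constructed placeholders.

```powershell
# Added example, not from the Fortinet FSAE technical note.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed on the
# machine where this runs.
Import-Module ActiveDirectory

function Test-FsaeGroup {
    <#
      Report whether a Windows AD group is usable by FSAE, per the note:
      only Domain Local and Global Security groups are sent to the FortiGate,
      and nothing is sent for a group that has no members.
    #>
    param([Parameter(Mandatory = $true)][string]$Name)

    try {
        # -Identity accepts sAMAccountName, DN, GUID or SID.
        $group = Get-ADGroup -Identity $Name -Properties Members -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Group = $Name; Scope = ''; Members = 0; Usable = $false
            Reason = 'group not found in this domain'
        }
    }

    $reasons = @()
    if ($group.GroupCategory -ne 'Security') {
        $reasons += "category is $($group.GroupCategory); only Security groups are sent"
    }
    # Universal scope is excluded because the note lists only Global and Domain Local.
    if (@('Global', 'DomainLocal') -notcontains [string]$group.GroupScope) {
        $reasons += "scope is $($group.GroupScope); only Global and DomainLocal are sent"
    }
    $memberCount = @($group.Members).Count   # direct members only
    if ($memberCount -eq 0) {
        $reasons += 'group is empty; no information is sent for empty groups'
    }

    [pscustomobject]@{
        Group   = $group.Name
        Scope   = [string]$group.GroupScope
        Members = $memberCount
        Usable  = ($reasons.Count -eq 0)
        Reason  = ($reasons -join '; ')
    }
}

# Constructed sample: the groups you intend to reference in FortiGate
# firewall policies. Replace these with your own group names.
$policyGroups = @('FG-Finance-Web', 'FG-Engineering-SSH', 'All-Staff-Announcements')

$policyGroups | ForEach-Object { Test-FsaeGroup -Name $_ } | Format-Table -AutoSize
```

Run this on a domain-joined administration host after creating or selecting the groups and before building the FortiGate Group Filter. A group flagged as Distribution or Universal, or as empty, will not appear on the FortiGate even though it exists in AD. Remember also that a user's membership change takes effect only after the user logs off and on again, so a freshly populated group will not grant access to currently logged-on users until they re-logon.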

Configuring collector agent settings

You need to configure:

• the Windows AD domain controllers to monitor

• the Windows AD users to ignore because they do not participate in firewall authentication on any FortiGate unit

• the Windows AD group information to send to each FortiGate unit

You can also alter default settings and settings you made during installation.

Fortinet Server Authentication Extension Version 1.5 Technical Note


01-30005-0373-20071001
