Scribd Logo
Carica

Benvenuto in Scribd!

  • Fortinet Single SignOn

    Caricato da

    Alejandro Daricz
    201 visualizzazioni17 pagine
    Fortinet fortigate Single Sign ON FSSO

    Copyright

    © © All Rights Reserved

    Formati disponibili

    PPT, PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Fortinet fortigate Single Sign ON FSSO

    Copyright:

    © All Rights Reserved
    Scarica in formato PPT, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    201 visualizzazioni17 pagine

    Fortinet Single SignOn

    Caricato da

    Alejandro Daricz
    Fortinet fortigate Single Sign ON FSSO

    Copyright:

    © All Rights Reserved
    Scarica in formato PPT, PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 17

    Fortinet Single Sign On

    Module Objectives

    • By the end of this module participants will be able to:


    • Describe how Windows login credentials can be used to
    authenticate users to the FortiGate device
    • Configure Fortinet Single Sign On
    Directory Services Authentication

    Directory
    Services
    Server

    Windows Novell
    Active eDirectory
    Directory

    Kelly Miller
    $d12*h1
    classroom
    Directory Services Authentication

    • User authenticates to Directory Services


    Directory
    at logon Services
    • Windows Active Directory Server
    • Novell eDirectory
    Windows Novell
    • Authentication information is passed to
    Active eDirectory
    Directory
    the FortiGate unit
    • User automatically gets access to permitted
    resources without any further authentication
    operations
    • Uses Fortinet Single Sign On (FSSO)
    • Previously know as Fortinet Server
    Authentication Extensions (FSAE)
    Fortinet Single Sign On
    • Detects logon event
    • Records workstation name, domain and user FSSO
    • Resolves workstation name to IP address
    • Determines groups user belongs to
    • Sends logon information to the FortiGate unit
    • Creates a log entry on the FortiGate unit

    Windows
    Server

    Windows
    Domain
    Controller

    Kelly Miller
    $d12*h1
    classroom
    Fortinet Single Sign On
    • Detects logon event
    • Records workstation name, domain and user FSSO
    • Resolves workstation name to IP address
    • Determines groups user belongs to
    • Sends logon information to the FortiGate unit

    • FSSO monitors which user is logged on
    Creates a log entry on the FortiGate unit

    to which workstation and passes


    Windows
    that
    information to the FortiGate unit
    Server

    • When the user tries to access a network


    resource, the FortiGate unit selects the
    appropriate firewall policy Windows
    Domain
    • User must belong to a permitted user group
    Controller
    associated with that policy
    Fortinet Single Sign On Components
    Collector
    DC
    FSSO
    Agent

    Windows
    Server

    Windows
    Domain
    Controller
    Fortinet Single Sign On Components
    Collector
    DC
    FSSO
    Agent

    • Depending on the working mode


    chosen for monitoring user logon
    Windows
    events, the following components
    Server may
    be installed:
    • FSSO Collector Agent
    • FSSO Domain Controller Agent
    Windows
    Domain
    • Two possible working modesController
    • Domain Controller Agent mode
    • Polling mode
    Fortinet Single Sign On Domain Controller Agent Mode

    Collector
    Agent

    Windows
    Server

    DC
    Agent

    Windows
    User
    Domain
    Logon
    Controller
    Event
    Fortinet Single Sign On Domain Controller Agent Mode

    • In this mode, a Domain Controller


    CollectorAgent
    Agent
    is installed on each domain controller to
    Windows
    monitor user logon events Server
    • A Collector Agent installed on a
    DC
    Window Server receives the logon Agent

    event information from the DC Agent


    Windows
    User
    Domain
    and forwards it to the FortiGate unit
    Logon
    Controller
    Event
    • The FortiGate unit determines access
    based on the user’s group membership
    and firewall policies for the destination
    Fortinet Single Sign On Polling Mode

    Collector
    Agent ?
    Windows
    Server

    Windows
    User
    Domain
    Logon
    Controller
    Event
    Fortinet Single Sign On Polling Mode

    • Polling mode does not requireCollector


    a
    Agent
    Domain Controller Agent to be installed
    on each domain controller
    • A Collector Agent installed on a
    Window Server will poll the domain
    controller for user logon information
    every few seconds and forwards it to
    the FortiGate unit
    Domain Controller Mode versus Polling Mode

    • Polling mode
    • Might not be as reliable since a poll might be missed under
    heavy system traffic
    • Only one component needs to be installed on one server
    • FSSO in a Novell eDirectory environment works similar to
    polling
    • The eDirectory agent polls the eDiorectory server for user logon
    information and forwards it to the FortiGate unit
    • Domain Controller mode
    • An agent must be installed on every domain controller in the
    domain
    • Each domain controller connection requires a guaranteed
    64kpbs bandwidth to ensure proper FSSO functionality
    Fortinet Single Sign On Using NTLM Authentication

    Collector
    Agent

    ? Windows
    Server

    User
    Windows
    Domain
    Logon
    NTLM negotiation
    Controller
    Event

    Click here to read more about NTLM authentication using FSSO


    Fortinet Single Sign On Using NTLM Authentication

    • Fortinet Single Sign On can also


    provide NTLM authentication
    • The FortiGate unit will initiate an NTLM
    negotiation with the client browser
    • The FortiGate unit forwards the NTLM
    packets to the Collector Agent for
    processing
    • The FortiGate unit determines access
    based on the user’s group membership
    and firewall policies for the destination
    Click here to read more about NTLM authentication using FSSO
    Labs

    • Lab - Directory Service Authentication


    • Installing FSSO on the Windows server
    • Configuring FSSO on the FortiGate unit
    • Testing FSSO authentication
    Click here for step-by-step instructions on completing this lab

    Click here for access the FSSO installation file


    Student Resources

    Click here to view the list of resources used in this


    module

    Potrebbero piacerti anche