Fortinet Single Sign On

Module Objectives

• By the end of this module participants will be able to:
  • Describe how Windows login credentials can be used to authenticate users to the FortiGate device
  • Configure Fortinet Single Sign On

Directory Services Authentication

[Figure: user Kelly Miller on workstation "classroom" authenticating to a Directory Services Server (Windows Active Directory or Novell eDirectory)]

Directory Services Authentication

• User authenticates to Directory Services at logon
  • Windows Active Directory Server
  • Novell eDirectory
• Authentication information is passed to the FortiGate unit
• User automatically gets access to permitted resources without any further authentication operations
• Uses Fortinet Single Sign On (FSSO)
  • Previously known as Fortinet Server Authentication Extensions (FSAE)

Fortinet Single Sign On

• Detects logon event
• Records workstation name, domain and user
• Resolves workstation name to IP address
• Determines groups user belongs to
• Sends logon information to the FortiGate unit
• Creates a log entry on the FortiGate unit

[Figure: FSSO running on a Windows Server and a Windows Domain Controller; user Kelly Miller logging on from workstation "classroom"]

Fortinet Single Sign On

• FSSO monitors which user is logged on to which workstation and passes that information to the FortiGate unit
• When the user tries to access a network resource, the FortiGate unit selects the appropriate firewall policy
  • User must belong to a permitted user group associated with that policy

Fortinet Single Sign On Components

[Figure: FSSO components: Collector Agent on a Windows Server, DC Agent on a Windows Domain Controller]

Fortinet Single Sign On Components

• Depending on the working mode chosen for monitoring user logon events, the following components may be installed:
  • FSSO Collector Agent
  • FSSO Domain Controller Agent
• Two possible working modes
  • Domain Controller Agent mode
  • Polling mode

Fortinet Single Sign On Domain Controller Agent Mode

[Figure: Domain Controller Agent mode: the user logon event on the Windows Domain Controller is captured by the DC Agent and sent to the Collector Agent on a Windows Server]

Fortinet Single Sign On Domain Controller Agent Mode

• In this mode, a Domain Controller Agent is installed on each domain controller to monitor user logon events
• A Collector Agent installed on a Windows Server receives the logon event information from the DC Agent and forwards it to the FortiGate unit
• The FortiGate unit determines access based on the user's group membership and firewall policies for the destination

Fortinet Single Sign On Polling Mode

[Figure: Polling mode: the Collector Agent on a Windows Server polls the Windows Domain Controller for user logon events]

Fortinet Single Sign On Polling Mode

• Polling mode does not require a Domain Controller Agent to be installed on each domain controller
• A Collector Agent installed on a Windows Server will poll the domain controller for user logon information every few seconds and forward it to the FortiGate unit

Domain Controller Mode versus Polling Mode

• Polling mode
  • Might not be as reliable, since a poll might be missed under heavy system traffic
  • Only one component needs to be installed on one server
  • FSSO in a Novell eDirectory environment works similarly to polling
    • The eDirectory agent polls the eDirectory server for user logon information and forwards it to the FortiGate unit
• Domain Controller mode
  • An agent must be installed on every domain controller in the domain
  • Each domain controller connection requires a guaranteed 64 kbps bandwidth to ensure proper FSSO functionality

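The Collector Agent registration, the FSSO user group and the group-restricted firewall policy described above, as an added FortiOS CLI configuration example that is not part of the original module. The server address 10.0.0.10, the password placeholder, the group DN and the interface names are assumptions, and the syntax is that of FortiOS 5.x and later.

```text
# Added example (not from the module): register the Windows Server that runs
# the Collector Agent. Address and password are placeholders and must match
# the values set in the Collector Agent itself.
config user fsso
    edit "fsso_collector"
        set server "10.0.0.10"
        set password "COLLECTOR_AGENT_PASSWORD"
    next
end

# FSSO user group: membership is taken from the logon information the
# Collector Agent sends, so the member is an Active Directory group DN
# (placeholder DN).
config user group
    edit "FSSO_Staff"
        set group-type fsso-service
        set member "CN=Staff,CN=Users,DC=example,DC=com"
    next
end

# Firewall policy that is only selected for users whose FSSO logon maps them
# to a permitted group. Interface and address names are assumptions.
config firewall policy
    edit 1
        set name "fsso_staff_to_internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Staff"
        set nat enable
        set logtraffic all
    next
end

# Verify that the FortiGate unit reaches the agent and is receiving logons
diagnose debug authd fsso server-status
diagnose debug authd fsso list
```

A user who is not in the logon list, or whose groups do not include a member of FSSO_Staff, does not match policy 1, which is how a missed poll in polling mode shows up in practice.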
Fortinet Single Sign On Using NTLM Authentication

[Figure: NTLM negotiation between the user's browser and the FortiGate unit, with the Collector Agent on a Windows Server and the user logon event on the Windows Domain Controller]

Fortinet Single Sign On Using NTLM Authentication

• Fortinet Single Sign On can also provide NTLM authentication
• The FortiGate unit will initiate an NTLM negotiation with the client browser
• The FortiGate unit forwards the NTLM packets to the Collector Agent for processing
• The FortiGate unit determines access based on the user's group membership and firewall policies for the destination

Labs

• Lab - Directory Service Authentication
  • Installing FSSO on the Windows server
  • Configuring FSSO on the FortiGate unit
  • Testing FSSO authentication


Student Resources
