Date posted: 22-Dec-2015
Fortinet Single Sign On

Module Objectives
• By the end of this module participants will be able to:
  • Describe how Windows login credentials can be used to authenticate users to the FortiGate device
  • Configure Fortinet Single Sign On
Directory Services Authentication
[Diagram: user Kelly Miller logs on from workstation "classroom" to a Directory Services server (Windows Active Directory or Novell eDirectory)]
• User authenticates to Directory Services at logon
  • Windows Active Directory
  • Novell eDirectory
• Authentication information is passed to the FortiGate unit
• User automatically gets access to permitted resources without any further authentication operations
• Uses Fortinet Single Sign On (FSSO)
  • Previously known as Fortinet Server Authentication Extensions (FSAE)
Fortinet Single Sign On
[Diagram: user Kelly Miller logs on from workstation "classroom" to the Windows Domain Controller; FSSO on the Windows Server relays the logon information to the FortiGate unit]
• Detects logon event
• Records workstation name, domain and user
• Resolves workstation name to IP address
• Determines groups user belongs to
• Sends logon information to the FortiGate unit
• Creates a log entry on the FortiGate unit
• FSSO monitors which user is logged on to which workstation and passes that information to the FortiGate unit
• When the user tries to access a network resource, the FortiGate unit selects the appropriate firewall policy
  • User must belong to a permitted user group associated with that policy
Fortinet Single Sign On Components
[Diagram: Windows Server running the FSSO Collector Agent; Windows Domain Controller running the FSSO DC Agent]
• Depending on the working mode chosen for monitoring user logon events, the following components may be installed:
  • FSSO Collector Agent
  • FSSO Domain Controller Agent
• Two possible working modes
  • Domain Controller Agent mode
  • Polling mode
Fortinet Single Sign On Domain Controller Agent Mode
[Diagram: a user logon event on the Windows Domain Controller is captured by the DC Agent and sent to the Collector Agent on the Windows Server]
• In this mode, a Domain Controller Agent is installed on each domain controller to monitor user logon events
• A Collector Agent installed on a Windows Server receives the logon event information from the DC Agent and forwards it to the FortiGate unit
• The FortiGate unit determines access based on the user’s group membership and firewall policies for the destination
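Worked example of the logon-to-policy flow the two preceding slides describe (the six steps from "Detects logon event" to "Creates a log entry", and the DC Agent / Collector Agent hand-off). This is an added simulation, not Fortinet's code or the module's lab material: a stand-in Collector Agent takes logon events, keeps only successful logons, resolves workstation names to IP addresses, looks up group membership, builds the user/IP table the FortiGate unit would hold, and a policy selector applies a firewall policy only when the source IP maps to a user in the policy's group. The event text format, hostnames, IP addresses, group memberships and policies are all constructed for the example; only the sequence of steps comes from the slides.

```python
# Added example: a simulation of the FSSO Collector Agent workflow shown on the slides.
# Not Fortinet code. Event format, hostnames, IPs, groups and policies are constructed.
import re
from dataclasses import dataclass

# Constructed logon events in an illustrative text format (a real DC Agent reads
# the Windows Security event log; 4624 = successful logon, 4625 = failed logon).
SAMPLE_LOGON_EVENTS = """\
2015-12-22 08:01:10 EventID=4624 Domain=CORP User=kmiller Workstation=CLASSROOM
2015-12-22 08:02:33 EventID=4624 Domain=CORP User=jdoe Workstation=LAB-PC7
2015-12-22 08:03:05 EventID=4625 Domain=CORP User=kmiller Workstation=LAB-PC9
2015-12-22 08:04:41 EventID=4624 Domain=CORP User=svc-backup Workstation=GHOST-HOST
"""

# Constructed name resolution table (step: resolve workstation name to IP address).
DNS = {"CLASSROOM": "10.0.1.25", "LAB-PC7": "10.0.1.37", "LAB-PC9": "10.0.1.39"}

# Constructed directory group membership (step: determine groups the user belongs to).
GROUPS = {
    "kmiller": {"Domain Users", "Students"},
    "jdoe": {"Domain Users", "Staff"},
    "svc-backup": {"Domain Users", "Service Accounts"},
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<id>\d+) Domain=(?P<domain>\S+) "
    r"User=(?P<user>\S+) Workstation=(?P<ws>\S+)$"
)


@dataclass(frozen=True)
class Session:
    """One FSSO logon record as the FortiGate unit would hold it."""
    user: str
    domain: str
    workstation: str
    ip: str
    groups: frozenset


def collect_sessions(event_text, dns=DNS, groups=GROUPS):
    """Mimic the Collector Agent: keep successful logons only, resolve the
    workstation to an IP, attach group membership. Returns (ip -> Session,
    list of log lines the FortiGate unit would record)."""
    sessions = {}
    log = []
    for line in event_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["id"] != "4624":
            continue  # malformed or not a successful logon: nothing to forward
        ip = dns.get(m["ws"].upper())
        if ip is None:
            # Without an IP the FortiGate unit cannot tie traffic to the user.
            log.append(f"unresolved workstation {m['ws']} for {m['domain']}\\{m['user']}; no session")
            continue
        sess = Session(m["user"], m["domain"], m["ws"], ip, frozenset(groups.get(m["user"], ())))
        sessions[ip] = sess  # a later logon from the same IP replaces the earlier user
        log.append(f"FSSO logon: {sess.domain}\\{sess.user} from {sess.workstation} ({ip}) "
                   f"groups={sorted(sess.groups)}")
    return sessions, log


# Constructed firewall policies, evaluated top-down, first match wins.
# 'group' is the FSSO user group a user must belong to for the policy to apply.
POLICIES = [
    {"name": "students-to-lms", "dst": "10.0.5.10", "group": "Students"},
    {"name": "staff-to-fileserver", "dst": "10.0.5.20", "group": "Staff"},
    {"name": "domain-users-to-web", "dst": "any", "group": "Domain Users"},
]


def select_policy(sessions, src_ip, dst_ip, policies=POLICIES):
    """Mimic FortiGate policy selection for a new connection: the source IP
    must map to an FSSO session, and that user must be in the policy's group."""
    sess = sessions.get(src_ip)
    if sess is None:
        return None  # no known user behind this IP: no FSSO policy matches
    for pol in policies:
        if pol["dst"] in ("any", dst_ip) and pol["group"] in sess.groups:
            return pol["name"]
    return None


if __name__ == "__main__":
    table, entries = collect_sessions(SAMPLE_LOGON_EVENTS)
    for entry in entries:
        print(entry)
    print(select_policy(table, "10.0.1.25", "10.0.5.10"))  # students-to-lms
    print(select_policy(table, "10.0.1.39", "10.0.5.10"))  # None (failed logon, no session)
```

Two details worth noticing when running it: the failed logon on LAB-PC9 never creates a session, so traffic from 10.0.1.39 matches no FSSO policy; and the logon from GHOST-HOST is logged but dropped because the workstation name did not resolve, which is the same gap a real deployment hits when DNS for workstations is stale.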
Fortinet Single Sign On Polling Mode
[Diagram: the Collector Agent on the Windows Server polls the Windows Domain Controller for user logon events]
• Polling mode does not require a Domain Controller Agent to be installed on each domain controller
• A Collector Agent installed on a Windows Server polls the domain controller for user logon information every few seconds and forwards it to the FortiGate unit
Domain Controller Mode versus Polling Mode
• Polling mode
  • Might not be as reliable, since a poll might be missed under heavy system traffic
  • Only one component needs to be installed on one server
  • FSSO in a Novell eDirectory environment works similarly to polling
    • The eDirectory agent polls the eDirectory server for user logon information and forwards it to the FortiGate unit
• Domain Controller mode
  • An agent must be installed on every domain controller in the domain
  • Each domain controller connection requires a guaranteed 64 kbps of bandwidth to ensure proper FSSO functionality
Fortinet Single Sign On Using NTLM Authentication
[Diagram: NTLM negotiation between the client browser and the FortiGate unit, which forwards the NTLM packets to the Collector Agent on the Windows Server]
• Fortinet Single Sign On can also provide NTLM authentication
• The FortiGate unit will initiate an NTLM negotiation with the client browser
• The FortiGate unit forwards the NTLM packets to the Collector Agent for processing
• The FortiGate unit determines access based on the user’s group membership and firewall policies for the destination
Labs
• Lab - Directory Service Authentication
  • Installing FSSO on the Windows server
  • Configuring FSSO on the FortiGate unit
  • Testing FSSO authentication