Date post: 22-Dec-2015
Upload: ashley-lamb
Fortinet Single Sign On
Page 1: Fortinet Single Sign On. Module Objectives By the end of this module participants will be able to: Describe how Windows login credentials can be used.

Fortinet Single Sign On

Page 2: Module Objectives

• By the end of this module participants will be able to:
  • Describe how Windows login credentials can be used to authenticate users to the FortiGate device
  • Configure Fortinet Single Sign On

Page 3: Directory Services Authentication

[Diagram: user Kelly Miller (password $d12*h1, "classroom") authenticates to a Directory Services Server, either Windows Active Directory or Novell eDirectory]
Page 4: Directory Services Authentication

• User authenticates to Directory Services at logon
  • Windows Active Directory
  • Novell eDirectory
• Authentication information is passed to the FortiGate unit
• User automatically gets access to permitted resources without any further authentication operations
• Uses Fortinet Single Sign On (FSSO)
  • Previously known as Fortinet Server Authentication Extensions (FSAE)

Page 5: Fortinet Single Sign On

[Diagram: Kelly Miller ($d12*h1, "classroom") logs on to the Windows Domain Controller; FSSO on the Windows Server passes the logon to the FortiGate]

• Detects logon event
• Records workstation name, domain and user
• Resolves workstation name to IP address
• Determines groups user belongs to
• Sends logon information to the FortiGate unit
• Creates a log entry on the FortiGate unit

Page 6: Fortinet Single Sign On

• FSSO monitors which user is logged on to which workstation and passes that information to the FortiGate unit
• When the user tries to access a network resource, the FortiGate unit selects the appropriate firewall policy
• User must belong to a permitted user group associated with that policy
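The pipeline on pages 5 and 6, simulated end to end as an added example (this is not the Fortinet DC Agent or Collector Agent code). The Security log lines, the DNS table, the directory groups and the FortiGate policies are all constructed stand-ins; the key=value rendering of event 4624/4625 is a simplification of the real Windows event fields. The point a practitioner should take from it is in `build_fsso_table`: the FortiGate keys the logged-on-user table by source IP, so a later logon from the same address silently replaces the earlier identity.

```python
"""FSSO logon-event pipeline, simulated with constructed data.

Steps as on the slide: detect a logon event, record workstation/domain/user,
resolve the workstation to an IP, look up the user's groups, hand the record
to the FortiGate, and let the FortiGate match a policy by group.
Added illustration, not the Fortinet DC Agent / Collector Agent code.
"""
from dataclasses import dataclass

# Constructed sample of Windows Security log events (4624 = successful logon,
# 4625 = failed logon), flattened to key=value pairs for this illustration.
SAMPLE_SECURITY_LOG = [
    "EventID=4624 LogonType=2 TargetUserName=kmiller TargetDomainName=CLASSROOM WorkstationName=WS-KELLY",
    "EventID=4624 LogonType=3 TargetUserName=WS-KELLY$ TargetDomainName=CLASSROOM WorkstationName=WS-KELLY",
    "EventID=4625 LogonType=2 TargetUserName=mallory TargetDomainName=CLASSROOM WorkstationName=WS-GUEST",
    "EventID=4624 LogonType=2 TargetUserName=jdoe TargetDomainName=CLASSROOM WorkstationName=WS-JOHN",
    "EventID=4624 LogonType=2 TargetUserName=tmp TargetDomainName=CLASSROOM WorkstationName=WS-GHOST",
]

# Constructed stand-ins for the DNS zone and the directory the agent queries.
DNS = {"WS-KELLY": "10.0.1.25", "WS-JOHN": "10.0.1.30", "WS-GUEST": "10.0.1.99"}
SALES = "CN=Sales,OU=Groups,DC=classroom,DC=local"
ENGINEERING = "CN=Engineering,OU=Groups,DC=classroom,DC=local"
DIRECTORY_GROUPS = {"kmiller": [SALES], "jdoe": [ENGINEERING]}

# Constructed FortiGate policies: matched by destination and by an FSSO user
# group, which is what the slide calls a permitted user group.
POLICIES = [
    {"name": "sales-internet", "dst": "internet", "groups": {SALES}},
    {"name": "eng-servers", "dst": "servers", "groups": {ENGINEERING}},
]


@dataclass(frozen=True)
class LogonRecord:
    """What the agent sends to the FortiGate for one logon."""
    user: str
    domain: str
    workstation: str
    ip: str
    groups: tuple


def parse_event(line: str) -> dict:
    return dict(pair.split("=", 1) for pair in line.split())


def logon_record(line: str, dns=DNS, directory=DIRECTORY_GROUPS):
    """Agent side: turn one Security log line into a record, or None."""
    ev = parse_event(line)
    if ev.get("EventID") != "4624":
        return None                     # failed logons never create a session
    user = ev["TargetUserName"]
    if user.endswith("$"):
        return None                     # machine accounts are not users
    ip = dns.get(ev["WorkstationName"])
    if ip is None:
        return None                     # unresolvable workstation: the FortiGate
                                        # could never match traffic to it
    return LogonRecord(user, ev["TargetDomainName"], ev["WorkstationName"],
                       ip, tuple(directory.get(user, ())))


def build_fsso_table(lines) -> dict:
    """FortiGate side: the logged-on-user table, keyed by source IP.
    A later logon from the same IP replaces the earlier one, so the identity
    is only as good as the IP-to-user mapping (shared hosts, NAT, stale entries)."""
    table = {}
    for line in lines:
        rec = logon_record(line)
        if rec is not None:
            table[rec.ip] = rec
    return table


def select_policy(table: dict, src_ip: str, dst: str):
    """FortiGate side: first policy whose destination matches and whose
    permitted group contains the user seen at src_ip; None means deny."""
    rec = table.get(src_ip)
    if rec is None:
        return None                     # no FSSO identity for this source
    for policy in POLICIES:
        if policy["dst"] == dst and policy["groups"] & set(rec.groups):
            return policy["name"]
    return None


if __name__ == "__main__":
    fsso = build_fsso_table(SAMPLE_SECURITY_LOG)
    for ip, rec in sorted(fsso.items()):
        print(f"{ip:12} {rec.domain}\\{rec.user:8} via {rec.workstation} groups={list(rec.groups)}")
    print("10.0.1.25 -> internet:", select_policy(fsso, "10.0.1.25", "internet"))
    print("10.0.1.30 -> internet:", select_policy(fsso, "10.0.1.30", "internet"))
```

Running it shows two entries in the table: the machine-account logon, the failed logon and the logon from the unresolvable workstation never reach the FortiGate. Feed the same log a second 4624 for jdoe on WS-KELLY and 10.0.1.25 now belongs to jdoe, which is the IP-keyed behaviour to keep in mind when a host is shared or sits behind NAT.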

Page 7: Fortinet Single Sign On Components

[Diagram: FSSO Collector Agent on the Windows Server, FSSO DC Agent on the Windows Domain Controller]

Page 8: Fortinet Single Sign On Components

• Depending on the working mode chosen for monitoring user logon events, the following components may be installed:
  • FSSO Collector Agent
  • FSSO Domain Controller Agent
• Two possible working modes
  • Domain Controller Agent mode
  • Polling mode

Page 9: Fortinet Single Sign On Domain Controller Agent Mode

[Diagram: a user logon event on the Windows Domain Controller is picked up by the DC Agent and passed to the Collector Agent on the Windows Server]

Page 10: Fortinet Single Sign On Domain Controller Agent Mode

• In this mode, a Domain Controller Agent is installed on each domain controller to monitor user logon events
• A Collector Agent installed on a Windows Server receives the logon event information from the DC Agent and forwards it to the FortiGate unit
• The FortiGate unit determines access based on the user's group membership and firewall policies for the destination

Page 11: Fortinet Single Sign On Polling Mode

[Diagram: the Collector Agent on the Windows Server polls the Windows Domain Controller for user logon events]

Page 12: Fortinet Single Sign On Polling Mode

• Polling mode does not require a Domain Controller Agent to be installed on each domain controller
• A Collector Agent installed on a Windows Server polls the domain controller for user logon information every few seconds and forwards it to the FortiGate unit

Page 13: Domain Controller Mode versus Polling Mode

• Polling mode
  • Might not be as reliable, since a poll might be missed under heavy system traffic
  • Only one component needs to be installed, on one server
  • FSSO in a Novell eDirectory environment works similarly to polling: the eDirectory agent polls the eDirectory server for user logon information and forwards it to the FortiGate unit
• Domain Controller mode
  • An agent must be installed on every domain controller in the domain
  • Each domain controller connection requires a guaranteed 64 kbps of bandwidth to ensure proper FSSO functionality

Page 14: Fortinet Single Sign On Using NTLM Authentication

[Diagram: NTLM negotiation between the client and the FortiGate; Collector Agent on the Windows Server, Windows Domain Controller, user logon event]

Page 15: Fortinet Single Sign On Using NTLM Authentication

• Fortinet Single Sign On can also provide NTLM authentication
• The FortiGate unit initiates an NTLM negotiation with the client browser
• The FortiGate unit forwards the NTLM packets to the Collector Agent for processing
• The FortiGate unit determines access based on the user's group membership and firewall policies for the destination

Click here to read more about NTLM authentication using FSSO
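The three-leg NTLM exchange the slide describes, with the FortiGate initiating, as an added example (not FortiOS or Collector Agent code). The NEGOTIATE, CHALLENGE and AUTHENTICATE message layouts follow MS-NLMP, but everything else is a constructed stand-in: the URL, the domain secret table, and above all the challenge/response, which is an HMAC over the server challenge rather than a real NTLMv2 computation. The `collector_validate` callback is where this example assumes the verification happens, matching the slide's statement that the FortiGate forwards the NTLM packets to the Collector Agent for processing; a Type 3 message that has only been parsed, not verified, is an unauthenticated claim of identity.

```python
"""NTLM over HTTP between a browser and a FortiGate that initiates the
negotiation, with constructed messages. Added illustration, not FortiOS or
Collector Agent code. Message layouts follow MS-NLMP; the challenge/response
stand-in is NOT NTLMv2 and only models that the response is bound to the
server challenge. Verifying it is modelled as the Collector Agent's job."""
import base64
import hashlib
import hmac
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
FLAGS = 0x00000001 | 0x00000004 | 0x00000200   # UNICODE | REQUEST_TARGET | NTLM


def _fields(data: bytes, offset: int) -> bytes:
    """Len / MaxLen / BufferOffset descriptor of a payload field."""
    return struct.pack("<HHI", len(data), len(data), offset)


def _read_field(msg: bytes, at: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def build_negotiate() -> bytes:
    """Type 1 (browser -> FortiGate): flags, empty domain and workstation."""
    hdr = 8 + 4 + 4 + 8 + 8
    return SIGNATURE + struct.pack("<II", 1, FLAGS) + _fields(b"", hdr) + _fields(b"", hdr)


def build_challenge(target: str, server_challenge: bytes) -> bytes:
    """Type 2 (FortiGate -> browser): 8-byte server challenge and target name."""
    target_b = target.encode("utf-16-le")
    hdr = 8 + 4 + 8 + 4 + 8 + 8 + 8            # through TargetInfoFields
    return (SIGNATURE + struct.pack("<I", 2) + _fields(target_b, hdr)
            + struct.pack("<I", FLAGS) + server_challenge + bytes(8)
            + _fields(b"", hdr + len(target_b)) + target_b)


def parse_challenge(msg: bytes) -> bytes:
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    return msg[24:32]                           # ServerChallenge


def build_authenticate(domain: str, user: str, workstation: str, nt_response: bytes) -> bytes:
    """Type 3 (browser -> FortiGate), field order per MS-NLMP 2.2.1.3."""
    payload = [b"", nt_response, domain.encode("utf-16-le"),
               user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    offset, descriptors = 8 + 4 + 6 * 8 + 4, b""   # payload starts after the flags
    for item in payload:
        descriptors += _fields(item, offset)
        offset += len(item)
    return SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", FLAGS) + b"".join(payload)


def parse_authenticate(msg: bytes) -> dict:
    """What the FortiGate extracts before forwarding: the claimed identity."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    return {"nt_response": _read_field(msg, 20),
            "domain": _read_field(msg, 28).decode("utf-16-le"),
            "user": _read_field(msg, 36).decode("utf-16-le"),
            "workstation": _read_field(msg, 44).decode("utf-16-le")}


# Constructed stand-in for the per-user secret the domain controller holds.
DC_SECRETS = {"CLASSROOM\\kmiller": b"stand-in-for-kmiller-secret"}


def stand_in_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def collector_validate(identity: dict, challenge: bytes) -> bool:
    """Collector Agent stand-in: recompute the response for the claimed user.
    Without this step the Type 3 message is an unverified claim."""
    secret = DC_SECRETS.get(f"{identity['domain']}\\{identity['user']}")
    return secret is not None and hmac.compare_digest(
        stand_in_response(secret, challenge), identity["nt_response"])


def run_exchange(domain: str, user: str, workstation: str, browser_secret: bytes):
    """Three round trips, FortiGate initiating. Returns (header log, identity, accepted)."""
    log = [("browser", "GET http://intranet.example/ HTTP/1.1"),
           ("fortigate", "HTTP/1.1 401 Unauthorized / WWW-Authenticate: NTLM")]
    t1 = build_negotiate()
    log.append(("browser", "Authorization: NTLM " + base64.b64encode(t1).decode()))
    challenge = os.urandom(8)
    t2 = build_challenge(domain, challenge)
    log.append(("fortigate", "HTTP/1.1 401 Unauthorized / WWW-Authenticate: NTLM "
                + base64.b64encode(t2).decode()))
    t3 = build_authenticate(domain, user, workstation,
                            stand_in_response(browser_secret, parse_challenge(t2)))
    log.append(("browser", "Authorization: NTLM " + base64.b64encode(t3).decode()))
    identity = parse_authenticate(t3)           # FortiGate forwards this to the collector
    accepted = collector_validate(identity, challenge)
    log.append(("fortigate", "HTTP/1.1 200 OK" if accepted else "HTTP/1.1 401 Unauthorized"))
    return log, identity, accepted
```

`run_exchange("CLASSROOM", "kmiller", "WS-KELLY", DC_SECRETS["CLASSROOM\\kmiller"])` ends in a 200; the same call with any other secret still parses as kmiller on WS-KELLY but ends in a 401, which is the distinction between reading an identity out of the Type 3 message and authenticating it.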

Page 16: Labs

• Lab - Directory Service Authentication
  • Installing FSSO on the Windows server
  • Configuring FSSO on the FortiGate unit
  • Testing FSSO authentication

Click here for step-by-step instructions on completing this lab

Click here to access the FSSO installation file

Page 17: Student Resources

Click here to view the list of resources used in this module