Fortinet FSAE User Manual

TECHNICAL NOTE
Fortinet Server Authentication Extension Version 1.5
www.fortinet.com
Fortinet Server Authentication Extension Technical Note
Version 1.5 01 October 2007
© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS

Contents

Using FSAE on your network ........................................................ 5
  FSAE overview .................................................................. 5
  Installing FSAE on your network ................................................ 7
    Installing FSAE .............................................................. 7
  Configuring FSAE on Windows AD ................................................. 8
    Configuring Windows AD server user groups .................................... 9
    Configuring collector agent settings ......................................... 9
      To configure the FSAE collector agent .................................... 10
    Configuring the Global Ignore List .......................................... 11
      To configure the Global Ignore List ...................................... 11
    Configuring FortiGate group filters ......................................... 11
      To view the FortiGate Filter List ........................................ 12
      To configure a FortiGate group filter .................................... 12
    Configuring TCP ports ....................................................... 13
  Configuring FSAE on FortiGate units ........................................... 14
    Specifying your collector agents ............................................ 14
      To specify collector agents .............................................. 14
    Viewing information imported from the Windows AD server ..................... 15
    Creating user groups ........................................................ 15
      To create a user group for FSAE authentication ........................... 15
    Creating firewall policies .................................................. 16
      To create a firewall policy for FSAE authentication ...................... 16
    Allowing guests to access FSAE policies ..................................... 17
  Testing the configuration ..................................................... 17
  NTLM authentication ........................................................... 17
    Understanding the NTLM authentication process ............................... 17
Fortinet Server Authentication Extension Version 1.5 Technical Note 01-30005-0373-20071001 3

Using FSAE on your network

The Fortinet Server Authentication Extension (FSAE) provides seamless authentication of Microsoft Windows Active Directory users on FortiGate units. This chapter describes how to install and configure FSAE on your Microsoft Windows network and how to configure your FortiGate unit to authenticate users using FSAE.
The following topics are included in this chapter:
FSAE overview
Installing FSAE on your network
Configuring FSAE on Windows AD
Configuring FSAE on FortiGate units
Testing the configuration
NTLM authentication

FSAE overview

On a Microsoft Windows network, users authenticate at logon. It would be inconvenient if users then had to enter another user name and password for network access through the FortiGate unit. FSAE provides authentication information to the FortiGate unit so that users automatically get access to permitted resources.
FortiGate units control access to resources based on user groups. Through FSAE, the Windows Active Directory (AD) groups are known to the FortiGate unit and you can include them as members of FortiGate user groups.
There are two mechanisms for passing user authentication information to the FortiGate unit:
FSAE software installed on a domain controller monitors user logons and sends the required information directly to the FortiGate unit.
Using the NTLM protocol, the FortiGate unit requests information from the Windows network to verify user authentication. This is used where it is not possible to install FSAE on the domain controller. The user must use the Internet Explorer (IE) browser.
FSAE has two components that you must install on your network:
The domain controller (DC) agent must be installed on every domain controller to monitor user logons and send information about them to the collector agent.
The collector agent must be installed on at least one domain controller to send the information received from the DC agents to the FortiGate unit.
Figure 1: FSAE with DC agent
In Figure 1, the Client User logs on to the Windows domain, information is forwarded to the FSAE Collector agent by the FSAE agent on the domain controller, and if authentication is successful, the information is then sent via the collector agent to the FortiGate unit.
Figure 2: NTLM FSAE implementation
In Figure 2, the Client User logs on to the Windows domain. The FortiGate unit intercepts the request, and requests information about the user login details. The returned values are compared to the stored values on the FortiGate unit that have been received from the domain controller.
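The DC-agent path shown in Figure 1 (DC agents report logons to the collector agent, the collector forwards them to the FortiGate unit, and the FortiGate unit maps the user's AD groups into its own user groups when a firewall policy is evaluated), as an added, simplified Python model. This is example code written for this note, not Fortinet's agents or their wire protocol; the class names, the Global Ignore List handling, and the sample users, groups and addresses are constructed assumptions.

```python
# Simplified model of the FSAE DC-agent flow (constructed example, not Fortinet code).
from dataclasses import dataclass

@dataclass(frozen=True)
class LogonEvent:
    """What a DC agent observes when a user logs on to the domain."""
    user: str
    domain: str
    ip: str                 # workstation address the user logged on from
    ad_groups: frozenset    # Windows AD groups the user belongs to

class FortiGate:
    """Holds the IP -> logon table and maps AD groups to FortiGate user groups."""
    def __init__(self, user_groups):
        self.user_groups = {k: set(v) for k, v in user_groups.items()}  # FortiGate group -> AD groups
        self.sessions = {}  # source IP -> LogonEvent received from the collector

    def update_session(self, event):
        self.sessions[event.ip] = event

    def groups_for_ip(self, ip):
        event = self.sessions.get(ip)
        if event is None:
            return set()    # no FSAE identity for this source: no group membership
        return {fg for fg, ad in self.user_groups.items() if ad & event.ad_groups}

    def policy_allows(self, ip, required_group):
        """Firewall policy that requires membership in one FortiGate user group."""
        return required_group in self.groups_for_ip(ip)

class CollectorAgent:
    """Receives events from every DC agent and forwards them to the FortiGate unit."""
    def __init__(self, fortigate, ignore_list=()):
        self.fortigate = fortigate
        self.ignore_list = {u.lower() for u in ignore_list}  # e.g. service accounts

    def receive(self, event):
        if event.user.lower() in self.ignore_list:
            return False    # dropped here; never reaches the FortiGate unit
        self.fortigate.update_session(event)
        return True

def run_example():
    """Constructed sample: two DC-agent logon events, one on the ignore list."""
    fgt = FortiGate({"FSAE_Staff": ["Domain Users"], "FSAE_Admins": ["Domain Admins"]})
    collector = CollectorAgent(fgt, ignore_list=["svc_backup"])
    collector.receive(LogonEvent("alice", "EXAMPLE", "10.0.0.5", frozenset({"Domain Users"})))
    collector.receive(LogonEvent("svc_backup", "EXAMPLE", "10.0.0.9", frozenset({"Domain Admins"})))
    return (fgt.policy_allows("10.0.0.5", "FSAE_Staff"), fgt.policy_allows("10.0.0.5", "FSAE_Admins"),
            fgt.policy_allows("10.0.0.9", "FSAE_Admins"), fgt.policy_allows("10.0.0.77", "FSAE_Staff"))
```

Only the first policy check succeeds: a logon the collector drops, or a source address with no forwarded logon, yields no FortiGate group membership at all.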