Configuring Directory Access settings

The FSSO Collector Agent can access Windows Active Directory in one of two modes:

• Standard — the FSSO Collector Agent receives group information from the Collector agent in the domain\user format. This option is available on FortiOS 3.0 and later.
• Advanced — the FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. This is option is available on FortiOS 3.0 MR6 and later. The group information is in standard LDAP format.

If you change AD access mode, you must reconfigure your group filters to ensure that the group information is in the correct format.

 

To configure Directory Access settings:

1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet

Single Sign On Agent.

2. In the Common Tasks section, select Set Directory Access Information.

The Set Directory Access Information dialog box opens.

3. From the AD access mode list, select either Standard or Advanced.

4. If you selected Advanced AD access mode, select Advanced Setting and configure the following settings and then select OK:

AD server address                    Enter the address of your network’s global catalog server.

AD server port                           The default AD server port is 3268. This must match your server port.

BaseDN                                      Enter the Base distinguished name for the global catalog. This is the point

in the tree that will be considered the starting point by default-See following example.

Username                                  If the global catalog accepts your Fortinet Single Sign On Agent agent’s cre- dentials, you can leave these fields blank. Otherwise, enter credentials for

Password

BaseDN example an account that can access the global catalog.

An example DN for Training Fortinet Canada is ou=training, ou=canada, dc=fortinet, dc=com. If you set the BaseDN to ou=canada, dc=fortinet, dc=com then when Fortinet Single Sign On Agent is looking up user credentials, it will only search the Canada organizational unit, instead of all the possible countries in the company. Its a short cut to entering less information and faster searches.

However, you may have problems if you narrow the BaseDN too much when you have international employees from the company visiting different offices. If someone from Fortinet Japan is visiting the Canada office in the example above, their account credentials will not be matched because they are in ou=japan, dc=fortinet, dc=com instead of the BaseDN ou=canada, dc=fortinet, dc=com. The easy solution is to change the BaseDN to simply be dc=fortinet, dc=com. Then any search will check all the users in the company.

 

Configuring the Ignore User List

The Ignore User List excludes users that do not authenticate to any FortiGate unit, such as system accounts. The logons of these users are not reported to FortiGate units. This reduces the amount of required resources on the FortiGate unit especially when logging logon events to memory.

 

To configure the Ignore User List:

1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet

Single Sign On Agent.

2. In the Common Tasks section, select Set Ignore User List.

The current list of ignored users is displayed:

3. Do any of the following:

• To remove a user from the list, select the the username and then select Remove. The user’s login is no longer ignored.
• To add users to be ignored,
• enter the username in the format domain\username and select Add or
• select Add Users, an Add Ignore Users window is displayed, checkmark the users you do not want to monitor, then select Add or
• select Add by OU, an Add Ignore Users by OU window is displayed, select an OU from the directory tree, then select Add. All users under the selected OU will be added to the ignore user list.

4. Select OK.