Configure FortiClient Telemetry connections with AD user groups

Configure FortiClient Telemetry connections with AD user groups

When FortiClient Telemetry connects to FortiGate/EMS, the user’s AD domain name and group are both sent to FortiGate/EMS. Administrators may configure the FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group. The following steps are discussed in more details:

l Configure users and groups on AD servers l Configure FortiAuthenticator l Configure FortiGate/EMS l Connect FortiClient Telemetry to FortiGate/EMS l Monitor FortiClient connections

Configure users and groups on AD servers

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configure FortiAuthenticator

Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure FortiGate/EMS

FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to User& Device > Single Sign-On.
  2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
  3. In the type field, select Fortinet Single-Sign-On Agent.

 

Telemetry connections with AD user groups

  1. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
  2. Select OK to save the agent configuration.

Create a user group:

  1. Go to User& Device > UserGroups.
  2. Select Create New in the toolbar. The New UserGroup window opens.
  3. In the type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the drop-down list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To drop-down list select the FSSO user group(s).
  5. Configure FortiClient configuration as required.
  6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy as described in Configure firewall policies on page 35. Ensure that Compliant with FortiClient Profile is selected in the policy.

EMS

Add a new domain:

  1. Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
  2. Enter the domain information as required.
  3. Select Test to confirm functionality, then, if successful, select Save to add the domain.

The domain’s organizational units (OUs) will automatically be populated in the Domains section under the Endpoints heading. For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Connect FortiClient Telemetry to FortiGate/EMS

The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.

Configure FortiClient Telemetry connections with AD user groups

Following this, FortiClient endpoint connections will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.

This entry was posted in FortiClient and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.