
New Features

ZTNA AD group lookup rule improvement

In 7.2.0, EMS performs Active Directory (AD) group lookup by default. Previously, FortiClient performed AD group lookup and sent the result to EMS. Instead of looking up the AD group for each user and/or workstation name that it receives from FortiClient, EMS can now get the member list of a group defined in a Zero Trust tagging rule and compare the user/workstation with the list to determine whether to apply a tagging rule. In cases where the user/endpoint is a member only of a subgroup or of both top and sublevel groups, EMS can now apply tags for both levels.

With this improvement, EMS can always access the AD server and can use the AD group lookup cache more efficiently. This solves the issue where an endpoint loses all AD-related tags when it goes offline. It also reduces the number of group lookup calls from one per endpoint to one per group referenced in the tagging rules, and to none when no tag is defined based on AD groups.

You can still configure FortiClient to perform AD group lookup as in previous versions using Evaluate on FortiClient.

This guide describes the following scenarios:

  • EMS performs AD group lookup (default behavior).
  • Configure FortiClient to perform AD group lookup using Evaluate on FortiClient.
  • EMS tags an endpoint based on nested AD groups.
To configure EMS to perform AD group lookup:
  1. In EMS, go to Administration > Authentication Servers. Import an AD domain to EMS.
  2. Go to Endpoints > Manage Domains and add the authentication server as an AD domain.
  3. Create an AD Group Zero Trust tagging rule:
    1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
    2. Click Add Rule.
    3. For OS, select Windows.
    4. From the Rule Type dropdown list, select User in AD Group.
    5. Do not enable Evaluate on FortiClient.
    6. From the AD Group dropdown list, select the desired AD group(s).
    7. Click Save.
  4. The EMS indicator beside the User in AD Group rule type shows that EMS performs the AD group lookup. Configure the remaining fields as desired, then click Save.

  5. On an AD domain-joined endpoint, log in as an AD user that belongs to the group configured in the rule. Install and register FortiClient to EMS using the FQDN or invitation code.
  6. On the FortiClient user details pane, verify that the AD group tag displays as configured.
  7. In EMS, verify that the endpoint displays with the AD group tag in Endpoints > All Endpoints and in Zero Trust Tags > Zero Trust Tag Monitor.
To configure FortiClient to perform AD group lookup using Evaluate on FortiClient:
  1. In EMS, go to Administration > Authentication Servers. Import an AD domain to EMS.
  2. Go to Endpoints > Manage Domains and add the authentication server as an AD domain.
  3. Create an AD Group Zero Trust tagging rule:
    1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
    2. Click Add Rule.
    3. For OS, select Windows.
    4. From the Rule Type dropdown list, select User in AD Group.
    5. Enable Evaluate on FortiClient. When this option is enabled, FortiClient performs AD group lookup.
    6. From the AD Group dropdown list, select the desired AD group(s).
    7. Click Save.
  4. The FCT indicator beside the User in AD Group rule type shows that FortiClient performs the AD group lookup. Configure the remaining fields as desired, then click Save.

  5. On an AD domain-joined endpoint, log in as an AD user that belongs to the group configured in the rule. Install and register FortiClient to EMS using the FQDN or invitation code.
  6. On the FortiClient user details pane, verify that the AD group tag displays as configured.
  7. In EMS, verify that the endpoint displays with the AD group tag in Endpoints > All Endpoints and in Zero Trust Tags > Zero Trust Tag Monitor.
To tag endpoints based on nested AD groups:
  1. In EMS, go to Administration > Authentication Servers. Import an AD domain with nested groups to EMS. In this example, R&D_CA is a member of R&D_NA. John Smith is a domain user and member of R&D_CA. In this case, when an endpoint is registered as user John Smith, FortiClient displays both tags, since R&D_CA is a member of R&D_NA.
  2. Go to Endpoints > Manage Domains and add the authentication server as an AD domain.
  3. Create an AD Group Zero Trust tagging rule:
    1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
    2. Click Add Rule.
    3. For OS, select Windows.
    4. From the Rule Type dropdown list, select User in AD Group.
    5. Do not enable Evaluate on FortiClient.
    6. From the AD Group dropdown list, select the top-level group. In this example, it is R&D_NA.
    7. Click Save.
  4. Configure remaining fields as desired, then click Save.

  5. Repeat steps 3 and 4 to configure a rule for the R&D_CA subgroup. Select R&D_CA from the AD Group dropdown list when configuring this rule.

  6. On an AD domain-joined endpoint, log in as an AD user that belongs to the subgroup. Install and register FortiClient to EMS using the FQDN or invitation code.
  7. On the FortiClient user details pane, verify that both AD group tags display as configured.
  8. In EMS, verify that the endpoint displays with both AD group tags in Endpoints > All Endpoints and in Zero Trust Tags > Zero Trust Tag Monitor.
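The following added example (not Fortinet code) models the EMS-side lookup described above: EMS expands the member list of each group named in a tagging rule once, nested groups included, and compares every endpoint's user against those lists, so the number of AD queries scales with rule groups rather than endpoints. The directory snapshot, endpoints, tag names and function names are constructed for illustration; the R&D_NA / R&D_CA nesting and the user John Smith follow the scenario on this page.

```python
# Constructed AD snapshot: group -> direct members (users or nested groups).
AD_GROUPS = {
    "R&D_NA": {"R&D_CA", "Alice Wong"},   # R&D_CA is a member of R&D_NA
    "R&D_CA": {"John Smith"},
    "Finance": {"Bob Lee"},
}

# Constructed Zero Trust tagging rules: AD group -> tag applied when matched.
RULES = {"R&D_NA": "RD_NA_TAG", "R&D_CA": "RD_CA_TAG"}

# Constructed registered endpoints: workstation -> logged-in AD user.
ENDPOINTS = {"PC-01": "John Smith", "PC-02": "Alice Wong",
             "PC-03": "Bob Lee", "PC-04": "John Smith"}


def expand_members(group, directory, cache, counter, _path=()):
    """Return every user in `group`, recursing into nested groups.
    Each distinct group is queried once and cached (the 'AD group lookup cache')."""
    if group in cache:
        return cache[group]
    counter["lookups"] += 1            # one AD query per group, never per endpoint
    members = set()
    for m in directory.get(group, set()):
        if m in directory:             # nested group: expand it too
            if m not in _path:         # guard against circular nesting
                members |= expand_members(m, directory, cache, counter, _path + (group,))
        else:
            members.add(m)
    cache[group] = members
    return members


def tag_endpoints(endpoints, rules, directory):
    """Apply a rule's tag to an endpoint when its user is in the rule group
    directly or through a subgroup, so a subgroup member gets both levels' tags.
    Returns (tags per endpoint, number of AD group lookups performed)."""
    cache, counter = {}, {"lookups": 0}
    membership = {g: expand_members(g, directory, cache, counter) for g in rules}
    tags = {}
    for host, user in endpoints.items():
        tags[host] = sorted(t for g, t in rules.items() if user in membership[g])
    return tags, counter["lookups"]


if __name__ == "__main__":
    result, lookups = tag_endpoints(ENDPOINTS, RULES, AD_GROUPS)
    for host, host_tags in result.items():
        print(host, host_tags)
    print("AD group lookups:", lookups)   # 2 groups queried for 4 endpoints
```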
