Handbook

6.0.0

Microsoft AD users

When FortiClient Telemetry connects to FortiGate, the user's AD domain name and group are sent to FortiGate. Administrators may configure FortiGate to assign Endpoint Profiles based on the end user's AD domain group membership.

The following steps are discussed in more detail:

Configuring users and groups on AD servers

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configuring FortiAuthenticator

Configure FortiAuthenticator to use the AD server you created.

Configuring FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to Security Fabric > Fabric Connectors.
  2. Select Create New in the toolbar. The New Fabric Connector window opens.
  3. Under SSO/Identity, select Fortinet Single-Sign-On Agent.
  4. Enter the information required for the agent. This includes the name, primary and (optional) secondary IP addresses, and passwords. Select More FSSO agents to add up to three additional agents.
  5. For Collector Agent AD access mode, select Standard or Advanced.
    1. Standard: select Users/Groups to include as Single-Sign-On accounts.
    2. Advanced: select an LDAP server in the dropdown list.
  6. Select OK to save the agent configuration.

Create a user group:

  1. Go to User & Device > User Groups.
  2. Select Create New in the toolbar. The New User Group window opens.
  3. In the Type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the dropdown list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Compliance.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To dropdown list select the FSSO user group(s).
  5. Configure the FortiClient settings as required.
  6. Select OK to save the new FortiClient profile.

Note: Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.

Configure the firewall policy:

Ensure Compliant with FortiClient Profile is selected in the firewall policy.

Connecting FortiClient Telemetry to FortiGate

The Microsoft Windows system where FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain username.

Once the endpoint has joined the domain, FortiClient Telemetry sends the logged-in user's name and domain to the FortiGate, and the FortiGate assigns the appropriate profile based on the configuration above.

Monitoring FortiClient connections

The following FortiOS CLI command lists information about connected clients, including any domain-related details for each client.

diagnose endpoint record-list

Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
Host MAC_Address = b0:ac:6f:70:e0:a0
MAC list = b0-ac-6f-70-e0-a0;
VDOM = root
Registration status: Forticlient installed but not registered
Online status: offline
DHCP on-net status: off-net
DHCP server: None
FCC connection handle: 6
FortiClient version: 5.1.29
AVDB version: 22.137
FortiClient app signature version: 3.0
FortiClient vulnerability scan engine version: 1.258
FortiClient feature version status: 0
FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
FortiClient config dirty: 1:1:1
FortiClient KA interval dirty: 0
FortiClient Full KA interval dirty: 0
FortiClient server config: d9f86534f03fbed109676ee49f6cfc09::
FortiClient config: 1
FortiClient iOS server mconf:
FortiClient iOS mconf:
FortiClient iOS server ipsec_vpn mconf:
FortiClient iOS ipsec_vpn mconf:
Endpoint Profile: Documentation
Reg record pos: 0
Auth_AD_groups:
Auth_group:
Auth_user:
Host_Name:
OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
Host_Description: AT/AT COMPATIBLE
Domain:
Last_Login_User: FortiClient_User_Name
Host_Model: Studio 1558
Host_Manufacturer: Dell Inc.
CPU_Model: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
Memory_Size: 6144
Installed features: 55
Enabled features: 21
online records: 0; offline records: 1
status -- none: 0; uninstalled: 0; unregistered: 1; registered: 0; blocked: 0
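As an added example (not part of the Fortinet documentation), the following Python parses output in the layout of the `diagnose endpoint record-list` command shown above and flags the records an administrator would want to check: endpoints that are installed but not registered, telemetry that arrived with an empty AD group or domain (so no group-based profile can match), and endpoints whose assigned Endpoint Profile differs from what their FSSO group should map to. The sample output, the group-to-profile mapping and the function names are assumptions made for this example.

```python
import re
# Constructed sample in the layout of `diagnose endpoint record-list` (made-up values).
SAMPLE_OUTPUT = """\
Record #1:
Registration status: Forticlient installed but not registered
Endpoint Profile: Documentation
Auth_AD_groups:
Auth_group:
Domain:
Record #2:
Registration status: registered
Endpoint Profile: Finance-Profile
Auth_AD_groups: CN=Finance,OU=Groups,DC=example,DC=com
Auth_group: Finance-FSSO
Domain: EXAMPLE
online records: 1; offline records: 1
"""
# Hypothetical admin mapping (assumption): FSSO group -> profile it should receive.
EXPECTED_PROFILE = {"Finance-FSSO": "Finance-Profile"}

def parse_record_list(text):
    """One dict per 'Record #N:' block; 'k = v' / 'k: v' lines become entries."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"Record #(\d+):", line)
        if head:
            current = {"record": int(head.group(1))}
            records.append(current)
        elif current and line and not line.startswith(("online records", "status --")):
            kv = re.match(r"([^=:]+?)\s*[=:]\s*(.*)", line)  # blank value -> ''
            if kv:
                current[kv.group(1).strip()] = kv.group(2).strip()
    return records

def review(records):
    """Flag unregistered endpoints, telemetry without AD group/domain, and mismatches."""
    findings = []
    for r in records:
        num = r["record"]
        if "not registered" in r.get("Registration status", ""):
            findings.append((num, "installed but not registered"))
        elif not r.get("Auth_AD_groups") or not r.get("Domain"):
            findings.append((num, "no AD group/domain in telemetry"))
        else:  # group arrived: check FortiGate assigned the profile we expect
            want = EXPECTED_PROFILE.get(r.get("Auth_group", ""))
            got = r.get("Endpoint Profile", "")
            if want and got != want:
                findings.append((num, f"profile {got!r}, expected {want!r}"))
    return findings
```

Run `review(parse_record_list(output))` on the saved output of the command; an empty result means every registered endpoint reported a domain and group and received the expected profile.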
