FortiManager configured with access to FSSO CA

6.0.0

This scenario is identical to FortiOS and FSSO CA, except that a FortiManager is also managing the FortiGates. In this scenario, FortiManager obtains information from the FSSO CA, then pushes it to the managed FortiGates. The AD server communicates with the FSSO CA, and the AD server is accessible from FortiManager.

Note: This mode is supported in FortiManager 5.4.0 and later versions.

This mode is recommended for environments where FortiManager is located physically near the CA server (and the LDAP server if advanced mode is used) and latency is low. Because FortiManager is close to the LDAP server in this scenario, it is more efficient in terms of bandwidth and performance for FortiManager to poll the LDAP tree directly from the LDAP server when needed. Similarly, it is recommended that FortiManager poll groups directly from the CA server in standard mode or when LDAP is not accessible.

When using this setup, it is recommended to position the FortiGate physically close to the CA server (and LDAP server when advanced mode is used) so latency is low.

Ensure FortiManager can access the LDAP server when advanced mode is used, because FortiManager needs LDAP access to define FSSO groups. If advanced mode is used but FortiManager or the FortiGate cannot reach the LDAP server, either configure the FSSO group filter on the CA server or use standard mode, which does not require LDAP access.
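The two preconditions in this section (FortiManager can reach the CA server with low latency, and can reach the LDAP server when advanced mode is used) can be checked before the configuration is pushed. The following is an added example and not Fortinet's own tooling: it probes each endpoint with a timed TCP connect and then maps the results onto the options the section gives (advanced mode with direct LDAP polling, advanced mode with the group filter on the CA server, or standard mode). The port numbers, the latency threshold and the host names are assumptions for illustration; substitute the ports your collector agent and directory actually listen on.

```python
import socket
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    """Outcome of a single TCP reachability/latency probe."""
    host: str
    port: int
    reachable: bool
    latency_ms: Optional[float]  # None when the connect failed


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Time a TCP connect to host:port from the machine running this script.

    Run it from the FortiManager's network segment (or a host beside it) so
    the measured latency reflects the FortiManager-to-CA / -LDAP path.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            elapsed_ms = (time.monotonic() - start) * 1000.0
            return ProbeResult(host, port, True, elapsed_ms)
    except (OSError, socket.timeout):
        return ProbeResult(host, port, False, None)


def recommend_fsso_options(ca: ProbeResult,
                           ldap: Optional[ProbeResult],
                           advanced_mode: bool,
                           max_latency_ms: float = 50.0) -> List[str]:
    """Translate probe results into the deployment options this section allows.

    max_latency_ms is an assumed threshold for "latency is low"; tune it to
    your environment.
    """
    options: List[str] = []

    # Without access to the CA server FortiManager cannot obtain FSSO data at all.
    if not ca.reachable:
        return ["blocked: FortiManager cannot reach the FSSO CA server"]

    if ca.latency_ms is not None and ca.latency_ms > max_latency_ms:
        options.append(f"warning: CA latency {ca.latency_ms:.1f} ms exceeds "
                       f"{max_latency_ms:.0f} ms; consider moving closer to the CA")

    if not advanced_mode:
        # Standard mode polls groups from the CA server and needs no LDAP access.
        options.append("standard mode: FortiManager polls groups from the CA server")
        return options

    if ldap is not None and ldap.reachable:
        options.append("advanced mode: FortiManager polls the LDAP tree directly")
        if ldap.latency_ms is not None and ldap.latency_ms > max_latency_ms:
            options.append(f"warning: LDAP latency {ldap.latency_ms:.1f} ms exceeds "
                           f"{max_latency_ms:.0f} ms")
        return options

    # Advanced mode requested but LDAP is unreachable: the section gives two ways out.
    options.append("advanced mode with the FSSO group filter configured on the CA server")
    options.append("standard mode instead (does not require LDAP access)")
    return options


if __name__ == "__main__":
    # Assumed endpoints for illustration; replace with your own.
    CA_HOST, CA_PORT = "fsso-ca.example.local", 8000   # assumed collector agent port
    LDAP_HOST, LDAP_PORT = "dc01.example.local", 636   # assumed LDAPS port

    ca_result = probe_tcp(CA_HOST, CA_PORT)
    ldap_result = probe_tcp(LDAP_HOST, LDAP_PORT)
    for line in recommend_fsso_options(ca_result, ldap_result, advanced_mode=True):
        print(line)
```

Running it from a host next to FortiManager before enabling advanced mode gives an early answer to the question the section raises: if the LDAP probe fails, the output lists the CA-side group filter and standard mode as the remaining choices rather than leaving the push to fail later.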
