FortiAuthenticator support (CA server inaccessible)
This scenario is identical to FortiManager configured without access to FSSO CA, except that FortiAuthenticator provides additional security. It is also similar to FortiAuthenticator support (CA server access). However, here, the CA server is not directly accessible. This scenario is common in an MSSP environment where the FortiGate is located at the customer's site. The FortiGate has access to the AD server and FortiAuthenticator with FSSO CA, while FortiManager does not. FortiManager communicates with the FortiGate.
When using FortiAuthenticator for FSSO, all LDAP group connections are done through FortiAuthenticator and filtered to the FortiGate. FortiAuthenticator acts as the centralized authentication authority for users, two-factor authentication, FSSO users, and so on, which is all filtered back to the FortiGate. FortiManager then uses the FortiGate to retrieve the filter information from the CA server. When using this setup, it is recommended to position the FortiGate physically close to the CA server to keep latency low.