Design concept and considerations

Authentication Sources and Access

Under the Authentication Sources and Access headings in Configuration, you can control network access for different users and devices in your network.

FortiSASE authentication controls system access by user group. By assigning individual users to the appropriate user groups, you can control each user’s access to network resources. You can define local users and remote users in FortiSASE. You can also integrate user accounts on remote authentication servers and connect them to FortiSASE.

You can configure FortiSASE authentication as follows:

  • Use Configuration > Users to define remote users, create/edit new user groups, and define local users
  • Use Configuration > LDAP, Configuration > RADIUS, and Configuration > VPN User SSO to define LDAP, RADIUS, and SSO via SAML IdP authentication sources, respectively

The authentication method that you configure for your FortiSASE SIA agent-based deployment depends on several factors: whether you have an existing authentication source to migrate from an existing deployment, whether you are designing a new architecture with a new authentication source, and any onboarding or usability advantages that a given authentication source and method offers your remote users.

This deployment guide outlines how to configure single sign-on (SSO) using Microsoft Entra ID via SAML. For configuring other authentication sources, see Authentication Sources and Access.

Deploying FortiClient on endpoints

The Onboard Users button, which is available from the Remote User Management widget on the Status dashboard, allows you to send an email to users to invite them to FortiSASE.

Remote users can download and install FortiClient on their own and register their FortiClient to FortiSASE Endpoint Management Service by using the instructions in the invitation email. You must still provision users via one of the aforementioned authentication sources and methods to give them access to VPN and other FortiSASE resources. The deployment guide describes how to deploy FortiClient on endpoints using this approach.

Alternatively, you can onboard users by automating the configuration of initial FortiClient settings, using either a mobile device management (MDM) tool or FortiSASE Endpoint Management Service.
