Fortinet black logo

Deployment overview

Copy Link
Copy Doc ID 1947280d-c519-11ee-8c42-fa163e15d75b:891466
Download PDF

FortiSASE secure Internet access (SIA) extends an organization’s security by enforcing common security policy for Intrusion Prevention Systems and application control, web and DNS filtering, antimalware, sandboxing, antibotnet/Command and Control to remote users.

SIA for agent-based remote users is the most typical use case, which involves installing and configuring FortiClient on supported endpoints including Windows, macOS, and Linux endpoints. The FortiSASE Administration Guide calls this use case endpoint mode. In this use case, the FortiSASE firewall as a service (FWaaS) comes between the endpoint and the Internet. Because FortiClient essentially sets up a full-tunnel SSL VPN with the FWaaS, agent-based SIA secures all Internet traffic and protocols using VPN policies. Each endpoint connects to a security PoP. You can achieve agent-based remote user authentication by configuring the authentication source as Active Directory (AD)/LDAP, RADIUS or as a SAML identity provider (SAML IdP).

You can automate initial endpoint configuration using a mobile device management (MDM) tool. End user deployment involves entering an invitation code in FortiClient and using a username and password to log in to the SIA SSL VPN tunnel to FortiSASE.

A typical topology for deploying this example design is as follows:

This deployment guide describes how to configure FortiSASE for agent-based SIA using FortiClient for remote workers with Windows endpoints and using single-sign on (SSO) using Microsoft Entra ID (formerly known as Azure AD) via SAML as the authentication method.

Intended audience

Midlevel network and security architects, engineers, and administrators in companies of all sizes and verticals looking to deploy FortiSASE SIA for agent-based remote users should find this guide helpful. A working knowledge of FortiOS, FortiGate, and FortiClient configuration is helpful.

For comments and feedback about this document, visit the FortiSASE Basic Endpoint Deployment on community.fortinet.com.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SIA use case using agent-based FortiClient for remote users with Windows endpoints and Entra ID via SAML for remote user authentication.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.

FortiSASE secure Internet access (SIA) extends an organization’s security by enforcing common security policy for Intrusion Prevention Systems and application control, web and DNS filtering, antimalware, sandboxing, antibotnet/Command and Control to remote users.

SIA for agent-based remote users is the most typical use case, which involves installing and configuring FortiClient on supported endpoints including Windows, macOS, and Linux endpoints. The FortiSASE Administration Guide calls this use case endpoint mode. In this use case, the FortiSASE firewall as a service (FWaaS) comes between the endpoint and the Internet. Because FortiClient essentially sets up a full-tunnel SSL VPN with the FWaaS, agent-based SIA secures all Internet traffic and protocols using VPN policies. Each endpoint connects to a security PoP. You can achieve agent-based remote user authentication by configuring the authentication source as Active Directory (AD)/LDAP, RADIUS or as a SAML identity provider (SAML IdP).

You can automate initial endpoint configuration using a mobile device management (MDM) tool. End user deployment involves entering an invitation code in FortiClient and using a username and password to log in to the SIA SSL VPN tunnel to FortiSASE.

A typical topology for deploying this example design is as follows:

This deployment guide describes how to configure FortiSASE for agent-based SIA using FortiClient for remote workers with Windows endpoints and using single-sign on (SSO) using Microsoft Entra ID (formerly known as Azure AD) via SAML as the authentication method.

Intended audience

Midlevel network and security architects, engineers, and administrators in companies of all sizes and verticals looking to deploy FortiSASE SIA for agent-based remote users should find this guide helpful. A working knowledge of FortiOS, FortiGate, and FortiClient configuration is helpful.

For comments and feedback about this document, visit the FortiSASE Basic Endpoint Deployment on community.fortinet.com.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SIA use case using agent-based FortiClient for remote users with Windows endpoints and Entra ID via SAML for remote user authentication.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.