Version: 23.1.8
Deployment overview

FortiSASE secure Internet access (SIA) extends an organization's security to remote users by enforcing a common security policy that covers intrusion prevention (IPS), application control, web and DNS filtering, antimalware, sandboxing, and antibotnet / command-and-control (C2) protection.

SIA for agent-based remote users is the most common use case. It involves installing and configuring FortiClient on supported endpoints, including Windows, macOS, and Linux. The FortiSASE Administration Guide calls this use case endpoint mode. In this use case, the FortiSASE firewall as a service (FWaaS) sits between the endpoint and the Internet. Because FortiClient establishes a full-tunnel SSL VPN to the FWaaS, agent-based SIA secures all of the endpoint's Internet traffic and protocols using VPN policies. Each endpoint connects to a FortiSASE security point of presence (PoP). Agent-based remote user authentication can be configured with Active Directory / LDAP, RADIUS, or a SAML Identity Provider (SAML IdP) as the authentication source.

Initial configuration of endpoints can be automated using a mobile device management (MDM) tool. End-user deployment involves entering an invitation code into FortiClient and then logging into the Secure Internet Access SSL VPN tunnel to FortiSASE with a username and password.

A typical topology for deploying this example design is as follows:

This deployment guide describes how to configure FortiSASE for agent-based secure Internet access using FortiClient for remote workers on Windows endpoints, with single sign-on (SSO) to Azure Active Directory (Azure AD) via SAML as the authentication method.

Intended audience

Mid-level network and security architects, engineers, and administrators in companies of all sizes and verticals who are looking to deploy FortiSASE Secure Internet Access for agent-based remote users should find this guide useful. A working knowledge of FortiOS, FortiGate, and FortiClient configuration is helpful.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SIA use case using agent-based FortiClient for remote users with Windows endpoints and Azure AD via SAML for remote user authentication.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.
