
Design concept and considerations

Proxy configuration

This solution's design uses FortiSASE secure web gateway agentless mode, which involves configuring and hosting a proxy autoconfiguration (PAC) file for respective endpoints to connect to the FortiSASE gateway. FortiSASE provides a preconfigured PAC file hosted on the FortiSASE server for use. You can download and customize the PAC to exclude the SSL VPN gateway and internal networks from being proxied. The customer server must host the custom PAC file.

Once the PAC file is hosted, endpoint computers must be configured to enable the proxy server and point to the PAC file to retrieve the proxy settings. On a Windows machine, configuring proxy settings at the operating system (OS) level is recommended so that all traffic is proxied. On other OSes where there is no option to configure proxy settings at the OS level, you can configure the browser to point to the PAC file.

To centrally manage proxy settings on endpoints, customers should consider using group policy management for Windows or other centralized management systems like mobile device management.
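As an added example that is not part of the Fortinet page, the following PAC file implements the design described above: it sends web traffic to the FortiSASE gateway and bypasses the proxy for the SSL VPN gateway and internal networks. The gateway address, SSL VPN hostname, internal DNS suffix and RFC 1918 ranges are placeholders and assumptions to replace with your own values.

```javascript
// Added example PAC file (not from the Fortinet page): FindProxyForURL sends
// web traffic to the FortiSASE SWG and bypasses the proxy for the SSL VPN
// gateway and internal networks, as the design above describes.
// PLACEHOLDER values: replace with your tenant's gateway and VPN hostname.
var FORTISASE_PROXY = "PROXY swg.example-tenant.invalid:443";
var SSLVPN_GATEWAY = "sslvpn.example.com";
var INTERNAL_DOMAIN = ".corp.example.internal";       // assumed internal DNS suffix
var INTERNAL_NETS = [                                 // assumed RFC 1918 ranges
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Browsers expose isInNet/dnsDomainIs/isPlainHostName in the PAC runtime; the
// small equivalents below are used instead so the file also runs under Node.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function inNet(ip, net, mask) {
  var h = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);   // compare as unsigned 32-bit
}
function isInternalIp(host) {
  // Literal IPs only; a browser PAC could first call dnsResolve(host),
  // at the cost of a DNS lookup per request.
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";          // plain intranet names
  if (host === SSLVPN_GATEWAY) return "DIRECT";           // SSL VPN gateway bypass
  if (host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return "DIRECT";
  if (isInternalIp(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the SWG is unreachable, traffic fails closed
  // rather than silently leaving the tenant's web filtering.
  return FORTISASE_PROXY;
}
```

Host the file on your own server as the paragraph above requires, and point the OS or browser proxy setting at its URL.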

User configuration

You configure users on FortiSASE so that endpoints can authenticate and connect to the FortiSASE gateway. If SAML SSO is enabled on FortiSASE, you cannot configure an LDAP or RADIUS connection. When designing the solution, consider where users are defined in your organization and use one of the following methods to integrate that user store with FortiSASE:

User type: LDAP
Integration method:
  1. Configure an LDAP connection.
  2. Import users and groups from the LDAP server to FortiSASE.

User type: RADIUS
Integration method:
  1. Configure a RADIUS connection.
  2. Import users and groups from the RADIUS server to FortiSASE.

User type: Single sign-on (SSO)
Integration method: Configure an SSO connection, with FortiSASE as the service provider and another service, such as Azure Active Directory, as the identity provider.

See Authentication Sources and Access for information on authentication methods.

Caution

SSO authentication is strongly recommended for SWG users. See Known issues for details.

See Configuring SSO SAML users for steps on configuring SSO authentication for SWG users.
