FSSO Question for 2 domains

Author
jcm05
New Member
  • Total Posts : 14
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/07/01 07:51:13
  • Status: offline
2019/08/21 08:26:33 (permalink)
0

I am currently using an explicit proxy on domain a.com with a primary FSSO agent on both domain controllers in domain a.com, and everything is working fine. Now we have begun testing a new domain environment, domain b.com, at a remote location across an MPLS circuit. Both the a.com and b.com domains are trusted with each other, and when I open my FSSO agent on domain a.com I can see domain b.com to monitor. I have created a new LDAP server on my FortiGate and I can connect to the b.com domain when I test connectivity. So on domain b.com, do I need to install a new FSSO agent and add another agent on the FortiGate, or do I just install the DC agent on domain b.com and point the collectors to my FSSO agents on my current a.com domain? I'm on version 5.6.8 at the moment and I'm a little confused on what I need to install on the domain b.com DC, either the FSSO agent or just the DC agent.
#1


    Fishbone_FTNT
    Gold Member
    • Total Posts : 57
    • Scores: 27
    • Reward points: 0
    • Joined: 2015/02/02 02:13:08
    • Status: offline
    Re: FSSO Question for 2 domains 2019/08/21 08:39:37 (permalink)
    0
    Hi John,
    You have two options:
    1 - simpler - install on b.com another FSSO CA, if you can. This is much easier to operate and will work well.

    2 - complex - you can, as you suggested, point the DCAgent from b.com -> ca.a.com, but in that case you need to configure a specific LDAP server for b.com on ca.a.com. Besides that, you need to create the correct group filter between the FGT and the CA. This will be tricky, since you can have only one LDAP server selected in the FortiGate and in the FSSO CA too.
    Luckily, for such cases, 'config user adgrp' can be edited manually. Or you can manually edit the group filter on the CA; both ways are possible.
     
    So my advice, unless you really can't, is to go for option 1.
     
    Fish
    #2
    jcm05
    New Member
    • Total Posts : 14
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/01 07:51:13
    • Status: offline
    Re: FSSO Question for 2 domains 2019/08/21 09:01:58 (permalink)
    0
    I believe I should be able to go the option 1 route. So once I install the FSSO collector on the new DC in b.com, I also need to add that into the Single Sign-On agent section as another FSSO agent with the IP and password I set on the FSSO agent. I was always a little confused on the single sign-on server, as there is a primary FSSO agent and then an FSSO agent with the ability to add more; I thought it was more for failover, but it seems I might need to add the new one I install as well.
    #3
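For readers following this thread, here is what option 1 looks like on the FortiGate side once a second collector agent is running in b.com. This is an added illustration, not configuration posted by either participant or published by Fortinet: the agent names, IP addresses, password placeholders, LDAP server names and the group DN are all made up, and the command syntax is written from the FortiOS 5.6 CLI as the editor remembers it, so check it against the 5.6 CLI reference before pasting. The point it shows is the one Fish raised: each FSSO agent entry carries its own single LDAP server, so a second collector with its own LDAP server avoids the one-LDAP-server-per-agent limit, and the `config user adgrp` entries for b.com groups are tied to that second agent.

```fortios
# Two collector agents, one per domain, each bound to its own LDAP server.
# Assumed names and addresses: replace with your own.
config user fsso
    edit "FSSO_a_com"
        set server "10.0.1.10"            # collector in a.com (assumed IP)
        set password <AGENT_PASSWORD_A>   # password set in the a.com CA
        set ldap-server "ldap_a_com"      # LDAP server object for a.com
    next
    edit "FSSO_b_com"
        set server "10.0.2.10"            # new collector in b.com (assumed IP)
        set password <AGENT_PASSWORD_B>   # password set in the b.com CA
        set ldap-server "ldap_b_com"      # LDAP server object for b.com
    next
end

# Group entries learned from the b.com collector. With a separate agent per
# domain these are normally populated automatically; this is what an entry
# looks like if it has to be added by hand, as the reply mentions.
config user adgrp
    edit "CN=ProxyUsers,OU=Groups,DC=b,DC=com"   # placeholder group DN
        set server-name "FSSO_b_com"
    next
end

# FSSO user group that the explicit proxy policy can reference.
config user group
    edit "Proxy_Users_b_com"
        set group-type fsso-service
        set member "CN=ProxyUsers,OU=Groups,DC=b,DC=com"
    next
end
```

After this is in place, `diagnose debug authd fsso server-status` (the same command used to check the existing a.com agent) should list both collectors as connected; if the b.com agent shows as disconnected, the usual causes are the agent password not matching and TCP port 8000 being blocked across the MPLS link.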