FSSO Issue " Some users didn't reach internet "

Author
foxlet
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/03 01:50:14
  • Status: offline
2020/06/03 05:25:05 (permalink)
0

FSSO Issue " Some users didn't reach internet "

Good day dears, 
 
I have recently deployed FSSO in my environment.
 
I have FSSO agent installed on DC , Status Running and perfect.
I have FSSO Fabric Connector up and running.
I have FFSO Login Logs from Users.
I have FFSO IPV4 Policy to rout the AD Group working.
 
Many Domain users managed to reach internet through that Ipv4 policy and everything is fine with them, except few other users including me :D ! my machine is domain joined and my account is fine, yet i could not reach internet, neither did few other users.
 
What could be the problem ?
#1
xsilver
Expert Member
  • Total Posts : 509
  • Scores: 129
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Location: EMEA
  • Status: offline
Re: FSSO Issue " Some users didn't reach internet " 2020/06/04 10:33:57 (permalink)
0
I'd start from user to FGT .. 
1. when you login to windows, is your logon caught by FSSO and reported to FGT ?
2. no? then what's the mode .. polling DCs or DCAgents installed ?
3. DCAgents .. on ALL DCs ? so echo %logonserver% on workstation shows the DC chosen to verify your creds and that DC is monitored by DCAgent (or polled) ?
 
Usual problems are:
- DC used by WKS (logonserver) not monitored
- user's group membership not matching with group filters
- Collector Agent running in Standard mode but FGT set with LDAP server and so Group Filters are not in compatible format (FGT push LDAP format, while Collector in standard uses MSFT group format, in advanced mode it uses LDAP format and so IS compatible with FGT config. Alt. is to have FGT configured WITHOUT LDAP in FSSO connector and so getting groups from Collector in whatever form. However when you switch then check also groups on FGT as they might not match as change breaks the bonds between 'config user group' and 'config user adgrp' records.)
- users might also be on Ignore List

Kind Regards,
Tomas
#2
Jump to:
© 2020 APG vNext Commercial Version 5.5