Security at the edge of the network is normally geared toward guarding against external threats. However, Fortinet’s latest generation of unified threat management (UTM) devices also provides robust tools for managing and monitoring network access from inside the network. Understanding how to make use of these tools can save businesses money and make the network administrator’s job easier.
A key feature of Fortinet’s FortiGate line of UTM appliances is robust web filtering combined with network directory services integration. This article demonstrates best practices for installing and configuring the FortiGate Server Authentication Extension (FSAE) directory services integration tools on an Active Directory domain controller, so that network administrators can monitor and control employee access to Internet sites and services.
FortiGate uses a server-based agent to pass directory logins and authentication information to the FortiGate unit. The FortiGate Server Authentication Extension is a free download from the Fortinet support website. FSAE supports both Microsoft Active Directory and Novell eDirectory. The FSAE has two components: a Monitoring Agent that is installed on each directory controller and watches for logins, and a Collector Agent that gathers those events and passes the login and authentication information to the FortiGate unit.
In February 2009, Fortinet released their latest version (4.0) of the FortiOS operating system that runs on FortiGate and Fortinet’s other products. This tutorial will be illustrated using version 3.2 Management Release 7, Patch 6, which is still in use at many organizations. The FortiGate portion of the setup is essentially the same in v.4.0.
The latest version of FSAE is 3.5.041, which is compatible with FortiOS 4.0.2 and earlier releases. Use this release of the FSAE so that a later migration to FortiOS 4.0 goes more smoothly. The FSAE installer is available from the FTP servers at support.fortinet.com, under the directory tree for the FortiGate OS versions.
The FSAE directory agent must be installed on each domain or directory controller in the domain. Although Fortinet’s current technical documentation on installing and configuring FSAE does not mention Server 2008, the current build of FSAE is compatible with Server 2008 in both 32- and 64-bit versions. For this article, FSAE was tested on a mixed network with a Server 2003 Flexible Single Master Operation (FSMO) role holder and a Server 2008 domain controller.
FSAE monitors only users who are members of Domain Local or Global Security Groups. It will not report logins for users based solely on their Organizational Unit, or for members of Distribution Groups. Fortinet Technical Assistance Center Engineer Vlad Kulik recommends creating Fortinet-specific security groups to make managing permissions and access profiles more flexible.
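As an added example (not part of the original article or of Fortinet’s tools), the following PowerShell creates Fortinet-specific Global Security groups and then audits an OU for groups that fall outside the Domain Local/Global Security set FSAE monitors. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), a hypothetical domain foo.local with an OU named Fortinet, and illustrative group names FG-Web-Standard, FG-Web-Unfiltered and FG-VPN-Users.

```powershell
# Added example, not from the article: create FSAE-friendly security groups
# and audit existing ones. Assumed: domain foo.local, OU "Fortinet".
Import-Module ActiveDirectory

$groupOU = "OU=Fortinet,DC=foo,DC=local"   # assumed OU holding FortiGate groups

# One AD group per FortiGate user group / protection profile (names are illustrative).
$fgGroups = @(
    @{ Name = "FG-Web-Standard";   Description = "Default web access profile" },
    @{ Name = "FG-Web-Unfiltered"; Description = "Unfiltered web access (IT, execs)" },
    @{ Name = "FG-VPN-Users";      Description = "Allowed remote VPN login" }
)

foreach ($g in $fgGroups) {
    $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $groupOU
    if (-not $existing) {
        # Global + Security is a combination FSAE monitors; a Distribution group
        # of the same name would never appear on the FortiGate.
        New-ADGroup -Name $g.Name -Path $groupOU -GroupScope Global `
                    -GroupCategory Security -Description $g.Description
    }
}

function Test-FsaeGroupScope {
    # Returns $true only for Security groups with Domain Local or Global scope,
    # the groups FSAE will watch for logins.
    param($Group)
    $okScopes = @('Global', 'DomainLocal')
    return (("$($Group.GroupCategory)" -eq 'Security') -and
            ($okScopes -contains "$($Group.GroupScope)"))
}

# Audit every group in the OU before referencing it in a Collector Agent filter.
Get-ADGroup -Filter * -SearchBase $groupOU |
    ForEach-Object {
        [PSCustomObject]@{
            Group    = $_.Name
            Scope    = $_.GroupScope
            Category = $_.GroupCategory
            FsaeOK   = Test-FsaeGroupScope $_
        }
    } | Format-Table -AutoSize
```

Any row reporting FsaeOK as False (a Distribution group, or a Universal group) should be recreated as a Global or Domain Local Security group before it is selected in the Collector Agent group filter.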
The first installation step is to run FSAE_Setup.exe and install the Collector Agent. The Collector Agent can run on any PC or domain controller. When first installing FSAE, it will install the Collector Agent and will then automatically launch the installer for the AD Monitoring Agent. At the first stage of the install, check the Server option if you are installing both the Collector and Monitor Agents. Select Monitor to run the Monitor Agent install alone (for example, when installing on additional domain controllers). My recommendation is to run the Collector Agent on a domain controller, even though Fortinet says you can run on another PC.
FSAE will install a service on the domain controller; you will be asked to provide an AD user name and password for this service during the install. By default, FSAE monitors both Lightweight Directory Access Protocol (LDAP) logins and NT LAN Manager (NTLM) logins. Accept the defaults. Next, you will be asked to select the access method to use for AD. Select the Advanced option to set up LDAP access.
Figure 1. Set AD Access Dialog
When the Collector Agent install is finished, the Monitoring Agent installer should start automatically. Enter the IP address of the Collector Agent PC if it is different from the domain controller on which you are installing the Monitoring Agent. Enter the trusted local domains and subnets, and complete the installation.
Once the software is installed on all the required boxes, run the Collector Agent Configuration application. Check the Require authenticated connection from FortiGate box and enter a password that the FortiGate must present to communicate with the Collector Agent. This password is a shared secret between the FortiGate and the Collector Agent, so choose a strong one and record it; you will enter it again on the FortiGate.
The next step is to set up group filtering on the Collector Agent, which selects the groups to monitor for logins. From the Collector Agent Configuration application, select Set Group Filters, then Add. Use the default filter in a single-FortiGate environment, then select the Advanced button to display the AD tree. Place a check next to the groups you wish to monitor and authenticate.
Figure 2. Set Collector Agent Group Filtering
Log in to the FortiGate from the web user interface, navigate to User->Remote->LDAP and select Create New. Enter a name for the server entry, then the Fully Qualified Domain Name or IP address of an Active Directory Global Catalog server, and leave the default port as is. In most installations the Common Name Identifier will be cn. The Distinguished Name field should be the LDAP DN of the domain, built from its DNS components; for example, dc=foo,dc=local for the domain foo.local (dn= is not valid LDAP syntax). Leave the bind type set to Simple. Note that a simple bind over the default port sends credentials in clear text, so keep the path between the FortiGate and the domain controller on a trusted network segment.
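To confirm the Distinguished Name and Common Name Identifier before typing them into the FortiGate LDAP dialog, here is an added PowerShell check (not from the article or Fortinet). It derives the base DN from the domain FQDN and runs a cn search against a Global Catalog server using the current Windows credentials. The domain foo.local, the server gc01.foo.local and the user jdoe are assumed values.

```powershell
# Added example, not from the article: derive and verify the FortiGate
# "Distinguished Name" and cn identifier. Assumed: foo.local, gc01.foo.local, jdoe.
function ConvertTo-BaseDN {
    param([string]$Fqdn)
    # foo.local -> DC=foo,DC=local  (DC=, not "dn=")
    return (($Fqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ',')
}

$server = "gc01.foo.local"          # assumed Global Catalog server
$baseDN = ConvertTo-BaseDN "foo.local"
"Base DN for the FortiGate dialog: $baseDN"

# Bind over the default LDAP port as the current user and search by cn,
# mirroring what the FortiGate will do with Common Name Identifier = cn.
$root     = [ADSI]"LDAP://$server/$baseDN"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)(cn=jdoe))"
$hit = $searcher.FindOne()

if ($hit) {
    "Found: $($hit.Properties['distinguishedname'])"
} else {
    "No user matched cn=jdoe under $baseDN; re-check the DN and the cn identifier"
}
```

If the search returns nothing, correct the DN or the identifier here before repeating the entry on the FortiGate, where a mistake only shows up later as failed group lookups.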
Figure 3. Remote LDAP Configuration
Next, go to the User->Directory Service screen and select Create New. Enter the IP address of the computer on which the Collector Agent is running, leave the default port as is, and enter the password you set for Require authenticated connection from FortiGate above.
Click OK and close. Wait a few seconds, then click the refresh button next to the new listing. According to the Fortinet Technical Assistance Center, this can take a few minutes depending on the number of users. When the FortiGate is receiving group information from the Collector Agent, a blue triangle appears next to the server name. Click the triangle to view the domain tree, which should now include the groups you selected in your Group Filter, or the entire available domain tree if you did not set up filters.
Figure 4. Working LDAP Collector Service on the FortiGate
Last, we create user groups on the FortiGate unit from the AD groups it now sees. Go to User->User Group and select Create New. Give it a name and, under Type, select Directory Service from the drop-down menu. The list of AD groups will appear and can be added to the group. These FortiGate groups can then be used in web access policies as well as for remote logins (for example, VPN authentication).
Configuring actual access policies, and the all-important overrides, is a subject for another tutorial. However, Kulik, Fortinet’s TAC engineer, offers two pointers worth keeping in mind.
“Remember that permissions are determined by assigned protection profile, so configure unique protection profiles for each group that should have a different set of permissions,” says Kulik.
Also, most organizations will want to configure a guest-access policy that allows non-domain authenticated users some limited access to the outside world.
One component of Fortinet’s marketing pitch is to compare the cost of a FortiGate unit against a traditional hardware firewall (such as a Cisco unit) paired with a software content filter such as Websense. In the real world, FortiGate’s built-in web filtering is not nearly as granular as a standalone product like Websense. However, from a price/performance standpoint, FortiGate is sufficient for many organizations. By making use of directory services integration with FortiGate, savvy network administrators can realize much of the cost savings that the marketing promises.
Connor Anderson is vice president of Riverfront Technology in Clinton, Iowa.