Solved

Fortigate 90D with windows active directory

Posted on 2015-02-05
4
71 Views
Last Modified: 2015-11-20
Hi all,

I have a FG-90D ( on FortiOS 5.2.2 )that i'm planning to install in the windows active directory environment ( DC is MS windows 2000 , i know due to upgrade but options are limited ) . All the interface config and static route and basic firwall policy has been applied and its working fine.

What i'm trying to achieve?
Setup the UTM in such a way that i'm able to block all the websites that is not in the whitelist for selected users or group. And give certain users or group unrestricted access to the internet using etc policy or etc.

So i need your expert advise and option.

Many thanks in advance
0
Comment
Question by:Danbrasco
  • 2
4 Comments
 
LVL 4

Expert Comment

by:Praveen Kumar Bonala
ID: 40591163
If you have limited website list to provide to access to end user you can go with your plan,
but if that white list is growing it could be head ache for you...
0
 
LVL 18

Expert Comment

by:Don S.
ID: 40591253
The key here is to correctly identify the user.  I don't know that the Fortigate will integrate with the 2000 DC to provide user authentication - so that is a problem.  Alternatively, You could setup local users in the fortigate and have everyone authenticate to the fortigate everytime they start a web browser session (I know, not good)  You also might be able to setup Radius authentication in the fortigate, but that only resolves the pain of having to enter all the users into the fortigate locally - the user would still be prompted to enter credentials to browse.  Other solutions would be to setup a separate proxy machine that does the website filtering independent of the fortigate - but that is adding a lot more complexity to the mix and in my experience is not worth it.
0
 

Author Comment

by:Danbrasco
ID: 40591499
Hi,

Praveen, email whitelist rarely changes and its been same for sometime. so i don't think it will be problem.

dons6718, i understand the limitation posed by the current setup. To keep it simple, i'm trying to avoid radius or proxy server. If SSOF is not possible, what about using just the LDAP to get the users, computers and groups list and implement restriction policy on that these objects?
I'm open to advise and opinions.


Thanks in advance
0
 
LVL 4

Accepted Solution

by:
Praveen Kumar Bonala earned 500 total points
ID: 40591670
In that case it could be ok..
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your computer hacked? learn how to detect and delete malware in your PC
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question