Solved

Fortigate 90D with windows active directory

Posted on 2015-02-05
4
62 Views
Last Modified: 2015-11-20
Hi all,

I have a FG-90D ( on FortiOS 5.2.2 )that i'm planning to install in the windows active directory environment ( DC is MS windows 2000 , i know due to upgrade but options are limited ) . All the interface config and static route and basic firwall policy has been applied and its working fine.

What i'm trying to achieve?
Setup the UTM in such a way that i'm able to block all the websites that is not in the whitelist for selected users or group. And give certain users or group unrestricted access to the internet using etc policy or etc.

So i need your expert advise and option.

Many thanks in advance
0
Comment
Question by:Danbrasco
  • 2
4 Comments
 
LVL 4

Expert Comment

by:Praveen Kumar Bonala
ID: 40591163
If you have limited website list to provide to access to end user you can go with your plan,
but if that white list is growing it could be head ache for you...
0
 
LVL 18

Expert Comment

by:Don S.
ID: 40591253
The key here is to correctly identify the user.  I don't know that the Fortigate will integrate with the 2000 DC to provide user authentication - so that is a problem.  Alternatively, You could setup local users in the fortigate and have everyone authenticate to the fortigate everytime they start a web browser session (I know, not good)  You also might be able to setup Radius authentication in the fortigate, but that only resolves the pain of having to enter all the users into the fortigate locally - the user would still be prompted to enter credentials to browse.  Other solutions would be to setup a separate proxy machine that does the website filtering independent of the fortigate - but that is adding a lot more complexity to the mix and in my experience is not worth it.
0
 

Author Comment

by:Danbrasco
ID: 40591499
Hi,

Praveen, email whitelist rarely changes and its been same for sometime. so i don't think it will be problem.

dons6718, i understand the limitation posed by the current setup. To keep it simple, i'm trying to avoid radius or proxy server. If SSOF is not possible, what about using just the LDAP to get the users, computers and groups list and implement restriction policy on that these objects?
I'm open to advise and opinions.


Thanks in advance
0
 
LVL 4

Accepted Solution

by:
Praveen Kumar Bonala earned 500 total points
ID: 40591670
In that case it could be ok..
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now