
FortiGate 90D with Windows Active Directory

Hi all,

I have an FG-90D (on FortiOS 5.2.2) that I'm planning to install in a Windows Active Directory environment (the DC is MS Windows 2000; I know it is due for an upgrade, but options are limited). All the interface config, static routes and basic firewall policy have been applied and it's working fine.

What am I trying to achieve?
Set up the UTM in such a way that I'm able to block all websites that are not in the whitelist for selected users or groups, and give certain users or groups unrestricted access to the internet using a policy or similar.

So I need your expert advice and options.

Many thanks in advance
Danbrasco
1 Solution
Praveen Kumar Bonala (Programmer Analyst) commented:
If you have a limited website list to give end users access to, you can go with your plan,
but if that whitelist keeps growing it could be a headache for you...
Don S. commented:
The key here is to correctly identify the user. I don't know that the FortiGate will integrate with the 2000 DC to provide user authentication, so that is a problem. Alternatively, you could set up local users in the FortiGate and have everyone authenticate to the FortiGate every time they start a web browser session (I know, not good). You also might be able to set up RADIUS authentication in the FortiGate, but that only resolves the pain of having to enter all the users into the FortiGate locally; the user would still be prompted to enter credentials to browse. Another solution would be to set up a separate proxy machine that does the website filtering independently of the FortiGate, but that adds a lot more complexity to the mix and in my experience is not worth it.
Danbrasco (Author) commented:
Hi,

Praveen, the email whitelist rarely changes and has been the same for some time, so I don't think it will be a problem.

dons6718, I understand the limitation posed by the current setup. To keep it simple, I'm trying to avoid a RADIUS or proxy server. If FSSO is not possible, what about using just LDAP to get the users, computers and groups list and implementing restriction policies on those objects?
I'm open to advice and opinions.

Thanks in advance
Praveen Kumar Bonala (Programmer Analyst) commented:
In that case it could be OK.
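Added example (not from this thread, nor from Fortinet documentation) of how the LDAP-group plus whitelist idea discussed above could be expressed in FortiOS 5.2 CLI. It assumes an LDAP server object named "AD-LDAP" is already defined and pointed at the Windows 2000 DC; the group DN, allowed site, policy number and interface names are placeholders. Without FSSO the policy still prompts users to authenticate (Don S.'s point), and the final "*" entry with action block is what turns the URL filter into a whitelist rather than a blocklist.

```fortios
# Added example; "AD-LDAP", the group DN, site and interfaces are placeholders.
config user group
    edit "web-restricted"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "cn=Web-Restricted,ou=Groups,dc=example,dc=local"
            next
        end
    next
end
config webfilter urlfilter
    edit 1
        set name "whitelist"
        config entries
            edit 1
                set url "intranet.example.local"
                set action allow
            next
            edit 99
                set url "*"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "whitelist-only"
        config web
            set urlfilter-table 1
        end
    next
end
config firewall policy
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "web-restricted"
        set utm-status enable
        set webfilter-profile "whitelist-only"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

Users who are not in the restricted group fall through to the existing policy, which carries no web filter profile and so stays unrestricted; add `set nat enable` to policy 11 if the existing internet policy uses NAT.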