Solved

Fortigate 90D with windows active directory

Posted on 2015-02-05
4
57 Views
Last Modified: 2015-11-20
Hi all,

I have a FG-90D ( on FortiOS 5.2.2 )that i'm planning to install in the windows active directory environment ( DC is MS windows 2000 , i know due to upgrade but options are limited ) . All the interface config and static route and basic firwall policy has been applied and its working fine.

What i'm trying to achieve?
Setup the UTM in such a way that i'm able to block all the websites that is not in the whitelist for selected users or group. And give certain users or group unrestricted access to the internet using etc policy or etc.

So i need your expert advise and option.

Many thanks in advance
0
Comment
Question by:Danbrasco
  • 2
4 Comments
 
LVL 4

Expert Comment

by:Praveen Kumar Bonala
Comment Utility
If you have limited website list to provide to access to end user you can go with your plan,
but if that white list is growing it could be head ache for you...
0
 
LVL 18

Expert Comment

by:Don S.
Comment Utility
The key here is to correctly identify the user.  I don't know that the Fortigate will integrate with the 2000 DC to provide user authentication - so that is a problem.  Alternatively, You could setup local users in the fortigate and have everyone authenticate to the fortigate everytime they start a web browser session (I know, not good)  You also might be able to setup Radius authentication in the fortigate, but that only resolves the pain of having to enter all the users into the fortigate locally - the user would still be prompted to enter credentials to browse.  Other solutions would be to setup a separate proxy machine that does the website filtering independent of the fortigate - but that is adding a lot more complexity to the mix and in my experience is not worth it.
0
 

Author Comment

by:Danbrasco
Comment Utility
Hi,

Praveen, email whitelist rarely changes and its been same for sometime. so i don't think it will be problem.

dons6718, i understand the limitation posed by the current setup. To keep it simple, i'm trying to avoid radius or proxy server. If SSOF is not possible, what about using just the LDAP to get the users, computers and groups list and implement restriction policy on that these objects?
I'm open to advise and opinions.


Thanks in advance
0
 
LVL 4

Accepted Solution

by:
Praveen Kumar Bonala earned 500 total points
Comment Utility
In that case it could be ok..
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now