Oct 08 2009

Configuring FSAE for Active Directory Access Control

Fortinet UTM devices let IT and security teams manage and monitor network access from inside the network.

Security at the edge of the network is typically geared toward guarding against external threats. But Fortinet’s latest generation of unified threat management (UTM) devices also provide tools for managing and monitoring network access from inside the network. Understanding how to make use of these tools can reap savings for your organization, make the network administrator’s job easier and improve your network’s overall security posture.

What FSAE Can Do

A key feature of Fortinet’s FortiGuard line of UTM appliances is its web filtering and network directory services integration. What follows are some best practices for installing and configuring the FortiGate Server Authentication Extension (FSAE) directory services integration tools on an Active Directory domain controller to enable network administrators to monitor and control employee access to Internet sites and services.

Planning the FSAE Install

FortiGate uses a server-based agent to pass directory logins and authentication information to the FortiGate unit. FSAE is a free download from the FortiGate support website. FSAE supports both Microsoft Active Directory and Novell eDirectory. FSAE has two components: a Monitoring Agent that you install on each directory controller and a Collector Agent that passes login and authentication information to the FortiGate unit.

In February 2009, Fortinet released Version 4.0 of the FortiOS operating system that runs on FortiGate and the company’s other products. This piece relies on Version 3.2 Management Release 7, Patch 6, which is still in use at many organizations. The FortiGate portion of the setup is essentially the same in the newest version.

The latest version of FSAE is 3.5.041 and is compatible with FortiOS 4.0.2 and earlier releases. It is recommended that you use this release of FSAE so that a later migration to FortiOS 4.0 goes smoothly. The FSAE installer is available from the FTP servers at support.fortinet.com, under the directory tree for the FortiGate OS versions.

The FSAE directory agent must be installed on each domain or directory controller. Although current technical documentation on installing and configuring FSAE from Fortinet does not mention Microsoft Windows Server 2008, the current build of FSAE is compatible with Server 2008 in both 32- and 64-bit versions. For this article, the tests of FSAE were conducted on a mixed network with a Server 2003 primary Flexible Single Master Operation role holder and a Server 2008 DC.

FSAE monitors only user groups that are in Domain Local and Global Security Groups. It will not monitor logins from users in organizational units or distribution groups. According to Fortinet Technical Assistance Center Engineer Vlad Kulik, it is recommended that you create Fortinet-specific security groups to make managing permissions and access profiles more flexible.
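Because FSAE only monitors Domain Local and Global security groups, it helps to check candidate groups before building the Collector Agent group filter. The following is an added example (not part of the article or of Fortinet's tooling) that decodes the Active Directory `groupType` bit field, whose flag values are documented by Microsoft, and reports which groups FSAE can monitor; the sample groups are constructed, not exported from a real directory.

```python
"""Classify AD groups by whether FSAE can monitor logins for their members.

FSAE monitors only Domain Local and Global *security* groups; distribution
groups (and OUs) are not monitored. Scope and category come from the AD
``groupType`` attribute, a signed 32-bit bit field.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Documented groupType flag bits
GLOBAL_GROUP = 0x00000002
DOMAIN_LOCAL_GROUP = 0x00000004
UNIVERSAL_GROUP = 0x00000008
SECURITY_ENABLED = 0x80000000


@dataclass(frozen=True)
class AdGroup:
    name: str
    group_type: int  # raw groupType as returned by LDAP (negative for security groups)


def decode_group_type(raw: int) -> Tuple[str, str]:
    """Return (scope, category) for a raw groupType value."""
    bits = raw & 0xFFFFFFFF  # AD returns a signed int32; recover the unsigned bit field
    if bits & GLOBAL_GROUP:
        scope = "Global"
    elif bits & DOMAIN_LOCAL_GROUP:
        scope = "Domain Local"
    elif bits & UNIVERSAL_GROUP:
        scope = "Universal"
    else:
        raise ValueError(f"groupType {raw:#x} has no scope bit set")
    category = "Security" if bits & SECURITY_ENABLED else "Distribution"
    return scope, category


def fsae_can_monitor(raw: int) -> bool:
    """True only for Domain Local and Global security groups."""
    scope, category = decode_group_type(raw)
    return category == "Security" and scope in ("Global", "Domain Local")


def select_group_filter(groups: Iterable[AdGroup]) -> List[str]:
    """Names that are valid candidates for the Collector Agent group filter."""
    return sorted(g.name for g in groups if fsae_can_monitor(g.group_type))


# Constructed sample data, not a real directory export.
SAMPLE_GROUPS = [
    AdGroup("FG-Web-Standard", -2147483646),      # 0x80000002: Global security
    AdGroup("FG-Web-Unrestricted", -2147483644),  # 0x80000004: Domain Local security
    AdGroup("FG-Universal-Admins", -2147483640),  # 0x80000008: Universal security (not monitored)
    AdGroup("All-Staff-Mail", 2),                 # Global distribution list (not monitored)
    AdGroup("Branch-Announcements", 8),           # Universal distribution list (not monitored)
]
```

Running `select_group_filter(SAMPLE_GROUPS)` returns only the two FG-Web groups, which is the set you would tick under Set Group Filters.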

Installing and Configuring FSAE on Domain Controller

The first installation step is to run and install the Collector Agent from FSAE_setup.exe. The Collector Agent can run on any PC or domain controller. When first installing FSAE, it will install the Collector Agent and will then automatically launch the installer for the AD Monitoring Agent. At the first stage of the install, check the Server option if you are installing both the Collector and Monitor Agents. Select Monitor to run the Monitor Agent install alone (for example, if you are installing on additional domain controllers). It’s best to run the Collector Agent on a domain controller, even though Fortinet says you can run it on another PC.

FSAE will install a service on the domain controller; you will be asked to provide an AD user name and password for this service during the install. By default, FSAE enables monitoring of both Lightweight Directory Access Protocol (LDAP) logins and NT LAN Manager (NTLM) authentication. It is recommended that you accept the defaults. Next, you will be asked to select the access method to use for AD. Select the Advanced option to set up LDAP access.

Figure 1.  Set AD Access Dialog

When the Collector Agent install is finished, the Monitoring Agent installer should kick in. Enter the Internet Protocol address of the Collector Agent PC if it is different than the AD controller on which you are installing the Monitoring Agent. Enter the trusted local domains and subnets, and complete the installation.

Once the software is installed on all the required boxes, run the Collector Agent Configuration application. Check the Require Authenticated Connection from FortiGate box and enter a password to allow FortiGate to communicate with the Collector Agent.

The next step is to set up group filtering on the Collector Agent. This will let you select which groups to monitor for logins. From the Collector Agent Configuration application, select Set Group Filters, and then Add. Use the default filter in a single FortiGate environment, and then select the Advanced button. This will display the AD tree. Place a check next to the groups you wish to monitor and authenticate.

Figure 2.  Set Collector Agent Group Filtering

Configure FSAE on FortiGate

Log in to FortiGate from the web user interface, navigate to users/remote/LDAP and choose Create New. Enter the name of an Active Directory Global Catalog server, its Fully Qualified Domain Name or IP address, and leave the default port as is. In most installations, the Common Name Identifier will be “cn.” The Distinguished Name field should be the LDAP DN of the domain; for example, dc=foo,dc=local. Leave the bind type set to Simple.

Figure 3. Remote LDAP Configuration

Next, go to the user/directory services screen and select Create New. Input the IP address of the computer on which the Collector Agent is running, leave the default port as is and enter the password you set for Require Authenticated Connection from FortiGate above.

Click OK and close. Wait a few seconds, and then click the refresh button next to the new listing. According to the FortiGate Technical Assistance Center, this can take a few minutes depending on the number of users. When FortiGate is receiving group information from the Collector Agent, a blue triangle will appear next to the server name. Click the triangle to view the domain tree that should now include the groups you set up in your Group Filter or the entire available domain tree if you did not set up filters.

Figure 4. Working LDAP Collector Service on the FortiGate

Last, we create user groups in the FortiGate unit from our AD monitoring. Go to user/user groups and select Create New. Give the group a name and, under Type, select Directory Service from the drop-down menu. The list of AD groups will appear; add the ones that belong in this FortiGate group. These groups can then be used in web access policies as well as for remote logins (for example, virtual private network authentication).

Configuring actual access policies — and the all-important overrides — is a subject for another tutorial. But it is important to keep in mind two pointers from Fortinet TAC engineer Kulik.

“Remember that permissions are determined by assigned protection profiles, so configure unique protection profiles for each group that should have a different set of permissions,” he says. Also, most organizations will want to configure a guest-access policy that gives non-domain-authenticated users limited access to the outside world.

One component of FortiGate’s marketing approach is to compare the cost of a FortiGate unit to a traditional hardware firewall/software content filter such as Websense. In the real world, FortiGate’s built-in web filtering is not nearly as granular as a standalone product such as Websense. But from a price-performance standpoint, FortiGate is sufficient for many organizations. By making use of directory services integration with FortiGate, savvy network administrators can realize much of the cost savings that FortiGate promises.