Configure FortiClient Telemetry connections with AD user groups
When FortiClient Telemetry connects to FortiGate/EMS, the user’s AD domain name and group are both sent to FortiGate/EMS. Administrators may configure the FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group. The following steps are discussed in more detail:
- Configure users and groups on AD servers
- Configure FortiAuthenticator
- Configure FortiGate/EMS
- Connect FortiClient Telemetry to FortiGate/EMS
- Monitor FortiClient connections
Configure users and groups on AD servers
Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.
Configure FortiAuthenticator
Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
Configure FortiGate/EMS
FortiGate
Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):
- Go to User & Device > Single Sign-On.
- Select Create New in the toolbar. The New Single Sign-On Server window opens.
- In the Type field, select Fortinet Single Sign-On Agent.
- Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
- Select OK to save the agent configuration.
Create a user group:
- Go to User & Device > User Groups.
- Select Create New in the toolbar. The New User Group window opens.
- In the Type field, select Fortinet Single Sign-On (FSSO).
- Select members from the drop-down list.
- Select OK to save the group configuration.
Configure the FortiClient profile:
- Go to Security Profiles > FortiClient Profiles.
- Select Create New in the toolbar. The New FortiClient Profile window opens.
- Enter a profile name and optional comments.
- In the Assign Profile To drop-down list, select the FSSO user group(s).
- Configure the FortiClient settings as required.
- Select OK to save the new FortiClient profile.
Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who connect successfully, but have no matching FortiClient profile.
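The three FortiGate procedures above (FSSO agent, FSSO user group, FortiClient profile) expressed in the FortiOS CLI, as an added example that is not part of the original guide. The object names, the collector address 10.0.0.20, the password placeholder and the group DNs are constructed; the keywords are those of the FortiOS 5.x CLI (user fsso, user group, endpoint-control profile) and are assumed to match the firmware in use.

```text
# FSSO agent: FortiAuthenticator acting as the FSSO collector
# (address and password are constructed placeholders)
config user fsso
    edit "fac-fsso"
        set server "10.0.0.20"
        set password "<FSSO-agent-password>"
    next
end

# FSSO user groups: each member is an AD group DN as reported by
# the collector; the endpoint's logged-in user is matched against these
config user group
    edit "AD-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
    edit "AD-Engineering"
        set group-type fsso-service
        set member "CN=Engineering,OU=Groups,DC=example,DC=com"
    next
end

# FortiClient profiles: "Assign Profile To" in the GUI is user-groups here.
# Users who connect but match none of these fall back to the built-in
# "default" profile, so keep that one at the most restrictive setting.
config endpoint-control profile
    edit "finance-strict"
        set user-groups "AD-Finance"
    next
    edit "engineering-dev"
        set user-groups "AD-Engineering"
    next
end
```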
Configure the firewall policy:
Configure the firewall policy as described in Configure firewall policies on page 35. Ensure that Compliant with FortiClient Profile is selected in the policy.
EMS
Add a new domain:
- Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
- Enter the domain information as required.
- Select Test to confirm functionality, then, if successful, select Save to add the domain.
The domain’s organizational units (OUs) will automatically be populated in the Domains section under the Endpoints heading. For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.
Connect FortiClient Telemetry to FortiGate/EMS
The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.
Following this, FortiClient endpoint connections will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.