FortiAuthenticator support (CA server access)
This scenario is identical to FortiManager configured with access to FSSO CA, except that FortiAuthenticator provides additional security. In this scenario, FortiManager obtains information from FortiAuthenticator with FSSO CA, then pushes it to the managed FortiGates. The AD server communicates to the FortiAuthenticator with FSSO CA. The AD server is accessible from FortiManager.
This mode is recommended for environments where FortiManager is located physically near the CA server (and LDAP server if advanced mode is used) and latency is low.
When using this setup, it is recommended to position the FortiGate physically close to the CA server (and LDAP server when advanced mode is used) so latency is low.
FortiAuthenticator manages the connection to the LDAP server to define the FSSO groups. The FSSO groups are then filtered to the FortiGate. When using FortiAuthenticator for FSSO, the FortiGate or FortiManager is never configured to directly connect to the LDAP server to define the FSSO groups.
When there is no access to the LDAP server, if using advanced mode, configure the FSSO group filter on the CA server, or use standard mode, which does not require LDAP access.