FortiOS and FSSO CA
In this scenario, the AD server communicates with a Windows machine that has FSSO CA installed, which in turn communicates with a FortiGate. This scenario is recommended for a large AD environment.
The advantage of this scenario is that the FSSO CA machine uses its own resources to collect login events and to monitor workstations for user logouts. This scenario supports TS, Citrix, RADIUS accounting, NTLM, and multiple domain environments. The disadvantage is that in very large workstation environments, or in environments with significant latency, querying workstations may take too long, which can delay logon collection and logoff detection.
For AD environments, it is recommended to preconfigure the filter on the CA server. This reduces the amount of data exchanged between the FortiGate and the CA server. It is not recommended to mix filters configured on the CA side with filters configured on the FortiGate.
The CA server should have sufficient resources (memory and CPU) to accommodate user logins and workstation monitoring. For login events, the resources required depend on the name, size, and number of monitoring groups. For workstation monitoring, they also depend on the workstations' response latency and on the specifics of the network environment.
To increase performance in an environment where bursts of login events are expected to be frequent (more than 1500 users at the same time), enable the logon cache. The CA then queries its own cache to find the user's group membership instead of querying the AD server.
Disable workstation monitoring in environments with large numbers of active users. When workstation monitoring is enabled, the CA server queries each workstation to check whether the user is still logged in. Depending on the number of workstations and their latency, the CA server may be delayed in obtaining user logoffs. Depending on company policy, these delays may be long enough to render logoff detection useless, in which case it is more efficient to disable workstation monitoring.