FortiManager configured without access to FSSO CA
This scenario is identical to FortiOS and FSSO CA except that it also includes FortiManager to manage the FortiGates. It is also similar to FortiManager configured with access to FSSO CA, except that here FortiManager cannot reach the CA server directly. This scenario is common in an MSSP environment where the FortiGate is located at the customer's site: the FortiGate has access to the AD server and the FSSO CA, while FortiManager does not. FortiManager communicates only with the FortiGate, which relays to the CA server on its behalf.
This mode is supported in FortiManager 5.4.3 and later versions.
In this scenario, if FortiManager can still access the LDAP server, it can configure a filter for advanced mode and push it to the FSSO CA server through the FortiGate. Where FortiManager has no access to the LDAP server and bandwidth is limited or latency is high, consider configuring the filter on the FSSO CA side instead. In both cases, FortiManager uses the FortiGate to retrieve the filter information from the CA server.
When using this setup, it is recommended to position the FortiGate physically close to the CA server to keep latency low.
Ensure that FortiManager can access the LDAP server when advanced mode is used, because FortiManager needs LDAP access to define FSSO groups. When FortiManager or the FortiGate does not have access to the LDAP server and advanced mode is required, configure the FSSO group filter on the CA server instead; alternatively, use standard mode, which does not require LDAP access.