FortiOS and FortiAuthenticator
In this scenario, FortiOS communicates to FortiAuthenticator, which has the FSSO CA installed, which in turn communicates to an AD server. This is recommended for a large AD environment.
The advantage of this scenario is the FortiAuthenticator FSSO collects login events and monitors workstations for user logouts. This supports DC agent/TS agent, syslog sources, RADIUS accounting, multiple domain environments, SAML SSO, and FortiClient Mobility agent (also known as FSSOMA). Citrix is supported when utilizing TS agent. NTLM is supported, but only for one domain. NTLM is optionally used by FortiAuthenticator to authenticate FSSOMA clients.
For environments with a large amount of users where precise user control is required, use FortiClient SSOMA and FortiAuthenticator to monitor user login/off events.