Below is a guide i wrote about 2 months ago when trying to integrate the Fortigate Firewall with my domain controller in order to allow me to restrict access based upon their active directory username using Organisational units etc. The ISP I used to work with to manage the fortigate firewall was Zen Internet based in Manchester, UK who are a very good ISP indeed. You can ignore the references to Zen in the guide (if there are any) and replace them with yourself/your own ISP when it comes to making changes on the firewall side.
Guide to installing Fortinet FSAE Agent on Servers:
1. Download the FSAE Agent onto the server http://bsu.zensupport.co.uk/private/cust-pckiuj/FSAE_Setup_3.0.014.exe
2. Install the FSAE Agent as normal
3. When asked for the password associated with “./Administrator” – use the password of Administrator on the server.
4. If not automatic, ensure that “Install DC Agent” has been executed (Program is in “Start -> Programs -> Forti…”.
5. Reboot the server.
6. Go to Services.msc from “Start -> Run -> Services.msc” and ensure that the “Fortinet…” service is started. If it is failing to start and giving an error message to do with invalid password, double click the service, and go to the “Logon” tab. Then choose to log on as “Local System Account“.
7. Once the service is running, the FSAE Agent is now talking to the Fortinet firewall.
8. Open up active directory users and groups and go to Security Groups, e.g. “DOMAIN.local -> MyBusiness -> Security Groups“.
9. In security groups, create 2 groups – “InternetAccessAllowed” and “InternetAccessDenied“.
10. Double click the “InternetAccessAllowed” group you just created, and go to the “Members” tab – then add all users you want to have internet access allowed to. It is best practice also to allow users such as “sage200” and other pre-made users such as those for applications access for automatic updates etc.
11. Do the same for “InternetAccessDenied“.
12. Open up the FSAE Agent by going to “Start -> All Programs -> Fortinet… -> Configure FSAE“.
13. Click on “Fortigate Group Filter” and click “Add”. Then check the box at the top called “Default Filter”. Then add the 2 groups, for example “DOMAIN/InternetAccessAllowed” and press the add button. Then click OK and OK Again.
14. Ring ISP and ask them to configure it from their end. Allow internet access to “InternetAccessAllowed” and deny internet access to “InternetAccessDenied”.