Configuring the FSSO Collector agent for Windows AD

Configuring the FSSO Collector agent for Windows AD

On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.

Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units.

To avoid this problem, you can configure the Fortinet Single Sign On Collector agent to send logon information only for groups named in the FortiGate unit’s security policies. See Configuring FortiGate group filters on page 574.

 

On each server with a Collector agent, you will be

  • Configuring Windows AD server user groups
  • Configuring Collector agent settings, including the domain controllers to be monitored
  • Selecting Domain Controllers and working mode for monitoring
  • Configuring Directory Access settings
  • Configuring the Ignore User List
  • Configuring FortiGate group filters for each FortiGate unit
  • Configuring FSSO ports
  • Configuring alternate user IP address tracking
  • Viewing FSSO component status

 

Configuring Windows AD server user groups

FortiGate units control network resource access at the group level. All members of a user group have the same network access as defined in FortiGate security policies.

You can use existing Windows AD user groups for authentication to FortiGate units if you intend that all members within each group have the same network access privileges.

Otherwise, you need to create new user groups for this purpose.

If you change a user’s group membership, the change does not take effect until the user logs off and then logs on again.

The FSSO Agent sends only Domain Local Security Group and Global Security Group information to FortiGate units. You cannot use Distribution group types for FortiGate access. No information is sent for empty groups.

Refer to Microsoft documentation for information about creating and managing Windows AD user groups.

 

Configuring Collector agent settings

You need to configure which domain controllers the Collector agent will use and which domains to monitor for user logons. You can also alter default settings and settings you made during installation. These tasks are accomplished by configuring the FSSO Collector Agent, and selecting either Apply to enable the changes. At any time to refresh the FSSO Agent settings, select Apply.

This entry was posted in FortiOS 5.4 Handbook and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Configuring the FSSO Collector agent for Windows AD

  1. Khan

    hello,
    the domain controller on which fsso agent is installed could be in any vlan forexample, fortigate firewall is vlan 60 and DC on which agent is installed in vlan 50 and intervlan routing is enables we can ping the firewall from the domain controller but in this setup of different vlan the fsso agent should work with fortigate without any problem because there is L3 communication between them. i have issue the collector agent doesn’t track the domain logon users and ipv4 policy in fortigate based on fsso agent groups is not working and i cant keep both agent and firewall in same vlan they are in different vlans but this shouldnt be an issue. please advise as i am tired of debugging and fortigate TAC is also not taking this issue serious. if anyone could help please…
    Regards

    Reply
  2. Lee

    Hi Khan

    FGT connect to FFSO agent via TCP port 8000 by default. As long as you allow traffic from vlan60 to vlan 50 with this port, the communication should be established

    You can verify server status via CLI commands

    FGT-VM-ESX-Router # diagnose debug enable
    FGT-VM-ESX-Router # diagnose debug authd fsso server-status
    FGT-VM-ESX-Router #
    Server Name Connection Status Version
    ———– —————– ——-
    FSSO connected FSAE server 1.1

    Hth

    Lee

    Reply
  3. Nuno

    Hi,

    I´m having this issue, on my fortigate de SSO Server is disconnected and on FSSO Agent there are 0 fortigate connected. I already configured the LDAP Server and it´s working . Does anyone have any idea?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.