Configuring the FSSO Collector agent for Windows AD

4 Replies

Configuring FSSO ports

For FSSO to function properly a small number of TCP and UDP ports must be open through all firewalls on the network. There ports listed in this section assume the default FSSO ports are used.

 

TCP ports for FSSO agent with client computers

Windows AD records when users log on but not when they log off. For best performance, Fortinet Single Sign On Agent monitors when users log off. To do this, Fortinet Single Sign On Agent needs read-only access to each client computer’s registry over TCP port 139 or 445. Open at least one of these ports — ensure it is not blocked by firewalls.

If it is not feasible or acceptable to open TCP port 139 or 445, you can turn off Fortinet Single Sign On Agent logoff detection. To do this, set the Collector agent workstation verify interval to 0. The FSSO Collector Agent assumes that the logged on computer remains logged on for the duration of the Collector agent dead entry timeout interval — by default this is eight hours.

 

Configuring ports on the Collector agent computer

On the computer where you install the Collector agent, you must make sure that the firewall does not block the listening ports for the FortiGate unit and the DC Agent. By default, these are TCP port 8000 and UDP port 8002.

For more information about setting these ports, see Configuring FSSO Advanced Settings on page 581.

 

Configuring alternate user IP address tracking

In environments where user IP addresses change frequently, you can configure Fortinet Single Sign On Agent to use an alternate method to track user IP address changes. Using this method, Fortinet Single Sign On Agent responds more quickly to user IP address changes because it directly queries workstation IP addresses to match users and IP addresses.

This feature requires FSAE version 3.5.27 or later, Fortinet Single Sign On Agent any version, and FortiOS 3.0 MR7 or later.

To configure alternate user IP address tracking:

1. On the computer where the Collector agent is installed, go to Start > Run.

2. Enter regedit or regedt32 and select OK.

The Registry Editor opens.

3. Find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent.

4. Set the supportFSAEauth value (dword) to 00000001.

If needed, create this new dword.

5. Close the Registry Editor.

6. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet

Single Sign On Agent.

7. Select Apply.

The Fortinet Single Sign On Agent service restarts with the updated registry settings.

 

Viewing FSSO component status

It is important to know the status of both your Collector agents and DC agents.

 

Viewing Collector agent status

Use the Show Service Status to view your Collector agent information in the Status window. The Status window displays:

  • the version of the software
  • the status of the service
  • the number of connected FortiGate units
  • connected FortiGate information such as serial number, IP address, and connect time

 

To view Collector agent status:

1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet

Single Sign On Agent.

2. In the Common Tasks section, select Show Service Status.

The Fortinet Single Sign On Collector agent Status window opens.

3. Optionally select Get NTLM statistics in the Status window to display NTLM information such as number of messages received, processed, failed, in the queue.

Pages: 1 2 3 4 5 6 7
This entry was posted in FortiOS 5.4 Handbook and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Configuring the FSSO Collector agent for Windows AD

  1. Khan

    hello,
    the domain controller on which fsso agent is installed could be in any vlan forexample, fortigate firewall is vlan 60 and DC on which agent is installed in vlan 50 and intervlan routing is enables we can ping the firewall from the domain controller but in this setup of different vlan the fsso agent should work with fortigate without any problem because there is L3 communication between them. i have issue the collector agent doesn’t track the domain logon users and ipv4 policy in fortigate based on fsso agent groups is not working and i cant keep both agent and firewall in same vlan they are in different vlans but this shouldnt be an issue. please advise as i am tired of debugging and fortigate TAC is also not taking this issue serious. if anyone could help please…
    Regards

    Reply
  2. Lee

    Hi Khan

    FGT connect to FFSO agent via TCP port 8000 by default. As long as you allow traffic from vlan60 to vlan 50 with this port, the communication should be established

    You can verify server status via CLI commands

    FGT-VM-ESX-Router # diagnose debug enable
    FGT-VM-ESX-Router # diagnose debug authd fsso server-status
    FGT-VM-ESX-Router #
    Server Name Connection Status Version
    ———– —————– ——-
    FSSO connected FSAE server 1.1

    Hth

    Lee

    Reply
  3. Nuno

    Hi,

    I´m having this issue, on my fortigate de SSO Server is disconnected and on FSSO Agent there are 0 fortigate connected. I already configured the LDAP Server and it´s working . Does anyone have any idea?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.