Agent-based FSSO

Agent installation

After reading the appropriate sections of Introduction to agent-based FSSO on page 142 to determine which FSSO agents you need, you can proceed to perform the necessary installations.

Ensure you have administrative rights on the servers where you are installing FSSO agents. It is best practice to install FSSO agents using the built-in local administrator account. Optionally, you can install FSSO without an admin account. See Installing FSSO without using an administrator account on page 153.

In Windows 2008 by default, you do not have administrative user rights if you are logged on as a user other than the built-in administrator, even if you were added to the local Administrators group on the computer.

The FSSO installer first installs the Collector agent. You can then continue with installation of the DC agent, or you can install it later by going to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent. The installer will install a DC agent on the domain controllers of all of the trusted domains in your network.

Each domain controller connection needs a minimum guaranteed 64 kbps of bandwidth to ensure proper FSSO functionality. Traffic shapers configured on the FortiGate can help guarantee these minimum bandwidths.

Collector agent installation

To install FSSO, you must obtain the FSSO_Setup file from the Fortinet Support web site. This is available as either an executable (.exe) or a Microsoft Installer (.msi) file. Then you follow these two installation procedures on the server that will run the Collector agent. This can be any server or domain controller that is part of your network. These procedures also install the DC Agent on all of the domain controllers in your network.

To install the Collector agent:

  1. Create an account with administrator privileges and a password that does not expire. See Microsoft Advanced Server documentation for help with this task.

To use a non-admin read-only account, see Installing FSSO without using an administrator account on page 153.

  2. Log on to the account that you created in Step 1.
  3. Double-click the .exe file.

The Fortinet SSO Collector Agent Setup Wizard starts.

  4. Select Next.
  5. Read and accept the license agreement. Select Next.
  6. Optionally, you can change the installation location. Select Next.
  7. Optionally, change the User Name.

By default, the agent is installed using the currently running account. If you want FSSO to use another existing admin account, change the User Name using the format DomainName\UserName. For example, if the account is jsmith and the domain is example_corp, you would enter example_corp\jsmith.

  8. In the Password field, enter the password for the account listed in the User Name field.
  9. Select Next.
  10. Enable as needed:

  - Monitor user logon events and send the information to the FortiGate unit
  - Serve NTLM authentication requests coming from FortiGate

By default, both methods are enabled. You can change these options after installation.

  11. Select the access method to use for Windows Directory:

  - Select Standard to use Windows domain and username credentials.
  - Select Advanced if you will set up LDAP access to Windows Directory.

See Collector agent AD Access mode – Standard versus Advanced on page 146.

  12. Select Next and then select Install.

If you want to use DC Agent mode, ensure that Launch DC Agent Install Wizard is selected. This will start DC agent installation immediately after you select Finish.

  13. Select Finish.

If you see an error such as Service Fortinet Single Sign On agent (service_FSAE) failed to start, there are two possible reasons for this. Verify the user account you selected has sufficient privileges to run the FSSO service. Also verify the computer system you are attempting to install on is a supported operating system and version.
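When the service will not start, the following PowerShell check is a quick way to confirm the two points above. It is an added example, not code from the original page or from Fortinet: it reports the service's state and start account, tests whether that account is in the local Administrators group, and records the OS caption so you can compare it against the supported list. It assumes PowerShell 2.0 or later on the Collector server, run as a local administrator, and that the service name is service_FSAE as in the error text above; the function name is this example's own.

```powershell
# Added example (not from the original page or from Fortinet): post-install check for the
# FSSO Collector agent service. Assumes PowerShell 2.0+ and local administrator rights.
# The membership test uses the WinNT ADSI provider, so it only inspects the local
# Administrators group, which is the one the service account is expected to be in.

function Test-FssoCollectorService {
    param(
        [string]$ServiceName = 'service_FSAE'   # service name from the error text on this page
    )
    $problems = @()
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        $problems += "Service '$ServiceName' is not installed; the setup wizard did not complete."
        return New-Object PSObject -Property @{
            Installed = $false; Running = $false; Account = $null; OS = $null; Problems = $problems
        }
    }

    $account = $svc.StartName
    # Built-in accounts need no group check; only a named domain or local account is verified
    if ($account -and $account -ne 'LocalSystem' -and $account -notlike 'NT AUTHORITY\*') {
        $parts = $account -split '\\', 2
        if ($parts.Count -eq 2) { $domain = $parts[0]; $user = $parts[1] }
        else                    { $domain = '.';       $user = $parts[0] }
        if ($domain -eq '.') { $domain = $env:COMPUTERNAME }
        $admins  = [ADSI]'WinNT://./Administrators,group'
        $isAdmin = [bool]$admins.psbase.Invoke('IsMember', "WinNT://$domain/$user,user")
        if (-not $isAdmin) {
            $problems += "Service account '$account' is not a member of the local Administrators group."
        }
    }

    if ($svc.State -ne 'Running') {
        $problems += "Service state is '$($svc.State)' (start mode '$($svc.StartMode)')."
    }

    # OS caption for comparison with the supported operating systems list
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return New-Object PSObject -Property @{
        Installed = $true
        Running   = ($svc.State -eq 'Running')
        Account   = $account
        OS        = $os.Caption
        Problems  = $problems
    }
}

# Usage: Test-FssoCollectorService | Format-List
```

An empty Problems list with Running set to True means the two causes named above have been ruled out; otherwise the Problems entries point at which one applies.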

DC agent installation

The FSSO_Setup file contains both the Collector agent and DC Agent installers, but the DC Agent installer is also available separately as either a .exe or .msi file named DCAgent_Setup.

To install the DC Agent

  1. If you have just installed the Collector agent, the FSSO – Install DC Agent wizard starts automatically. Otherwise, go to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent.
  2. Select Next.
  3. Read and accept the license agreement. Select Next.
  4. Optionally, you can change the installation location. Select Next.
  5. Enter the Collector agent IP address.
  6. If the Collector agent computer has multiple network interfaces, ensure that the one that is listed is on your network. The listed Collector agent listening port is the default. Only change this if the port is already used by another service.
  7. Select Next.
  8. Select the domains to monitor and select Next.
  9. If any of your required domains are not listed, cancel the wizard and set up the proper trusted relationship with the domain controller. Then run the wizard again by going to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent.
  10. Optionally, select users that you do not want monitored. These users will not be able to authenticate to FortiGate units using FSSO. You can also do this later. See Configuring the FSSO Collector agent for Windows AD on page 156.
  11. Select Next.
  12. Optionally, clear the check boxes of domain controllers on which you do not want to install the DC Agent.
  13. Select the Working Mode as DC Agent Mode. While you can select Polling Mode here, in that situation you would not be installing a DC Agent. For more information, see DC Agent mode on page 145 and Polling mode on page 146.
  14. Select Next.
  15. Select Yes when the wizard requests that you reboot the computer.

If you want to create a redundant configuration, repeat the Collector agent installation procedure on at least one other Windows AD server.

When you start to install a second Collector agent, cancel the Install DC Agent wizard dialog when it appears the second time. From the configuration GUI, the monitored domain controller list will show your domain controllers un-selected. Select the ones you wish to monitor with this Collector agent, and select Apply.

Before you can use FSSO, you need to configure it on both Windows AD and on the FortiGate units. Configuring FSSO on FortiGate units on page 175 will help you accomplish these two tasks.

Installing FSSO without using an administrator account

Normally when installing services in Windows, it is best to use the Domain Admin account, as stated earlier. This ensures installation goes smoothly and uninterrupted, and when using the FSSO agent there will be no permissions issues. However, it is possible to install FSSO with a non-admin account in Windows 2003 or 2008 AD.

Windows 2003

There are two methods in Windows 2003 AD for installing FSSO without an admin account: add the non-admin user to the security log list, or use a non-admin account with read-only permissions. A problem with the first method is that full rights (read, write, and clear) are granted to the event log. This can be a problem when audits require limited or no write access to logs. In those situations, the non-admin account with read-only permissions is the solution.

To add the non-admin user account to the Windows 2003 security log list:

  1. Go to Default Domain Controller Security Settings > Security Settings > User Rights Assignment > Manage auditing and security log.
  2. Add the user account to this list.
  3. Repeat these steps on every domain controller in Windows 2003 AD. A reboot is required.

To use a non-admin account with read-only permissions to install FSSO on Windows 2003:

The following procedure gives the specified user account read-only access to the Windows 2003 AD Domain Controller Security Event Log, which is enough for FSSO to function.

  1. Find out the SID of the account you intend to use.

Tools for this can be downloaded for free from http://technet.microsoft.com/en-us/sysinternals/bb897417.

  2. Create the permission string. For example:

(A;;0x1;;;S-1-5-21-4136056096-764329382-1249792191-1107)

  - A means Allow,
  - 0x1 means Read, and
  - S-1-5-21-4136056096-764329382-1249792191-1107 is the SID.

  3. Append it to the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD

  4. Repeat these steps on every domain controller in Windows 2003 AD. A reboot is required.

Windows 2008

In Windows 2008 AD, if you do not want to use the Domain Admin account then the user account that starts the FSSO agent needs to be added to the Event Log Readers group.

When the user is added to the Event Log Readers group, that user has read-only access to the event log, which is the minimum right required for FSSO to work.
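The two read-only procedures above (the CustomSD ACE on Windows 2003 and the Event Log Readers group on Windows 2008) can be applied and verified with the following PowerShell script. It is an added example, not code from the original page or from Fortinet. It assumes PowerShell 2.0 or later in an elevated session on each domain controller and an account given as DOMAIN\user; the function names and the placeholder account in the usage line are this example's own. The ACE string it builds has the same shape as the page's example, with the SID resolved from the account name instead of looked up by hand. The reboot the page calls for is not performed by the script.

```powershell
# Added example (not from the original page or from Fortinet): grant the FSSO service
# account read-only access to the Security event log on a domain controller.
# Assumes PowerShell 2.0+ in an elevated session; account given as DOMAIN\user.
# Windows 2003: append an ACE to CustomSD. Windows 2008: add to Event Log Readers.

$CustomSdKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

function Get-AccountSid {
    param([string]$Account)   # DOMAIN\user
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-ReadAce {
    param([string]$Sid)
    # Same shape as the page's example: A = Allow, 0x1 = Read, then the SID
    return "(A;;0x1;;;$Sid)"
}

function Grant-SecurityLogRead2003 {
    param([string]$Account)
    $ace  = New-ReadAce (Get-AccountSid $Account)
    $item = Get-ItemProperty -Path $CustomSdKey -Name CustomSD -ErrorAction SilentlyContinue
    if (-not $item) {
        # Writing "(A;;0x1;;;SID)" as the whole descriptor would lock everyone else out of
        # the log, so refuse rather than invent the rest of the SDDL string.
        throw 'CustomSD is not present on this DC; supply the full SDDL before appending an ACE.'
    }
    $current = $item.CustomSD
    if ($current -like "*$ace*") { return $current }   # already granted; nothing to change
    $new = $current + $ace
    # Parse the result before writing it; an invalid SDDL here breaks event log access
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)
    Set-ItemProperty -Path $CustomSdKey -Name CustomSD -Value $new
    return (Get-ItemProperty -Path $CustomSdKey -Name CustomSD).CustomSD
}

function Grant-SecurityLogRead2008 {
    param([string]$Account)
    $domain, $user = $Account -split '\\', 2
    # On a DC the WinNT "local" groups are the domain's Builtin groups
    $group = [ADSI]'WinNT://./Event Log Readers,group'
    $path  = "WinNT://$domain/$user,user"
    if (-not [bool]$group.psbase.Invoke('IsMember', $path)) {
        $group.psbase.Invoke('Add', $path)
    }
    return [bool]$group.psbase.Invoke('IsMember', $path)   # verify the membership took effect
}

function Grant-FssoSecurityLogRead {
    param([string]$Account)
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $major = [int]$os.Version.Split('.')[0]   # 5 = Windows 2003, 6 = Windows 2008
    if ($major -ge 6) { return Grant-SecurityLogRead2008 -Account $Account }
    return Grant-SecurityLogRead2003 -Account $Account
}

# Usage (placeholder account name): Grant-FssoSecurityLogRead -Account 'EXAMPLE\fsso-svc'
```

On Windows 2003 the function returns the descriptor as read back from the registry, so the appended ACE can be confirmed before the reboot; on Windows 2008 it returns True only after the group membership is visible. The refusal to create CustomSD from scratch is deliberate: a descriptor containing only the new Allow entry would remove access for the built-in accounts that the default descriptor grants.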

Citrix TS agent installation

To install the Citrix TS agent, you must obtain the TSAgent_Setup file from the Fortinet Support web site.

Perform the following installation procedure on the Citrix server.

To install the FSSO TS agent:

  1. On the Citrix server, create an account with administrator privileges and a password that does not expire. See Citrix documentation for more information.
  2. Log on to the account that you created in step 1.
  3. Double-click the TSAgent_Setup installation file.

The Fortinet SSO Terminal Server Agent Setup Wizard starts.

  4. Select Next.
  5. Read and accept the license agreement. Select Next.
  6. Optionally, you can change the installation location. Select Next.
  7. Verify that This Host IP Address is correct.
  8. In the FSSO Collector Agent List, enter the IP address(es) of your Collector Agents.
  9. Select Next and then select Install. The TS agent is installed.
  10. Select Finish.

Novell eDirectory agent installation

To install the eDirectory agent, you must obtain the FSSO_Setup_eDirectory file from the Fortinet Support web site. Perform the following installation procedure on the computer that will run the eDirectory agent. This can be any server or domain controller that is part of your network. You will need to provide some setup information.

To install the FSSO eDirectory agent:

  1. Create an account with administrator privileges and a password that does not expire. See Novell documentation for more information.
  2. Log on to the account that you created in step 1.
  3. Double-click the FSSO_Setup_edirectory file to start the installation wizard.
  4. Select Next.
  5. Read and accept the license agreement. Select Next.
  6. Optionally, change the installation location. Select Next.
  7. Enter the following settings:

eDirectory Server
  Server Address: Enter the IP address of the eDirectory server.
  Use secure connection (SSL): Select to connect to the eDirectory server using SSL security.
  Search Base DN: Enter the base Distinguished Name for the user search.

eDirectory Authentication
  Username: Enter a username that has access to the eDirectory, using LDAP format.
  User password: Enter the password.

  8. Select Next.
  9. Select Install. When the installation completes, select Finish.

Updating FSSO agents on Windows AD

After FSSO is installed on your network, you may want to upgrade to a newer version. The following procedure helps ensure you have a trouble-free upgrade. How you update FSSO depends on whether you are using polling mode or DC Agent mode.

For polling mode, since there are no DC agents, you only need to upgrade the Collector. However, in DC Agent mode, each DC Agent must be updated as well.


To update FSSO in DC Agent mode:

  1. Go to the system32 directory on all DCs and rename the dll file to dcagent.dll.old.

This ensures that when the upgrade is pushed to the DC it does not overwrite the old file. If there are any problems, this makes it easy to revert to the old version.

  2. Run the FSSO setup .exe file to update the Collector. When this is completed, ignore any reboot message.
  3. Go to Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent and push the DC agent out to all servers. All DCs will now need to be rebooted so that the new DLL file is loaded.
  4. After the reboot, go to all DCs and delete the dll.old files.
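The rename step at the start of this procedure and the cleanup step at the end have to be repeated on every domain controller, which is where mistakes creep in on larger domains. The following PowerShell script is an added example, not code from the original page or from Fortinet, that performs those two steps across all DCs over their ADMIN$ shares and refuses to delete a backup until the new DLL is in place and the DC has rebooted since it was written. It assumes the DC Agent file is named dcagent.dll in System32 (as the .old name above implies), that the account running it can reach each DC's ADMIN$ share and WMI, and PowerShell 2.0 or later; the function names are this example's own. Pushing the new agent and rebooting the DCs are still done as the procedure describes.

```powershell
# Added example (not from the original page or from Fortinet): automate the backup and
# cleanup steps of the DC Agent update procedure across every domain controller.
# Assumes dcagent.dll lives in System32, ADMIN$ and WMI access to each DC, PowerShell 2.0+.

function Get-DomainControllerNames {
    # Pure .NET; does not require the ActiveDirectory module
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    return @($domain.DomainControllers | ForEach-Object { $_.Name })
}

function Get-DcAgentPath {
    param([string]$Dc)
    return "\\$Dc\admin$\System32\dcagent.dll"   # ADMIN$ maps to %SystemRoot%
}

# Step 1: rename dcagent.dll to dcagent.dll.old so the pushed upgrade cannot overwrite it
function Backup-DcAgentDll {
    param([string[]]$DomainControllers = (Get-DomainControllerNames))
    $results = @{}
    foreach ($dc in $DomainControllers) {
        $dll = Get-DcAgentPath $dc
        if (-not (Test-Path $dll))    { $results[$dc] = 'no dcagent.dll found'; continue }
        if (Test-Path "$dll.old")     { $results[$dc] = 'backup already exists, left untouched'; continue }
        Rename-Item -Path $dll -NewName 'dcagent.dll.old' -ErrorAction Stop
        $results[$dc] = 'renamed to dcagent.dll.old'
    }
    return $results
}

# Step 4: delete the .old files, but only where the new DLL is present and the DC has
# rebooted since it was installed, so the rollback copy stays until the upgrade is live
function Remove-DcAgentBackup {
    param([string[]]$DomainControllers = (Get-DomainControllerNames))
    $results = @{}
    foreach ($dc in $DomainControllers) {
        $dll = Get-DcAgentPath $dc
        $old = "$dll.old"
        if (-not (Test-Path $old)) { $results[$dc] = 'no backup to remove'; continue }
        if (-not (Test-Path $dll)) { $results[$dc] = 'new dcagent.dll missing, keeping backup'; continue }
        $os       = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc
        $lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
        # CreationTime reflects when the new file was written to this volume, even if the
        # installer preserved the build's LastWriteTime
        if ((Get-Item $dll).CreationTime -gt $lastBoot) {
            $results[$dc] = 'not rebooted since update, keeping backup'; continue
        }
        Remove-Item -Path $old -ErrorAction Stop
        $results[$dc] = 'backup removed'
    }
    return $results
}

# Usage: Backup-DcAgentDll before running the setup; Remove-DcAgentBackup after all DCs reboot.
# Both return a per-DC hashtable of what was done, so a DC that was skipped is visible.
```

Running Remove-DcAgentBackup before a DC has rebooted simply reports "keeping backup" for that DC; rerun it once the reboot is done and the entry changes to "backup removed".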

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Agent-based FSSO”

  1. Stewart Myles

    Thanks, I find your site useful. I have followed these instructions and we have an issue where users are not detected by the Fortinet agent if they move from wireless to LAN and vice versa; also, if users come out of sleep mode they won’t have any internet. Any ideas where to look?

