Agent-based FSSO

Configuring the FSSO Collector agent for Windows AD

On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On, this is also true but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD user groups get authenticated in the FortiGate security policy.

Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units.

To avoid this problem, you can configure the Fortinet Single Sign On Collector agent to send logon information only for groups named in the FortiGate unit’s security policies. See Configuring FortiGate group filters on page 163.

On each server with a Collector agent, you will be:

  • Configuring Windows AD server user groups
  • Configuring Collector agent settings, including the domain controllers to be monitored
  • Selecting Domain Controllers and working mode for monitoring
  • Configuring Directory Access settings
  • Configuring the Ignore User List
  • Configuring FortiGate group filters for each FortiGate unit
  • Configuring FSSO ports
  • Configuring alternate user IP address tracking
  • Viewing FSSO component status

Configuring Windows AD server user groups

FortiGate units control network resource access at the group level. All members of a user group have the same network access as defined in FortiGate security policies.

You can use existing Windows AD user groups for authentication to FortiGate units if you intend that all members within each group have the same network access privileges.

Otherwise, you need to create new user groups for this purpose.

The FSSO Agent sends only Domain Local Security Group and Global Security Group information to FortiGate units. You cannot use Distribution group types for FortiGate access. No information is sent for empty groups.

Refer to Microsoft documentation for information about creating and managing Windows AD user groups.

Configuring Collector agent settings

You need to configure which domain controllers the Collector agent will use and which domains to monitor for user logons. You can also alter default settings and settings you made during installation. These tasks are accomplished by configuring the FSSO Collector Agent and selecting Apply to enable the changes.

At any time to refresh the FSSO Agent settings, select Apply.

To configure the Collector agent:

  1. From the Start menu, select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign-On Agent.
  2. Enter the following information.
Monitoring user logon events By default, this is enabled to automatically authenticate users as they log on to the Windows domain. Disable the Monitor feature only if you have a large network where this feature will slow responses too much.

Support NTLM authentication By default, this is enabled to facilitate logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons.
Collector Agent Status Shows RUNNING when Collector agent is active.
Listening ports You can change FSSO Collector Agent related port numbers if necessary.
FortiGate TCP port for FortiGate units. Default 8000.
DC Agent UDP port for DC Agents. Default 8002.
Logging
Log level Select the minimum severity level of logged messages.
Log file size limit (MB) Enter the maximum size for the log file in MB. Default is 10.
View Log View all Fortinet Single Sign On agent logs.
Log logon events in separate logs Record user login-related information separately from other logs. The information in this log includes:

  • data received from DC agents
  • user logon/logoff information
  • workstation IP change information
  • data sent to FortiGate units

View Logon Events If Log logon events in separate logs is enabled, you can view user login-related information.
Authentication
Require authenticated connection from FortiGate Select to require the FortiGate unit to authenticate before connecting to the Collector agent.
Password Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is “fortinetcanada”. It is highly recommended to modify this password.
Timers

Workstation verify interval (minutes) Enter the interval in minutes at which the Fortinet Single Sign On Collector agent connects to client computers to determine whether the user is still logged on. The default is every 5 minutes. The interval may be increased if your network has too much traffic.

Note: This verification process creates security log entries on the client computer.

If ports 139 or 445 cannot be opened on your network, set the interval to 0 to prevent checking. See Configuring FSSO ports on page 164.

Dead entry timeout interval Enter the interval in minutes after which Fortinet Single Sign On Agent purges information for user logons that it cannot verify. The default is 480 minutes (8 hours).

Dead entries usually occur because the computer is unreachable (such as in standby mode or disconnected) but the user has not logged off. A common reason for this is that users forget to log off before leaving the office for the day.

You can also prevent dead entry checking by setting the interval to 0.

IP address change verify interval Fortinet Single Sign On Agent periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. IP address verification prevents users from being locked out if they change IP addresses, as may happen with DHCP assigned addresses.

Enter the verification interval in seconds. The default is 60 seconds. You can enter 0 to prevent IP address checking if you use static IP addresses.

This does not apply to users authenticated through NTLM.

Cache user group lookup result Enable caching.

Caching can reduce group lookups and increase performance.

Cache expire in (minutes) Fortinet Single Sign On Agent caches group information for logged-in users.

Enter the duration in minutes after which the cache entry expires. If you enter 0, the cache never expires.

A long cache expire interval may result in more stale user group information. This can be an issue when a user’s group information is changed.

Clear Group Cache Clear group information of logged-in users.

This affects all logged-in users, and may force them to re-logon.

  3. You can select Save & Close now or leave the agent configuration window open to complete additional configuration in the following sections.

To view the version and build number information for your FSSO Collector Agent configuration, select the Fortinet icon in the upper left corner of the Collector agent Configuration screen and select About Fortinet Single Sign On Agent configuration.

Selecting Domain Controllers and working mode for monitoring

You can change which DC agents are monitored or change the working mode for logon event monitoring between DC agent mode and polling mode.

When polling mode is selected, it will poll port 445 of the domain controller every few seconds to see who is logged on.

  1. From the Start menu select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign On Agent.
  2. In the Common Tasks section, select Show Monitored DCs.
  3. Select Select DC to Monitor.
  4. Choose the Working Mode:
    • DC Agent mode — a Domain Controller agent monitors user logon events and passes the information to the Collector agent. This provides reliable user logon information, however you must install a DC agent on every domain controller in the domain.
    • Polling mode — the Collector agent polls each domain controller for user logon information. Under heavy system load this might provide information less reliably. However installing a DC agent on each domain controller is not required in this mode.
  5. You also need to choose the method used to retrieve logon information:
    • Poll logon sessions using Windows NetAPI
    • Check Windows Security Event Logs
    • Check Windows Security Event Logs using WMI

For more information about these options, see Polling mode on page 146.

  6. Select OK.
  7. Select Close.
  8. Select Save & Close.

Configuring Directory Access settings

The FSSO Collector Agent can access Windows Active Directory in one of two modes:

  • Standard — the FSSO Collector Agent receives group information from the Collector agent in the domain\user format. This option is available on FortiOS 3.0 and later.
  • Advanced — the FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. This option is available on FortiOS 3.0 MR6 and later. The group information is in standard LDAP format.

To configure Directory Access settings:

  1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
  2. In the Common Tasks section, select Set Directory Access Information. The Set Directory Access Information dialog box opens.
  3. From the AD access mode list, select either Standard or Advanced.
  4. If you selected Advanced AD access mode, select Advanced Setting and configure the following settings and then select OK:
AD server address Enter the address of your network’s global catalog server.
AD server port The default AD server port is 3268. This must match your server port.
BaseDN Enter the Base distinguished name for the global catalog. This is the point in the tree that is used as the starting point of searches by default. See the BaseDN example below.
Username and Password If the global catalog accepts your Fortinet Single Sign On Agent’s credentials, you can leave these fields blank. Otherwise, enter credentials for an account that can access the global catalog.

BaseDN example

An example DN for Training Fortinet Canada is ou=training, ou=canada, dc=fortinet, dc=com. If you set the BaseDN to ou=canada, dc=fortinet, dc=com, then when Fortinet Single Sign On Agent is looking up user credentials it searches only the Canada organizational unit instead of all the possible countries in the company. It is a shortcut: you enter less information and searches are faster.

However, you may have problems if you narrow the BaseDN too much when international employees of the company visit different offices. If someone from Fortinet Japan is visiting the Canada office in the example above, their account credentials will not be matched because they are in ou=japan, dc=fortinet, dc=com instead of the BaseDN ou=canada, dc=fortinet, dc=com. The easy solution is to change the BaseDN to simply dc=fortinet, dc=com. Then any search will check all the users in the company.

Configuring the Ignore User List

The Ignore User List excludes users that do not authenticate to any FortiGate unit, such as system accounts. The logons of these users are not reported to FortiGate units. This reduces the amount of required resources on the FortiGate unit especially when logging logon events to memory.

To configure the Ignore User List:

  1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
  2. In the Common Tasks section, select Set Ignore User List. The current list of ignored users is displayed:
  3. Do any of the following:
    • To remove a user from the list, select the username and then select Remove. The user’s login is no longer ignored.
    • To add a single user to be ignored, enter the username in the format domain\username and select Add.
    • To add users from the directory, select Add Users. An Add Ignore Users window is displayed; checkmark the users you do not want to monitor, then select Add.
    • To add all users in an organizational unit, select Add by OU. An Add Ignore Users by OU window is displayed; select an OU from the directory tree, then select Add. All users under the selected OU are added to the ignore user list.
  4. Select OK.

Configuring FortiGate group filters

FortiGate group filters actively control which user logon information is sent to each FortiGate unit. You need to configure the group filter list so that each FortiGate unit receives the correct user logon information for the user groups that are named in its security policies. These group filters help limit the traffic sent to the FortiGate unit, and help limit the logon events logged.

The maximum number of Windows AD user groups allowed on a FortiGate depends on the model. Low end models support 256 Windows AD user groups, while mid and high end models support 1024 groups. This limit is per VDOM if VDOMs are enabled on the FortiGate unit.

You do not need to configure a group filter on the Collector agent if the FortiGate unit retrieves group information from Windows AD using LDAP. In that case, the Collector agent uses the list of groups you selected on the FortiGate unit as its group filter.

The filter list is initially empty. You need to configure filters for your FortiGate units using the Add function. At a minimum, create a default filter that applies to all FortiGate units without a defined filter.

If no filter is defined for a FortiGate unit and there is no default filter, the Collector agent sends all Windows AD group and user logon events to the FortiGate unit. While this normally is not a problem, limiting the amount of data sent to the FortiGate unit improves performance by reducing the amount of memory the unit uses to store the group list and resulting logs.

To configure a FortiGate group filter:

  1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
  2. In the Common Tasks section, select Set Group Filters.

The FortiGate Filter List opens. It has the following columns:

FortiGate SN The serial number of the FortiGate unit to which this filter applies.
Description An optional description of the role of this FortiGate unit.
Monitored Groups The Windows AD user groups that are relevant to the security policies on this FortiGate unit.
Add Create a new filter.
Edit Modify the filter selected in the list.
Remove Remove the filter selected in the list.
OK Save the filter list and exit.
Cancel Cancel changes and exit.
  3. Select Add to create a new filter. If you want to modify an existing filter, select it in the list and then select Edit.
  4. Enter the following information and then select OK.
Default filter Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list.
FortiGate Serial Number Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default is selected.
Description Enter a description of this FortiGate unit’s role in your network. For example, you could list the resources accessed through this unit. This field is not available if Default is selected.
Monitor the following groups The Collector agent sends to the FortiGate unit the user logon information for the Windows AD user groups in this list. Edit this list using the Add, Advanced and Remove buttons.
Add In the preceding single-line field, enter the Windows AD domain name and user group name, and then select Add. If you don’t know the exact name, use the Advanced button instead.

The format of the entry depends on the AD access mode (see Configuring Directory Access settings on page 161):

Standard: Domain\Group

Advanced: cn=group, ou=corp, dc=domain

Advanced Select Advanced, select the user groups from the list, and then select Add.
Remove Remove the user groups selected in the monitor list.
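The BaseDN example above and the Advanced-mode filter format (cn=group, ou=corp, dc=domain) both depend on how DNs are compared. The following added example (not Fortinet code) splits a DN into RDNs, checks whether an entry falls under a chosen BaseDN, and validates a "Monitor the following groups" entry for the selected AD access mode; the requirement that an Advanced entry start with cn= and contain a dc= component is an assumption drawn from the page's sample entry.

```python
"""Added example: DN scope checks for FSSO BaseDN and group filter entries."""
import re


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, lower-cased for comparison.

    Backslash-escaped commas stay inside a value, and the whitespace after
    commas used in the page's examples ("ou=canada, dc=fortinet") is ignored.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def in_base_dn(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is at or below base_dn, i.e. a search rooted at
    base_dn would reach it (the "is Japan under ou=canada?" question)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def valid_group_filter(entry: str, mode: str) -> bool:
    """Check a filter entry against the AD access mode from Directory Access.

    Standard expects Domain\\Group. Advanced expects an LDAP DN; requiring a
    leading cn= and a dc= component is an assumption based on the page's
    sample entry cn=group, ou=corp, dc=domain.
    """
    if mode == "Standard":
        return re.fullmatch(r"[^\\/\s]+\\[^\\/]+", entry) is not None
    if mode == "Advanced":
        try:
            rdns = split_dn(entry)
        except ValueError:
            return False
        return rdns[0][0] == "cn" and any(t == "dc" for t, _ in rdns)
    raise ValueError(f"unknown AD access mode: {mode}")
```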

Configuring FSSO ports

For FSSO to function properly a small number of TCP and UDP ports must be open through all firewalls on the network. The ports listed in this section assume the default FSSO ports are used.

TCP ports for FSSO agent with client computers

Windows AD records when users log on but not when they log off. For best performance, Fortinet Single Sign On Agent monitors when users log off. To do this, Fortinet Single Sign On Agent needs read-only access to each client computer’s registry over TCP port 139 or 445. Open at least one of these ports — ensure it is not blocked by firewalls.

If it is not feasible or acceptable to open TCP port 139 or 445, you can turn off Fortinet Single Sign On Agent logoff detection. To do this, set the Collector agent workstation verify interval to 0. The FSSO Collector Agent assumes that the logged on computer remains logged on for the duration of the Collector agent dead entry timeout interval — by default this is eight hours.

Configuring ports on the Collector agent computer

On the computer where you install the Collector agent, you must make sure that the firewall does not block the listening ports for the FortiGate unit and the DC Agent. By default, these are TCP port 8000 and UDP port 8002. For more information about setting these ports, see Configuring FSSO Advanced Settings on page 171.

Configuring alternate user IP address tracking

In environments where user IP addresses change frequently, you can configure Fortinet Single Sign On Agent to use an alternate method to track user IP address changes. Using this method, Fortinet Single Sign On Agent responds more quickly to user IP address changes because it directly queries workstation IP addresses to match users and IP addresses.

This feature requires FSAE version 3.5.27 or later, any version of Fortinet Single Sign On Agent, and FortiOS 3.0 MR7 or later.

To configure alternate user IP address tracking:

  1. On the computer where the Collector agent is installed, go to Start > Run.
  2. Enter regedit or regedt32 and select OK. The Registry Editor opens.
  3. Find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent.
  4. Set the supportFSAEauth value (dword) to 00000001. If needed, create this new dword.
  5. Close the Registry Editor.
  6. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
  7. Select Apply.

The Fortinet Single Sign On Agent service restarts with the updated registry settings.

Viewing FSSO component status

It is important to know the status of both your Collector agents and DC agents.

Viewing Collector agent status

Use the Show Service Status to view your Collector agent information in the Status window. The Status window displays:

  • the version of the software
  • the status of the service
  • the number of connected FortiGate units
  • connected FortiGate information such as serial number, IP address, and connect time

To view Collector agent status:

  1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
  2. In the Common Tasks section, select Show Service Status.

The Fortinet Single Sign On Collector agent Status window opens.

  3. Optionally select Get NTLM statistics in the Status window to display NTLM information such as the number of messages received, processed, failed, and in the queue.

Viewing DC agent status

Use the Show Monitored DCs to view the status of DC agents.

To view domain controller agent status:

  1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
  2. In the Common Tasks section, select Show Monitored DCs. For each DC Agent, the following information is displayed:

  • IP address
  • number of logon events received
  • the last logon event
  • when the last logon was received

To change which DC agents are monitored or change the working mode for logon event monitoring, select Select DC to Monitor.

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Agent-based FSSO”

  1. Stewart Myles

    Thanks, I find your site useful. I have followed these instructions and we have an issue where users are not detected by the Fortinet agent if they move from wireless to LAN and vice versa; also, if users come out of sleep mode they won’t have any internet. Any ideas where to look?
