Agent-based FSSO

Configuring FSSO Advanced Settings

Depending on your network topology and requirements, you may need to configure advanced settings in the FSSO Collector agent. To do so, from the Start menu, select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign-On Agent, then from the Common Tasks section, select Advanced Settings.

This section includes:

  • General Settings
  • Citrix/Terminal Server
  • Exchange Server
  • RADIUS Accounting

General Settings

In the General tab, enter the following information and select OK.

  • Worker thread count: Number of threads started in the CA process. Default is 128 on CA version 5.0.0241.
  • Maximum FortiGate connections: Number of FortiGates that can connect to the CA. Default is 64.
  • Group look-up interval: The interval in seconds at which the CA looks up users/groups again. If the AD group membership of a currently logged-on user changes, the CA detects this and updates the information on the FortiGate. Enter 0 for no checking.
  • Windows security Event logs: Choose the event logs to poll.
  • Event IDs to poll: 0 selects the default set, which includes the Kerberos authentication events (672 for Windows Server 2003; 4768 for Windows Server 2008 and 2012) and the NTLM authentication events (680 for Windows Server 2003; 4776 for Windows Server 2008 and 2012). 1 selects the extended set, which includes the Kerberos service ticket events (673 for Windows Server 2003; 4769 for Windows Server 2008 and 2012); service tickets are obtained whenever a user or computer accesses a server on the network. To poll a custom set, list the event IDs separated by ";".

  • Workstation Check: Optionally enable Use WMI to check user logoff so that the collector agent can query whether a user is still logged on.
  • Workstation Name Resolution Advanced Options:
      • Alternative DNS server(s): By default the Collector Agent uses the DNS server configured on the machine it runs on. If the CA should use another DNS server, one or more alternative DNS servers can be configured here.
      • Alternative workstation suffix(es): If only a host name is available, the CA uses the default domain suffix to build an FQDN for DNS queries. If the CA should use a different suffix, it can be configured here.

Citrix/Terminal Server

In the Citrix/Terminal Server tab, enter the following information and select OK.

  • Support Citrix/Terminal Server Virtual IP Environment: When Citrix servers are configured with a VIP, the CA can get user logon events from these servers. Citrix changed its interface and data format, so the version of the Citrix server matters.
  • Citrix server before version 6.0: Enable this option if your Citrix server version is before 6.0.
  • Server list: Enter the list of servers, separated by a colon.
  • Citrix server version 6.0 or later, or Terminal Server: Enable this option if your Citrix server version is 6.0 or later (or for Terminal Server).
  • Server list: Enter the list of servers, separated by a colon.
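As an added example (not from the original page and not Fortinet's agent code), the following Python script shows what the General settings above amount to in practice: which Security event IDs the "Event IDs to poll" setting selects, what a 4768, 4776 or 4769 event yields (user, domain, and either a client IP or only a workstation name), and why the workstation name resolution options exist at all, since an NTLM audit event carries no client address. The events are constructed samples in the Windows event XML schema; the domain corp.example, the suffix list, and reading setting "1" as the default set plus the service-ticket events are assumptions.

```python
"""Added example: what an FSSO-style Security-log poller has to do with the
General settings above. Constructed events, not Fortinet code."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs named on the page: Kerberos TGT (672/4768), NTLM (680/4776),
# Kerberos service ticket (673/4769). Reading "1" as default set plus
# service-ticket events is an assumption.
DEFAULT_SET = {672, 4768, 680, 4776}
EXTENDED_SET = DEFAULT_SET | {673, 4769}


def event_ids_to_poll(setting):
    """'0' -> default set, '1' -> extended set, anything else -> ';'-separated IDs."""
    setting = setting.strip()
    if setting == "0":
        return set(DEFAULT_SET)
    if setting == "1":
        return set(EXTENDED_SET)
    return {int(x) for x in setting.split(";") if x.strip()}


def workstation_fqdn(name, suffixes):
    """Bare host name -> FQDN using the first configured suffix (the role of
    'Alternative workstation suffix(es)'); qualified names pass through."""
    if "." in name or not suffixes:
        return name
    return "%s.%s" % (name, suffixes[0])


def _event_id(ev):
    return int(ev.findtext("e:System/e:EventID", namespaces=NS))


def event_to_logon(xml_text, suffixes=("corp.example",)):
    """Return {'event','user','domain','address'} for a successful user logon, else None."""
    ev = ET.fromstring(xml_text)
    eid = _event_id(ev)
    d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
    user = d.get("TargetUserName", "")
    if user.endswith("$"):
        return None  # machine account: not a user logon
    if d.get("Status", "0x0") != "0x0":
        return None  # Kerberos/NTLM failure (e.g. 0x18 bad password): not a logon
    if eid in (4768, 4769):
        # 4769 logs user@REALM; 4768 logs user and TargetDomainName separately
        if "@" in user:
            user, domain = user.split("@", 1)
        else:
            domain = d.get("TargetDomainName", "")
        addr = d.get("IpAddress", "")
        if addr.startswith("::ffff:"):
            addr = addr[len("::ffff:"):]  # KDC logs IPv4 clients in IPv4-mapped form
        return {"event": eid, "user": user, "domain": domain.upper(), "address": addr}
    if eid == 4776:
        # NTLM audit carries no client IP, only a workstation name, so the CA
        # must resolve it: that is what the DNS/suffix options and WMI check serve.
        return {"event": eid, "user": user, "domain": "",
                "address": workstation_fqdn(d.get("Workstation", ""), suffixes)}
    return None


def poll(events_xml, setting="0", suffixes=("corp.example",)):
    """Apply the 'Event IDs to poll' selection to a batch of events."""
    wanted = event_ids_to_poll(setting)
    logons = []
    for x in events_xml:
        if _event_id(ET.fromstring(x)) in wanted:
            rec = event_to_logon(x, suffixes)
            if rec:
                logons.append(rec)
    return logons


def _ev(eid, **data):
    """Minimal Security-log event in the real event XML schema (constructed sample)."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], eid, fields))


# Constructed sample batch: a good TGT, a computer account, a failed TGT,
# an NTLM logon (workstation name only) and a service ticket.
SAMPLE = [
    _ev(4768, TargetUserName="user1", TargetDomainName="corp.example",
        IpAddress="::ffff:10.1.2.3", Status="0x0"),
    _ev(4768, TargetUserName="WS01$", TargetDomainName="corp.example",
        IpAddress="::ffff:10.1.2.3", Status="0x0"),
    _ev(4768, TargetUserName="user2", TargetDomainName="corp.example",
        IpAddress="::ffff:10.1.2.9", Status="0x18"),
    _ev(4776, TargetUserName="user3", Workstation="WS02", Status="0x0"),
    _ev(4769, TargetUserName="user1@CORP.EXAMPLE", ServiceName="FILESRV$",
        IpAddress="::ffff:10.1.2.3", Status="0x0"),
]

if __name__ == "__main__":
    for rec in poll(SAMPLE, "1"):
        print(rec)
```

Running it with setting "1" yields three logons (user1 via TGT with its IP, user3 via NTLM with only a resolved workstation FQDN, and user1 again via a service ticket); with the default setting "0" the service-ticket event is not polled. The NTLM case is the one to watch in production: the address the CA ends up with is only as good as the DNS answer for the workstation name, which is why the alternative DNS server and suffix options matter.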

Exchange Server

FSSO supports monitoring Microsoft Exchange Server. This is useful when users access their email with their domain accounts but the client device may or may not be joined to the domain. Support for Exchange Server is configured on the back-end FSSO collector agent under Advanced Settings > Exchange Server.

Select Add, enter the following information, and select OK.

  • Domain Name: Enter your domain name.
  • Server IP/Hostname: Enter the IP address or the hostname of your Exchange server.
  • Polling forwarded event log: Use this option when you do not want the CA to poll the Exchange Server logs directly. In this case you need to configure event log forwarding on the Exchange server; Exchange event logs can be forwarded to any member server. If you enable this option, configure the IP of that member server instead of the IP of the Exchange server in the previous step. The CA will then contact the member server.
  • Ignore Name: The CA also checks the Windows event logs for logon events, and when a user authenticates to Exchange Server there is a corresponding logon event in the Windows event log. The CA would read that event, and it would overwrite the Exchange Server logon event (ESEventLog) on the CA. It is therefore recommended to set the ignore list to the domain the user belongs to. To do so, enter the domain name in the Ignore Name field and select Add.

RADIUS Accounting

A RADIUS server must be configured in your network to send accounting messages to the Collector Agent, which can be configured to work with most RADIUS-based accounting systems. In most cases, you only need to do the following on your RADIUS accounting system:

  • Add a user group name field to the user accounts on the RADIUS server so that the group name is added to the RADIUS Start record the accounting system sends to the Collector Agent. User group names do not need to be added for all users, only to the accounts of users who will use the RADIUS Accounting feature on the Collector Agent.
  • Configure your accounting system to send RADIUS Start records to the Collector Agent.

The Collector Agent should be configured to listen for RADIUS accounting messages as follows.

  • Enable RADIUS Accounting Server: Enable this option to allow the CA to gather information about authenticated users via a RADIUS server and send this information to the FortiGate unit for monitoring.
  • Listen port: The port on which the CA listens for RADIUS accounting messages. The default RADIUS accounting port is 1813, but if the RADIUS server sends accounting messages on a different port, that value can be configured here.
  • Shared secret: The secret shared between the CA and the RADIUS server. It must match the secret configured on the RADIUS server; in RADIUS the shared secret is what authenticates each accounting request (RFC 2866), so use a strong value and keep it in sync on both sides.
  • Default domain name: This should be the AD domain for which this CA is configured. With it set, the user name in a RADIUS accounting message can be in the simple form user1. If this value is empty, the user name in the RADIUS accounting message must be in one of these formats: user1@domain, Domain\user1 or domain/user1.

The CA uses the user name and domain to query the user's group membership. The client IP address (Framed-IP-Address) must also be present in the RADIUS accounting message, so that the CA can forward the user name, IP address and groups to the FortiGate.
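As an added example (not Fortinet's code), the following Python decodes a RADIUS Accounting-Request Start record the way a collector has to before trusting it: it verifies the Request Authenticator against the shared secret (RFC 2866), accepts only Start records, extracts User-Name and Framed-IP-Address, and applies the default-domain rule described above to derive the domain for the group lookup. The sample packet, the secret s3cret and the domain CORP are constructed; carrying the group name in Fortinet's Fortinet-Group-Name vendor-specific attribute (vendor id 12356, vendor type 1) is an assumption about the "user group name field" the page refers to.

```python
"""Added example: decode a RADIUS Accounting-Request 'Start' record the way a
collector such as the CA must before trusting it. Constructed sample traffic."""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1
# Assumption: the "user group name field" travels as Fortinet's VSA
# Fortinet-Group-Name (vendor id 12356, vendor type 1).
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def split_user(name, default_domain=""):
    """Name rules from the page: user1@domain, Domain\\user1, domain/user1, or
    bare user1 only when a default domain is configured. Returns (DOMAIN, user)."""
    if "@" in name:
        user, domain = name.rsplit("@", 1)
    elif "\\" in name:
        domain, user = name.split("\\", 1)
    elif "/" in name:
        domain, user = name.split("/", 1)
    elif default_domain:
        domain, user = default_domain, name
    else:
        raise ValueError("no domain in %r and no default domain configured" % name)
    return domain.upper(), user


def verify_acct_authenticator(packet, secret):
    """RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    zeroed = packet[:4] + b"\x00" * 16 + packet[20:]
    return hashlib.md5(zeroed + secret).digest() == packet[4:20]


def parse_attributes(body):
    """Split the attribute area into {type: value} and {(vendor, vtype): value}."""
    attrs, vsas, pos = {}, {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            vsas[(vendor, vtype)] = value[6:4 + vlen]
        else:
            attrs[atype] = value
        pos += alen
    return attrs, vsas


def accounting_start_to_fsso(packet, secret, default_domain=""):
    """Return {'user','domain','ip','group'} for a valid Start record, else None."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    if not verify_acct_authenticator(packet, secret):
        return None  # wrong shared secret, or a tampered/forged record
    attrs, vsas = parse_attributes(packet[20:])
    if attrs.get(ATTR_ACCT_STATUS_TYPE) != struct.pack("!I", ACCT_STATUS_START):
        return None  # Stop/Interim records carry no new logon
    if ATTR_USER_NAME not in attrs or ATTR_FRAMED_IP_ADDRESS not in attrs:
        return None  # CA needs both the name and Framed-IP-Address to push a logon
    try:
        domain, user = split_user(attrs[ATTR_USER_NAME].decode(), default_domain)
    except ValueError:
        return None  # no domain means no group lookup is possible
    group = vsas.get((FORTINET_VENDOR_ID, FORTINET_GROUP_NAME), b"").decode()
    ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
    return {"user": user, "domain": domain, "ip": ip, "group": group}


def build_acct_start(secret, username, framed_ip, group, ident=7):
    """Construct a sample Accounting-Request Start (test data, not a capture)."""
    def avp(t, v):
        return bytes([t, len(v) + 2]) + v
    vsa = struct.pack("!I", FORTINET_VENDOR_ID) + avp(FORTINET_GROUP_NAME, group.encode())
    body = (avp(ATTR_USER_NAME, username.encode())
            + avp(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
            + avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
            + avp(ATTR_VENDOR_SPECIFIC, vsa))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + auth + body


if __name__ == "__main__":
    pkt = build_acct_start(b"s3cret", "CORP\\user1", "10.1.2.3", "Sales")
    print(accounting_start_to_fsso(pkt, b"s3cret"))  # accepted
    print(accounting_start_to_fsso(pkt, b"wrong"))   # None: secret mismatch
```

The authenticator check is the part worth noting from a security standpoint: anything that can reach the listen port can send a well-formed Start record naming any user and any Framed-IP-Address, and the shared secret is the only thing that separates that from a legitimate record. A bare user name is rejected unless a default domain is configured, mirroring the Default domain name rule above.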

This entry was posted in FortiGate, FortiOS 5.6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Agent-based FSSO”

  1. Stewart Myles

    Thanks, I find your site useful. I have followed these instructions and we have an issue where users are not detected by the Fortinet agent if they move from wireless to LAN and vice versa; also, if users come out of sleep mode they won’t have any internet. Any ideas where to look?
