Configuring the FSSO collector agent for Windows AD
On the FortiGate unit, security policies control access to network resources based on user groups. With Fortinet Single Sign On this is still true, but each FortiGate user group is associated with one or more Windows AD user groups. This is how Windows AD group membership is applied in FortiGate security policies.
Fortinet Single Sign On sends information about Windows user logons to FortiGate units. If there are many users on your Windows AD domains, the large amount of information might affect the performance of the FortiGate units.
To avoid this problem, you can configure the Fortinet Single Sign On Collector agent to send logon information only for groups named in the FortiGate unit’s security policies. See Configuring FortiGate group filters on page 168.
On each server with a Collector agent, you will be doing the following:
- Configuring Windows AD server user groups
- Configuring collector agent settings, including the domain controllers to be monitored
- Selecting Domain Controllers and working mode for monitoring
- Configuring directory access settings
- Configuring the ignore user list
- Configuring FortiGate group filters for each FortiGate unit
- Configuring FSSO ports
- Configuring alternate user IP address tracking
- Viewing FSSO component status
Configuring Windows AD server user groups
FortiGate units control network resource access at the group level. All members of a user group have the same network access as defined in FortiGate security policies.
You can use existing Windows AD user groups for authentication to FortiGate units if you intend that all members within each group have the same network access privileges.
Otherwise, you need to create new user groups for this purpose.
Refer to Microsoft documentation for information about creating and managing Windows AD user groups.
Configuring collector agent settings
You need to configure which domain controllers the Collector agent will use and which domains to monitor for user logons. You can also alter default settings and settings you made during installation. These tasks are accomplished in the FSSO Collector Agent configuration tool; select Apply to enable the changes. You can select Apply at any time to refresh the FSSO Agent settings.
To configure the collector agent:
- From the Start menu, select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign-On Agent.
- Enter the following information.
Monitoring user logon events | By default, this is enabled to automatically authenticate users as they log on to the Windows domain. Disable the Monitor feature only if you have a large network where this feature slows responses too much. |
Support NTLM authentication | By default, this is enabled to facilitate logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication, for security or other reasons. |
Collector Agent Status | Shows RUNNING when the Collector agent is active. |
Listening ports | You can change the FSSO Collector Agent port numbers if necessary. |
FortiGate | TCP port for FortiGate units. Default 8000. |
DC Agent | UDP port for DC Agents. Default 8002. |
Logging | |
Log level | Select the minimum severity level of logged messages. |
Log file size limit (MB) | Enter the maximum size for the log file in MB. Default is 10. |
View Log | View all Fortinet Single Sign On agent logs. |
Log logon events in separate logs | Record user logon-related information separately from other logs. This log includes: data received from DC agents; user logon/logoff information; workstation IP change information; data sent to FortiGate units. |
View Logon Events | If Log logon events in separate logs is enabled, you can view user logon-related information. |
Authentication | |
Require authenticated connection from FortiGate | Select to require the FortiGate unit to authenticate before connecting to the Collector agent. |
Password | Enter the password that FortiGate units must use to authenticate. The maximum password length is 15 characters. The default password is “fortinetcanada”. Change this password: the default is publicly documented, so a connection that still accepts it is not meaningfully authenticated. The FortiGate units must be configured with the same password. |
Timers | |
Workstation verify interval (minutes) | Enter the interval in minutes at which the Fortinet Single Sign On Collector agent connects to client computers to determine whether the user is still logged on. The default is every 5 minutes. The interval may be increased if your network has too much traffic. Note: This verification process creates security log entries on the client computer. If ports 139 or 445 cannot be opened on your network, set the interval to 0 to prevent checking. See Configuring FSSO ports on page 170. |
Dead entry timeout interval | Enter the interval in minutes after which Fortinet Single Sign On Agent purges information for user logons that it cannot verify. The default is 480 minutes (8 hours). Dead entries usually occur because the computer is unreachable (such as in standby mode or disconnected) but the user has not logged off. A common reason for this is that users forget to log off before leaving the office for the day. You can also prevent dead entry checking by setting the interval to 0. |
IP address change verify interval | Fortinet Single Sign On Agent periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. IP address verification prevents users from being locked out if they change IP addresses, as may happen with DHCP-assigned addresses. Enter the verification interval in seconds. The default is 60 seconds. You can enter 0 to prevent IP address checking if you use static IP addresses. This does not apply to users authenticated through NTLM. |
Cache user group lookup result | Enable caching. Caching can reduce group lookups and increase performance. |
Cache expire in (minutes) | Fortinet Single Sign On Agent caches group information for logged-in users. Enter the duration in minutes after which the cache entry expires. If you enter 0, the cache never expires. A long cache expire interval may result in stale user group information: a user removed from a group keeps that group’s access on the FortiGate unit until the cache entry expires or you clear the cache. |
Clear Group Cache | Clear group information of logged-in users. This affects all logged-in users, and may force them to log on again. |
- You can select Save & close now or leave the agent configuration window open to complete additional configuration in the following sections.
To view the version and build number of your FSSO Collector Agent, select the Fortinet icon in the upper left corner of the Collector agent configuration screen and then select About Fortinet Single Sign On Agent configuration.
Selecting Domain Controllers and working mode for monitoring
You can change which DC agents are monitored or change the working mode for logon event monitoring between DC agent mode and polling mode.
When polling mode is selected, the Collector agent polls TCP port 445 of each domain controller every few seconds to see who is logged on.
- From the Start menu select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign On Agent.
- In the Common Tasks section, select Show Monitored DCs.
- Select Select DC to Monitor.
- Choose the Working Mode:
- DC Agent mode — a Domain Controller agent monitors user logon events and passes the information to the Collector agent. This provides reliable user logon information, however you must install a DC agent on every domain controller in the domain.
- Polling mode — the Collector agent polls each domain controller for user logon information. Under heavy system load this might provide information less reliably. However installing a DC agent on each domain controller is not required in this mode.
- You also need to choose the method used to retrieve logon information:
  - Poll logon sessions using Windows NetAPI
  - Check Windows Security Event Logs
  - Check Windows Security Event Logs using WMI
For more information about these options, see Polling mode on page 151.
- Select OK.
- Select Close.
- Select Save & Close.
Configuring directory access settings
The FSSO Collector Agent can access Windows Active Directory in one of two modes:
- Standard — the FSSO Collector Agent receives group information from the Collector agent in the domain\user format. This option is available on FortiOS 3.0 and later.
- Advanced — the FSSO Collector Agent obtains user group information using LDAP. The benefit of this method is that it is possible to nest groups within groups. This option is available on FortiOS 3.0 MR6 and later. The group information is in standard LDAP format.
To configure Directory Access settings:
- From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
- In the Common Tasks section, select Set Directory Access Information. The Set Directory Access Information dialog box opens.
- From the AD access mode list, select either Standard or Advanced.
- If you selected Advanced AD access mode, select Advanced Setting and configure the following settings and then select OK:
AD server address | Enter the address of your network’s global catalog server. |
AD server port | The default AD server port is 3268. This must match your server port. |
BaseDN | Enter the Base distinguished name for the global catalog. This is the point in the tree that is used as the starting point for searches by default. See the following example. |
Username | If the global catalog accepts your Fortinet Single Sign On Agent’s credentials, you can leave these fields blank. Otherwise, enter credentials for an account that can access the global catalog. The account only needs read access to the global catalog; do not use a privileged administrative account for this. |
Password | |
BaseDN example
An example DN for Training Fortinet Canada is ou=training, ou=canada, dc=fortinet, dc=com. If you set the BaseDN to ou=canada, dc=fortinet, dc=com, then when Fortinet Single Sign On Agent looks up user credentials it searches only the Canada organizational unit, instead of all the countries in the company. This is a shortcut: you enter less information and searches are faster.
However, you may have problems if you narrow the BaseDN too much when international employees visit other offices. If someone from Fortinet Japan is visiting the Canada office in the example above, their account will not be matched because it is in ou=japan, dc=fortinet, dc=com, which is outside the BaseDN ou=canada, dc=fortinet, dc=com. The easy solution is to change the BaseDN to simply dc=fortinet, dc=com. Then any search covers all users in the company.
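The following PowerShell is an added example, not part of the Fortinet guide: it checks whether a user's DN falls within a candidate BaseDN (subtree scope, which is what the lookup above does) and computes the narrowest BaseDN that still covers a set of users. The two user DNs are constructed for the example and placed in the OUs discussed above; the Alice/Bob names are placeholders. DNs are normalised before comparison so that the spacing and letter case in the text above do not matter.

```powershell
# Added example (not from the Fortinet guide): check which user DNs fall under a candidate
# BaseDN, and find the narrowest BaseDN that covers a set of users. DNs are normalised
# before comparison: attribute types are lower-cased and the whitespace after the separating
# commas is dropped, so "ou=Canada, dc=fortinet, dc=com" matches "ou=canada,dc=fortinet,dc=com".

function Split-Dn {
    param([Parameter(Mandatory)][string]$Dn)
    # Split on commas that are not escaped with a backslash; one normalised RDN per element.
    foreach ($rdn in [regex]::Split($Dn, '(?<!\\),')) {
        $type, $value = $rdn.Trim() -split '=', 2
        if (-not $value) { throw "Malformed RDN '$rdn' in '$Dn'" }
        '{0}={1}' -f $type.Trim().ToLowerInvariant(), $value.Trim()
    }
}

function Test-DnUnderBase {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][string]$BaseDn
    )
    $dnParts   = @(Split-Dn $Dn)
    $baseParts = @(Split-Dn $BaseDn)
    if ($baseParts.Count -gt $dnParts.Count) { return $false }
    # Subtree scope: the BaseDN must equal the rightmost RDNs of the user's DN.
    $offset = $dnParts.Count - $baseParts.Count
    for ($i = 0; $i -lt $baseParts.Count; $i++) {
        # -ne is case-insensitive in PowerShell, matching LDAP DN comparison rules.
        if ($dnParts[$offset + $i] -ne $baseParts[$i]) { return $false }
    }
    return $true
}

function Get-CommonBaseDn {
    param([Parameter(Mandatory)][string[]]$Dns)
    $split = [System.Collections.Generic.List[object]]::new()
    foreach ($d in $Dns) { $split.Add(@(Split-Dn $d)) }
    $depth  = ($split | ForEach-Object { $_.Count } | Measure-Object -Minimum).Minimum
    $common = @()
    # Walk from the right-hand end (dc=com first) and keep the RDNs shared by every DN.
    for ($i = 1; $i -le $depth; $i++) {
        $candidates = @($split | ForEach-Object { $_[$_.Count - $i] })
        if (@($candidates | Sort-Object -Unique).Count -ne 1) { break }
        $common = @($candidates[0]) + $common
    }
    $common -join ','
}

# Constructed users, placed in the OUs used in the example above.
$canadaBase   = 'ou=canada, dc=fortinet, dc=com'
$trainee      = 'cn=Alice Example, ou=training, ou=canada, dc=fortinet, dc=com'
$japanVisitor = 'cn=Bob Example, ou=japan, dc=fortinet, dc=com'

Test-DnUnderBase -Dn $trainee -BaseDn $canadaBase
Test-DnUnderBase -Dn $japanVisitor -BaseDn $canadaBase
Get-CommonBaseDn -Dns $trainee, $japanVisitor
```

Running it reproduces the situation in the text: the Canada trainee is inside the ou=canada BaseDN, the visitor from ou=japan is not, and the narrowest BaseDN that covers both is dc=fortinet,dc=com. Feed Get-CommonBaseDn the DNs of every population that must authenticate through the FortiGate before narrowing the BaseDN below the domain root.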
Configuring the ignore user list
The ignore user list excludes users that do not authenticate to any FortiGate unit, such as system accounts. The logons of these users are not reported to FortiGate units. This reduces the amount of required resources on the FortiGate unit especially when logging logon events to memory.
To configure the ignore user list:
- From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
- In the Common Tasks section, select Set ignore user list. The current list of ignored users is displayed:
- Do any of the following:
- To remove a user from the list, select the username and then select Remove. The user’s logon is no longer ignored.
- To add users to be ignored, do one of the following:
  - Enter the username in the format domain\username and select Add.
  - Select Add Users; an Add Ignore Users window is displayed. Checkmark the users you do not want to monitor, then select Add.
  - Select Add by OU; an Add Ignore Users by OU window is displayed. Select an OU from the directory tree, then select Add. All users under the selected OU are added to the ignore user list.
- Select OK.
Configuring FortiGate group filters
FortiGate group filters actively control which user logon information is sent to each FortiGate unit. You need to configure the group filter list so that each FortiGate unit receives the correct user logon information for the user groups that are named in its security policies. These group filters help limit the traffic sent to the FortiGate unit, and help limit the logon events logged.
The maximum number of Windows AD user groups allowed on a FortiGate unit depends on the model. Low-end models support 256 Windows AD user groups, while mid-range and high-end models support 1024 groups. This limit is per VDOM if VDOMs are enabled on the FortiGate unit.
You do not need to configure a group filter on the Collector agent if the FortiGate unit retrieves group information from Windows AD using LDAP. In that case, the Collector agent uses the list of groups you selected on the FortiGate unit as its group filter.
The filter list is initially empty. You need to configure filters for your FortiGate units using the Add function. At a minimum, create a default filter that applies to all FortiGate units without a defined filter.
If no filter is defined for a FortiGate unit and there is no default filter, the Collector agent sends all Windows AD group and user logon events to the FortiGate unit. While this normally is not a problem, limiting the amount of data sent to the FortiGate unit improves performance by reducing the amount of memory the unit uses to store the group list and resulting logs.
To configure a FortiGate group filter:
- From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
- In the Common Tasks section, select Set Group Filters.
The FortiGate Filter List opens. It has the following columns:
FortiGate SN | The serial number of the FortiGate unit to which this filter applies. |
Description | An optional description of the role of this FortiGate unit. |
Monitored Groups | The Windows AD user groups that are relevant to the security policies on this FortiGate unit. |
Add | Create a new filter. |
Edit | Modify the filter selected in the list. |
Remove | Remove the filter selected in the list. |
OK | Save the filter list and exit. |
Cancel | Cancel changes and exit. |
- Select Add to create a new filter. If you want to modify an existing filter, select it in the list and then select Edit.
- Enter the following information and then select OK.
Default filter | Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list. |
FortiGate Serial Number | Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default is selected. |
Description | Enter a description of this FortiGate unit’s role in your network. For example, you could list the resources accessed through this unit. This field is not available if Default is selected. |
Monitor the following groups | The Collector agent sends to the FortiGate unit the user logon information for the Windows AD user groups in this list. Edit this list using the Add, Advanced and Remove buttons. |
Add | In the preceding single-line field, enter the Windows AD domain name and user group name, and then select Add. If you don’t know the exact name, use the Advanced button instead. The format of the entry depends on the AD access mode (see Configuring directory access settings on page 166): Standard: Domain\Group; Advanced: cn=group, ou=corp, dc=domain |
Advanced | Select Advanced, select the user groups from the list, and then select Add. |
Remove | Remove the user groups selected in the monitor list. |
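When the Collector agent runs in Advanced AD access mode, each filter entry must be the group's exact distinguished name. The PowerShell below is an added example, not part of the Fortinet guide: it takes entries written in the Standard Domain\Group form, resolves each to its DN with the ActiveDirectory module, and warns when the list exceeds the per-model group limit quoted above. It assumes the ActiveDirectory module (RSAT) is installed on the host where it runs and that the domain part of each entry is resolvable by Get-ADGroup -Server; the EXAMPLE domain and group names are constructed placeholders.

```powershell
# Added example (not from the Fortinet guide). Converts group filter entries written in the
# Standard format (Domain\Group) into the LDAP distinguished names that Advanced access mode
# expects, and warns when the number of groups exceeds the per-model limit quoted above.
# Assumptions: the ActiveDirectory PowerShell module (RSAT) is installed on the host running
# this, the domain part of each entry is resolvable by Get-ADGroup -Server, and the sample
# group names are constructed placeholders.

Import-Module ActiveDirectory

function Resolve-FssoGroupFilter {
    param(
        [Parameter(Mandatory)][string[]]$StandardEntries,   # e.g. 'EXAMPLE\FortiGate-Users'
        [int]$GroupLimit = 256                              # 256 for low-end models, 1024 for mid/high-end
    )
    if ($StandardEntries.Count -gt $GroupLimit) {
        Write-Warning ("{0} groups exceed the {1}-group limit for this FortiGate model (the limit is per VDOM)." -f $StandardEntries.Count, $GroupLimit)
    }
    foreach ($entry in $StandardEntries) {
        $domain, $group = $entry -split '\\', 2
        if (-not $group) {
            Write-Warning "Skipping '$entry': expected the Standard format Domain\Group"
            continue
        }
        try {
            # -Identity matches the sAMAccountName exactly, so a similarly named group is not picked up.
            $adGroup = Get-ADGroup -Identity $group -Server $domain -ErrorAction Stop
        } catch {
            Write-Warning "Group '$entry' not found in domain '$domain' ($($_.Exception.Message)); check the name or use the Advanced button instead."
            continue
        }
        [pscustomobject]@{
            Standard = $entry
            Advanced = $adGroup.DistinguishedName   # the form to enter when AD access mode is Advanced
        }
    }
}

# Constructed input; replace with the groups named in the FortiGate unit's security policies.
Resolve-FssoGroupFilter -StandardEntries 'EXAMPLE\FortiGate-Users', 'EXAMPLE\FortiGate-Admins' -GroupLimit 256 |
    Format-Table -AutoSize
```

Resolving by -Identity rather than by building an LDAP filter string from user input avoids both filter-injection mistakes and accidental matches on similarly named groups; a group that does not resolve is reported rather than silently dropped, which is the failure the Advanced button exists to prevent.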
Configuring FSSO ports
For FSSO to function properly, a small number of TCP and UDP ports must be open through all firewalls on the network. The ports listed in this section assume the default FSSO ports are used.
TCP ports for FSSO agent with client computers
Windows AD records when users log on but not when they log off. For best performance, Fortinet Single Sign On Agent monitors when users log off. To do this, Fortinet Single Sign On Agent needs read-only access to each client computer’s registry over TCP port 139 or 445. Open at least one of these ports and ensure it is not blocked by firewalls.
If it is not feasible or acceptable to open TCP port 139 or 445, you can turn off Fortinet Single Sign On Agent logoff detection. To do this, set the Collector agent workstation verify interval to 0. The FSSO Collector Agent then assumes that a logged-on computer remains logged on for the duration of the Collector agent dead entry timeout interval, by default eight hours. During that window the IP address stays associated with the user on the FortiGate unit even after the user has left, so choose the timeout with that in mind.
Configuring ports on the collector agent computer
On the computer where you install the Collector agent, you must make sure that the firewall does not block the listening ports for the FortiGate unit and the DC Agent. By default, these are TCP port 8000 and UDP port 8002. For more information about setting these ports, see Configuring FSSO advanced settings on page 177.
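The following PowerShell is an added example, not part of the Fortinet guide, for the collector host. It creates inbound Windows Firewall rules for the two default listening ports but scopes each one to the peers that legitimately use it (FortiGate units on TCP 8000, domain controllers running the DC agent on UDP 8002) rather than opening the ports to the whole network, confirms that something is listening on them, and checks whether workstations can be reached on TCP 139 or 445 for logoff detection. It must run in an elevated session; all IP addresses and host names are constructed placeholders.

```powershell
# Added example (not from the Fortinet guide). Run in an elevated PowerShell session on the
# collector host. It creates inbound Windows Firewall rules for the two default FSSO listening
# ports, scoped to the hosts that legitimately connect (FortiGate units on TCP 8000, domain
# controllers running the DC agent on UDP 8002), confirms the collector is listening, and
# checks whether workstations can be reached on TCP 139 or 445 for logoff detection.
# All IP addresses and host names below are constructed placeholders.

$fortiGates        = '192.0.2.10', '192.0.2.11'       # FortiGate units (constructed)
$domainControllers = '198.51.100.5', '198.51.100.6'   # DCs with the DC agent (constructed)
$workstations      = 'ws01.example.local', 'ws02.example.local'   # constructed

function Set-FssoFirewallRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    # Remove any rule with the same name first so re-running the script is safe.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $Protocol -LocalPort $Port -RemoteAddress $RemoteAddress | Out-Null
}

# Only the listed peers may reach each port; everything else stays blocked.
Set-FssoFirewallRule -Name 'FSSO Collector - FortiGate (TCP 8000)' -Protocol TCP -Port 8000 -RemoteAddress $fortiGates
Set-FssoFirewallRule -Name 'FSSO Collector - DC Agent (UDP 8002)'  -Protocol UDP -Port 8002 -RemoteAddress $domainControllers

function Test-FssoListening {
    param([int]$TcpPort = 8000, [int]$UdpPort = 8002)
    $tcp = Get-NetTCPConnection -LocalPort $TcpPort -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint  -LocalPort $UdpPort -ErrorAction SilentlyContinue
    # The process owning the TCP listener should be the Collector agent service.
    $owner = if ($tcp) { (Get-Process -Id ($tcp | Select-Object -First 1).OwningProcess).ProcessName } else { $null }
    [pscustomobject]@{
        TcpListening  = [bool]$tcp
        UdpBound      = [bool]$udp
        OwningProcess = $owner
    }
}

function Test-WorkstationVerifyPorts {
    param([Parameter(Mandatory)][string[]]$Computers)
    foreach ($c in $Computers) {
        $p445 = (Test-NetConnection -ComputerName $c -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        $p139 = (Test-NetConnection -ComputerName $c -Port 139 -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            Computer        = $c
            Port445         = $p445
            Port139         = $p139
            # If neither port is reachable, set the workstation verify interval to 0.
            LogoffDetection = ($p445 -or $p139)
        }
    }
}

Test-FssoListening
Test-WorkstationVerifyPorts -Computers $workstations | Format-Table -AutoSize
```

If you changed the listening ports in the Collector agent configuration, pass the new values to Test-FssoListening and adjust the rules to match. Scoping the rules by remote address matters because the FortiGate port accepts a password that is weak by default (see the Authentication settings above); limiting who can reach the port is the second line of defence.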
Configuring alternate user IP address tracking
In environments where user IP addresses change frequently, you can configure Fortinet Single Sign On Agent to use an alternate method to track user IP address changes. Using this method, Fortinet Single Sign On Agent responds more quickly to user IP address changes because it directly queries workstation IP addresses to match users and IP addresses.
This feature requires FSAE version 3.5.27 or later, Fortinet Single Sign On Agent any version, and FortiOS 3.0 MR7 or later.
To configure alternate user IP address tracking:
- On the computer where the Collector agent is installed, go to Start > Run.
- Enter regedit or regedt32 and select OK. The Registry Editor opens.
- Find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent.
- Set the supportFSAEauth value (dword) to 00000001. If needed, create this new dword.
- Close the Registry Editor.
- From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
- Select Apply.
The Fortinet Single Sign On Agent service restarts with the updated registry settings.
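The same registry change can be made from an elevated PowerShell session instead of the Registry Editor. The following is an added example, not part of the Fortinet guide: it exports the existing key as a backup first, creates or updates the supportFSAEauth DWORD, and reads it back to confirm the value. The key path is the one given in the procedure above; the backup file location is an assumption.

```powershell
# Added example (not from the Fortinet guide). Run in an elevated PowerShell session on the
# collector host. Backs up the Collector agent registry key, sets supportFSAEauth to 1, and
# reads the value back. Afterwards, open the Collector agent configuration tool and select
# Apply so the service restarts with the new setting, as the procedure above describes.
# Assumption: the backup goes to the user's TEMP directory; the key path is from the text.

$keyPath = 'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
$backup  = Join-Path $env:TEMP ('fsae-collectoragent-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Back up the existing key so the change can be reversed with: reg import <file>
reg export 'HKLM\SOFTWARE\Fortinet\FSAE\collectoragent' $backup /y | Out-Null

function Set-FssoAlternateIpTracking {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Disable   # revert to the default tracking method
    )
    if (-not (Test-Path $Path)) {
        throw "Collector agent key not found at $Path; is the Collector agent installed?"
    }
    $value = if ($Disable) { 0 } else { 1 }
    # -Force creates the DWORD if it is missing and overwrites it if it is present.
    New-ItemProperty -Path $Path -Name 'supportFSAEauth' -PropertyType DWord -Value $value -Force | Out-Null
    # Return what the registry now holds so the caller can verify it.
    (Get-ItemProperty -Path $Path -Name 'supportFSAEauth').supportFSAEauth
}

$current = Set-FssoAlternateIpTracking -Path $keyPath
if ($current -ne 1) { throw "supportFSAEauth is $current, expected 1" }
"supportFSAEauth = $current; backup written to $backup. Now select Apply in the Collector agent configuration tool."
```

Use the -Disable switch to set the value back to 0 if the alternate tracking method causes problems, or import the exported .reg file to restore the key exactly as it was.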
Viewing FSSO component status
It is important to know the status of both your Collector agents and DC agents.
Viewing collector agent status
Use Show Service Status to view your Collector agent information in the Status window. The Status window displays:
- the version of the software
- the status of the service
- the number of connected FortiGate units
- connected FortiGate information such as serial number, IP address, and connect time
To view Collector agent status:
- From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
- In the Common Tasks section, select Show Service Status.
The Fortinet Single Sign On Collector agent Status window opens.
- Optionally select Get NTLM statistics in the Status window to display NTLM information such as number of messages received, processed, failed, in the queue.
Viewing DC agent status
Use Show Monitored DCs to view the status of DC agents.
To view domain controller agent status:
- From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
- In the Common Tasks section, select Show Monitored DCs. For each DC Agent, the following information is displayed:
  - IP address
  - number of logon events received
  - the last logon event
  - when the last logon was received
To change which DC agents are monitored or change the working mode for logon event monitoring, select Select DC to Monitor.
Configuring the FSSO TS agent for Citrix
The FSSO TS agent works with the same FSSO Collector agent that is used for integration with Windows Active Directory. Install the Collector agent first. Follow the Collector agent installation procedure in Collector agent installation on page 157.
Configuration steps include:
- Install the Fortinet Citrix FSSO agent on the Citrix server.
- Install the Fortinet FSSO collector on a server on the network.
- Add the Citrix FSSO agent to the FortiGate single sign-on configuration.
- Add Citrix FSSO groups and users to an FSSO user group.
- Add an FSSO identity-based security policy that includes the Citrix FSSO user groups.
To change the TS agent configuration, select from the Start menu Programs > Fortinet > Fortinet Single Sign-On Agent > TSAgent Config. In addition to the host and Collector agent IP addresses that you set during installation, you can adjust port allocations for Citrix users. When a Citrix user logs on, the TS agent assigns that user a range of ports. By default each user has a range of 200 ports.
Fortinet SSO Collector Agent IP and Port must point to the Collector agent’s currently configured DC Agent listening port, which is UDP port 8002 by default, though it may have been changed to a custom port.
Configuring FSSO with Novell networks
You need to configure the eDirectory agent for it to communicate with eDirectory servers. You may have provided some of this information during installation.
This section includes:
- Configuring the eDirectory agent
- Adding an eDirectory server
- Configuring a group filter
Configuring the eDirectory agent
You need to configure the eDirectory agent for it to communicate with eDirectory servers.
To configure the eDirectory agent:
- From the Start menu select Programs > Fortinet > eDirectory Agent > eDirectory Config Utility.
- The eDirectory Agent Configuration Utility dialog opens. Enter the following information and select OK.
eDirectory Authentication | |
Username | Enter a username that has access to the eDirectory, using LDAP format. |
Password | Enter the password. |
Listening port | Enter the TCP port on which the eDirectory agent listens for connections from FortiGate units. The default is 8000. You can change the port if necessary. |
Refresh interval | Enter the interval in seconds between polls of the eDirectory server to check for new logons. The default is 30 seconds. |
FortiGate Connection Authentication | |
Require authenticated connection from FortiGate | Select to require the FortiGate unit to authenticate before connecting to the eDirectory Agent. |
Password | Enter the password that FortiGate units must use to authenticate. The maximum password length is 15 characters. The default password is “FortinetCanada”; change it, because the default is publicly documented. |
User logon Info Search Method | Select how the eDirectory agent accesses user logon information: LDAP or Native (Novell API). LDAP is the default. If you select Native, you must also have the Novell Client installed on the PC. |
Logging | |
Log file size limit (MB) | Enter the maximum size for the log file in MB. |
View Log | View the current log file. |
Dump Session | List the currently logged-on users in the log file. This can be useful for troubleshooting. |
Log level | Select Debug, Info, Warning or Error as the minimum severity level of message to log, or select None to disable logging. |
eDirectory Server List | |
Add | Add an eDirectory server. See Adding an eDirectory server on page 176. |
Delete | Delete the selected eDirectory server. |
Edit | Modify the settings for the selected server. |
Set Group Filters… | Select the user groups whose user logons will be reported to the FortiGate unit. This is used only if user groups are not selected on the FortiGate unit. |
Adding an eDirectory server
Once the eDirectory agent is configured, you add one or more eDirectory servers.
To add an eDirectory server:
- In the eDirectory Agent Configuration Utility dialog box (see the preceding procedure, Configuring the eDirectory agent), select Add.
- The eDirectory Setup dialog box opens. Enter the following information and select OK:
eDirectory Server Address | Enter the IP address of the eDirectory server. |
Port | If the eDirectory server does not use the default port 389, clear the Default check box and enter the port number. |
Use default credential | Select to use the credentials specified in the eDirectory Configuration Utility. See Configuring the eDirectory agent on page 174. Otherwise, leave the check box clear and enter a username and Password below. |
User name | Enter a username that has access to the eDirectory, using LDAP format. |
User password | Enter the password. |
Use secure connection (SSL) | Select to connect to the eDirectory server using SSL. Without it, the bind credentials and the user and group data returned by the server cross the network in cleartext. |
Search Base DN | Enter the base Distinguished Name for the user search. |
Configuring a group filter
The eDirectory agent sends user logon information to the FortiGate unit for all user groups unless you either configure an LDAP server entry for the eDirectory on the FortiGate unit and select the groups that you want to monitor or configure the group filter on the eDirectory agent.
If both the FortiGate LDAP configuration and the eDirectory agent group filter are present, the FortiGate user group selections are used.
To configure the group filter:
- From the Start menu select Programs > Fortinet > eDirectory Agent > eDirectory Config Utility.
- Select Set Group Filters.
- Do one of the following:
  - Enter group names, then select Add.
  - Select Advanced, select groups, and then select Add.
- Select OK.
Hi,
Thank you for your post, very useful!
Is it possible to put multiple AD server addresses in Directory access settings for redundancy purposes?
Thank You!