
FSSO for Citrix

Citrix users can enjoy a similar Single Sign-On experience as Windows AD users. The FSSO TS agent installed on each Citrix server provides user logon information to the FSSO Collector agent on the network. The FortiGate unit uses this information to authenticate the user in security policies.

 

 

Figure: Citrix servers with a single IP or IP pool (no static client relation)

1. The user starts a native client application on the Citrix server (for example an SAP client, RDP, or SSH).

2. The FortiGate authenticates the user seamlessly against the Active Directory user group.

3. The FortiGate allows the client connection if the user group is allowed by the related identity-based security policy.

 

 

Citrix users do not have unique IP addresses. When a Citrix user logs on, the TS agent assigns that user a range of ports. By default each user has a range of 200 ports.

FSSO for Windows AD

FSSO for Windows AD requires at least one Collector agent. Domain Controller agents may also be required depending on the Collector agent working mode. There are two working modes to monitor user logon activity: DC Agent mode or Polling mode.

 

Collector agent DC Agent mode versus Polling mode

Installation
  DC Agent mode: Complex. Multiple installations (one agent per DC plus the Collector agent); requires a reboot.
  Polling mode: Easy. Only the Collector agent is installed; no reboot required.

Resources
  DC Agent mode: Shares resources with the DC system.
  Polling mode: Has its own resources.

Network load
  DC Agent mode: Each DC agent requires a minimum of 64 kbps of bandwidth, adding to network load.
  Polling mode: Increase the polling period during busy periods to reduce network load.

Level of confidence
  DC Agent mode: Captures all logons.
  Polling mode: Potential to miss a logon if the polling period is too great.

 

DC Agent mode

DC Agent mode is the standard mode for FSSO. In DC Agent mode, a Fortinet authentication agent is installed on each domain controller. These DC agents monitor user logon events and pass the information to the Collector agent, which stores the information and sends it to the FortiGate unit.

The DC agent installed on the domain controllers is not a service like the Collector agent — it is a DLL file called dcagent.dll and is installed in the Windows\system32 directory. It must be installed on all domain controllers of the domains that are being monitored.

 

FSSO in DC agent mode

DC Agent mode provides reliable user logon information, however you must install a DC agent on every domain controller. A reboot is needed after the agent is installed. Each installation requires some maintenance as well. For these reasons it may not be possible to use the DC Agent mode.

Each domain controller connection needs a guaranteed minimum of 64 kbps of bandwidth to ensure proper FSSO functionality. You can optionally configure traffic shapers on the FortiGate unit to ensure this minimum bandwidth is guaranteed for the domain controller connections.

Polling mode

In Polling mode there are three options — NetAPI polling, Event log polling, and Event log using WMI. All share the advantages of being transparent and agentless.

NetAPI polling is used to retrieve server logon sessions. This includes the logon event information for the Collector agent. NetAPI runs faster than Event log polling, but it may miss some user logon events under heavy system load. It requires a query round trip time of less than 10 seconds.

Event log polling may run a bit slower, but it will not miss events, even when the installation site has many users that require authentication. It does not have the 10-second limit that applies to NetAPI polling. Event log polling requires fast network links. Event log polling is required if there are Mac OS users logging into Windows AD.

Event log using WMI polling: WMI is a Windows API for obtaining system information from a Windows server. The Collector agent (CA) acts as a WMI client and sends WMI queries for user logon events to the DC, which in this case is a WMI server. The main advantage of this mode is that the CA does not need to search the security event logs on the DC for user logon events; instead, the DC returns all requested logon events via WMI. This also reduces network load between the CA and the DC.

In Polling mode, the Collector agent polls port 445 of each domain controller for user logon information every few seconds and forwards it to the FortiGate unit. There are no DC Agents installed, so the Collector agent polls the domain controllers directly.

 

FSSO in Polling mode

A major benefit of Polling mode is that no FSSO DC Agents are required. If it is not possible to install FSSO DC Agents on your domain controllers, this is the alternate configuration available to you. Polling mode results in a less complex install, and reduces ongoing maintenance. The minimum permissions required in Polling mode are to read the event log or call NetAPI.

 

Collector agent AD Access mode – Standard versus Advanced

The Collector agent has two ways to access Active Directory user information. The main difference between Standard and Advanced mode is the naming convention used when referring to username information.

Standard mode uses regular Windows convention: Domain\Username. Advanced mode uses LDAP convention: CN=User, OU=Name, DC=Domain.

If there is no special requirement to use LDAP, best practice is to set up FSSO in Standard mode. This mode is easier to set up, and is usually easier to maintain and troubleshoot.

Standard and Advanced modes have the same level of functionality, with the following exceptions:

  • In Standard mode, group filters must be created on the Collector agent. In Advanced mode, group filters are configured from the FortiGate unit. Fortinet strongly encourages users to create filters on the CA.
  • Advanced mode supports nested or inherited groups, so a user may be a member of multiple monitored groups. Standard mode does not support nested groups, so a user must be a direct member of the group being monitored.

Agent-based FSSO

FortiOS can provide single sign-on capabilities to Windows AD, Citrix, or Novell eDirectory users with the help of agent software installed on these networks. The agent software sends information about user logons to the FortiGate unit. With user information such as IP address and user group memberships from the network, FortiGate security policies can allow authenticated network access to users who belong to the appropriate user groups without requesting their credentials again.

For Windows AD networks, FortiGate units can provide SSO capability without agent software by directly polling the Windows AD domain controllers. For information about this type of SSO, see Single Sign-On to Windows AD on page 545.

The following topics are included:

  • Introduction to agent-based FSSO
  • FSSO NTLM authentication support
  • Agent installation
  • Configuring the FSSO Collector agent for Windows AD
  • Configuring the FSSO TS agent for Citrix
  • Configuring FSSO with Novell networks
  • Configuring FSSO Advanced Settings
  • Configuring FSSO on FortiGate units
  • FortiOS FSSO log messages
  • Testing FSSO
  • Troubleshooting FSSO

 

Introduction to agent-based FSSO

 

Fortinet Single Sign-On (FSSO), through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. When a user logs on at a workstation in a monitored domain, FSSO

  • detects the logon event and records the workstation name, domain, and user,
  • resolves the workstation name to an IP address,
  • determines which user groups the user belongs to,
  • sends the user logon information, including IP address and groups list, to the FortiGate unit
  • creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

FSSO can also provide NTLM authentication service for requests coming from FortiGate. SSO is very convenient for users, but may not be supported across all platforms. NTLM is not as convenient, but it enjoys wider support. See FSSO NTLM authentication support on page 559.

Introduction to FSSO agents

There are several different FSSO agents that can be used in an FSSO implementation:

  • Domain Controller (DC) agent
  • eDirectory agent
  • Citrix/Terminal Server (TS) agent
  • Collector (CA) agent

Consult the latest FortiOS and FSSO Release Notes for operating system compatibility information.

 

Domain Controller (DC) agent

The Domain Controller (DC) agent must be installed on every domain controller if you will use DC Agent mode, but is not required if you use Polling mode. See FSSO for Windows AD on page 555.

 

eDirectory agent

The eDirectory agent is installed on a Novell network to monitor user logons and send the required information to the FortiGate unit. It functions much like the Collector agent on a Windows AD domain controller. The agent can obtain information from the Novell eDirectory using either the Novell API or LDAP.

 

Citrix/Terminal Server (TS) agent

The Citrix/Terminal Server (TS) agent is installed on a Citrix terminal server to monitor user logons in real time. It functions much like the DC Agent on a Windows AD domain controller.

 

Collector (CA) agent

This agent is installed as a service on a server in the Windows AD network to monitor user logons and send the required information to the FortiGate unit. The Collector agent can collect information from

  • Domain Controller agent (Windows AD)
  • TS agent (Citrix Terminal Server)

In a Windows AD network, the Collector agent can optionally obtain logon information by polling the AD domain controllers. In this case, DC agents are not needed.

The Collector can obtain user group information from the DC agent or optionally, a FortiGate unit can obtain group information directly from AD using Lightweight Directory Access Protocol (LDAP).

On a Windows AD network, the FSSO software can also serve NT LAN Manager (NTLM) requests coming from client browsers (forwarded by the FortiGate unit) with only one or more Collector agents installed. See FSSO NTLM authentication support on page 559.

The CA is responsible for DNS lookups, group verification, workstation checks, and, as mentioned, updating the FortiGate with logon records. The FSSO Collector Agent sends Domain Local Security Group and Global Security Group information to FortiGate units. The CA communicates with the FortiGate over TCP port 8000 and listens on UDP port 8002 for updates from the DC agents.

The FortiGate unit can have up to five CAs configured for redundancy. If the first on the list is unreachable, the next is attempted, and so on down the list until one is contacted. See Configuring FSSO on FortiGate units on page 586.

All DC agents must point to the correct Collector agent port number and IP address on domains with multiple DCs.

A FortiAuthenticator unit can act much like a Collector agent, collecting Windows AD user logon information and sending it to the FortiGate unit. It is particularly useful in large installations with several FortiGate units. For more information, see the FortiAuthenticator Administration Guide.

 

FSSO NTLM authentication support

In a Windows AD network, FSSO can also provide NTLM authentication service to the FortiGate unit. When the user makes a request that requires authentication, the FortiGate unit initiates NTLM negotiation with the client browser. The FortiGate unit does not process the NTLM packets itself. Instead, it forwards all the NTLM packets to the FSSO service to process.

NTLM has the benefit of not requiring an FSSO agent, but it is not transparent to users, and the user’s web browser must support NTLM.

The NTLM protocol protects the user’s password by not sending it over the network. Instead, the server sends the client a random number that the client must encrypt with the hash value of the user’s password. The server compares the result of the client’s encryption with the result of its own encryption. The two will match only if both parties used the same password.

 

NTLM authentication

If the NTLM authentication with the Windows AD network is successful, and the user belongs to one of the groups permitted in the applicable security policy, the FortiGate unit allows the connection but will require authentication again in the future when the current authentication expires.

Fortinet has tested NTLM authentication with Internet Explorer and Firefox browsers.

 

NTLM in a multiple domain environment

In a multiple-domain environment for NTLM, the important factor is that there is a trust relationship between the domains. In a forest, this relationship is created automatically, so you can install the FSSO agent on one of the domain controllers without concern.

If the domains are not in a forest, you need to create a trust relationship between them. If you do not want a trust relationship between your domains, you need to use FSAE 4.0 MR1, and the DC agent must be installed once in each domain. You can then use security policies to configure server access.

In the figure below, three domains are shown connected to the FSSO Collector agent server. The Client logs on to their local Domain Controller, which then sends the user logon event information to the Collector Agent. When the Client attempts to access the Internet, the FortiGate unit contacts the Collector Agent for the logon information, sees the Client is authenticated, and allows access to the Internet. There are multiple domains each with a domain controller agent (DCagent) that sends logon information to the Collector agent. If the multiple domains have a trust relationship, only one DCagent is required instead of one per domain.

 

FSSO NTLM with multiple domains not in a forest

 

Understanding the NTLM authentication process

1. The user attempts to connect to an external (internet) HTTP resource. The client application (browser) on the user’s computer issues an unauthenticated request through the FortiGate unit.

2. The FortiGate is aware that this client has not authenticated previously, so it responds with a 401 Unauthenticated status code and tells the client which authentication method to reply with in the header: Proxy-Authenticated: NTLM. Then the initial session is dismantled.

3. The client application connects again to the FortiGate and issues a GET request with a Proxy-Authorization: NTLM <negotiate string> header. <negotiate string> is a base64-encoded NTLM Type 1 negotiation packet.

4. The FortiGate unit replies with a 401 “proxy auth required” status code and a Proxy-Authenticate: NTLM <challenge string> header (a base64-encoded NTLM Type 2 challenge packet). This packet contains the challenge nonce, a random number chosen for this negotiation that is used once and prevents replay attacks.

The TCP connection must be kept alive, as all subsequent authentication-related information is tied to the TCP connection. If it is dropped, the authentication process must start again from the beginning.

5. The client sends a new GET request with a header Proxy-Authenticate: NTLM <authenticate string>, where <authenticate string> is an NTLM Type 3 Authentication packet that contains:

  • the username and domain
  • the challenge nonce encrypted with the client password (the response may contain the challenge nonce twice, computed with different algorithms).

6. If the negotiation is successful and the user belongs to one of the groups permitted in the security policy, the connection is allowed. Otherwise, the FortiGate unit denies the authentication by issuing a 401 return code and prompts for a username and password. Unless the TCP connection is broken, no further credentials are sent from the client to the proxy.

If the authentication policy reaches the authentication timeout period, a new NTLM handshake occurs.

Agent installation

After reading the appropriate sections of Introduction to agent-based FSSO on page 553 to determine which FSSO agents you need, you can proceed to perform the necessary installations.

Ensure you have administrative rights on the servers where you are installing FSSO agents. It is best practice to install FSSO agents using the built-in local administrator account. Optionally, you can install FSSO without an admin account. See Installing FSSO without using an administrator account on page 563.

In Windows 2008 by default, you do not have administrative user rights if you are logged on as a user other than as the built-in administrator, even if you were added to the local Administrators group on the computer.

The FSSO installer first installs the Collector agent. You can then continue with installation of the DC agent, or you can install it later by going to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent. The installer will install a DC agent on the domain controllers of all of the trusted domains in your network.

Each domain controller connection needs a guaranteed minimum of 64 kbps of bandwidth to ensure proper FSSO functionality. Traffic shapers configured on the FortiGate can help guarantee these minimum bandwidths.

 

Collector agent installation

To install FSSO, you must obtain the FSSO_Setup file from the Fortinet Support web site. This is available as either an executable (.exe) or a Microsoft Installer (.msi) file. Then you follow these two installation procedures on the server that will run the Collector agent. This can be any server or domain controller that is part of your network. These procedures also install the DC Agent on all of the domain controllers in your network.

 

To install the Collector agent:

1. Create an account with administrator privileges and a password that does not expire. See Microsoft Advanced Server documentation for help with this task.

To use a non-admin read only account, see Installing FSSO without using an administrator account on page 563.

2. Log on to the account that you created in Step 1.

3. Double-click the .exe file.

The Fortinet SSO Collector Agent Setup Wizard starts.

4. Select Next.

5. Read and accept the license agreement. Select Next.

6. Optionally, you can change the installation location. Select Next.

7. Optionally, change the User Name.

8. By default, the agent is installed using the currently running account. If you want FSSO to use another existing admin account, change the User Name using the format DomainName\UserName. For example, if the account is jsmith and the domain is example_corp, you would enter example_corp\jsmith.

9. In the Password field, enter the password for the account listed in the User Name field.

10. Select Next.

11. Enable as needed:

  • Monitor user logon events and send the information to the FortiGate unit
  • Serve NTLM authentication requests coming from FortiGate

By default, both methods are enabled. You can change these options after installation.

12. Select the access method to use for Windows Directory:

13. Select Standard to use Windows domain and username credentials.

14. Select Advanced if you will set up LDAP access to Windows Directory.

See Collector agent AD Access mode – Standard versus Advanced on page 557.

15. Select Next and then select Install.

If you want to use DC Agent mode, ensure that Launch DC Agent Install Wizard is selected. This will start DC agent installation immediately after you select Finish.

16. Select Finish.

If you see an error such as Service Fortinet Single Sign On agent (service_FSAE) failed to start, there are two possible reasons for this. Verify the user account you selected has sufficient privileges to run the FSSO service. Also verify the computer system you are attempting to install on is a supported operating system and version.

 

DC agent installation

The FSSO_Setup file contains both the Collector agent and DC Agent installers, but the DC Agent installer is also available separately as either a .exe or .msi file named DCAgent_Setup.

 

To install the DC Agent

1. If you have just installed the Collector agent, the FSSO – Install DC Agent wizard starts automatically. Otherwise, go to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent.

2. Select Next.

3. Read and accept the license agreement. Select Next.

4. Optionally, you can change the installation location. Select Next.

5. Enter the Collector agent IP address.

6. If the Collector agent computer has multiple network interfaces, ensure that the one that is listed is on your network. The listed Collector agent listening port is the default. Only change this if the port is already used by another service.

7. Select Next.

8. Select the domains to monitor and select Next.

9. If any of your required domains are not listed, cancel the wizard and set up the proper trusted relationship with the domain controller. Then run the wizard again by going to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent.

10. Optionally, select users that you do not want monitored. These users will not be able to authenticate to FortiGate units using FSSO. You can also do this later. See Configuring the FSSO Collector agent for Windows AD on page 567.

11. Select Next.

12. Optionally, clear the check boxes of domain controllers on which you do not want to install the DC Agent.

13. Select the Working Mode as DC Agent Mode. While you can select Polling Mode here, in that situation you would not be installing a DC Agent. For more information, see DC Agent mode on page 555 and Polling mode on page 556.

14. Select Next.

15. Select Yes when the wizard requests that you reboot the computer.

 

If you reinstall the FSSO software on this computer, your FSSO configuration is replaced with default settings.

If you want to create a redundant configuration, repeat the Collector agent installation procedure on at least one other Windows AD server.

When you start to install a second Collector agent, cancel the Install DC Agent wizard when it appears the second time. In the configuration GUI, the monitored domain controller list will show your domain controllers unselected. Select the ones you wish to monitor with this Collector agent, and select Apply.

Before you can use FSSO, you need to configure it on both Windows AD and on the FortiGate units. Configuring FSSO on FortiGate units on page 586 will help you accomplish these two tasks.

 

Installing FSSO without using an administrator account

Normally when installing services in Windows, it is best to use the Domain Admin account, as stated earlier. This ensures installation goes smoothly and uninterrupted, and when using the FSSO agent there will be no permissions issues. However, it is possible to install FSSO with a non-admin account in Windows 2003 or 2008 AD.

The following instructions for Windows 2003 are specific to the event log polling mode only. Do not use this procedure with other FSSO configurations.

 

Windows 2003

There are two methods in Windows 2003 AD for installing FSSO without an admin account — add the non-admin user to the security log list, and use a non-admin account with read-only permissions. A problem with the first method is that full rights (read, write, and clear) are provided to the event log. This can be a problem when audits require limited or no write access to logs. In those situations, the non-admin account with read-only permissions is the solution.

 

To add the non-admin user account to the Windows 2003 security log list:

1. Go to Default Domain Controller Security Settings > Security Settings > User Rights Assignment > Manage auditing and security log.

2. Add the user account to this list.

3. Repeat these steps on every domain controller in Windows 2003 AD.

A reboot is required.

To use a non-admin account with read-only permissions to install FSSO on Windows 2003:

The following procedure gives the specified user account read-only access to the Windows 2003 AD Domain Controller Security Event Log, which is enough for FSSO to function.

1. Find out the SID of the account you intend to use.

Tools for this can be downloaded for free from http://technet.microsoft.com/en-us/sysinternals/bb897417.

2. Then create the permission string. For example:

(A;;0x1;;;S-1-5-21-4136056096-764329382-1249792191-1107)

where A means Allow, 0x1 means Read, and S-1-5-21-4136056096-764329382-1249792191-1107 is the SID.

3. Then, append it to the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD

4. Repeat these steps on every domain controller in Windows 2003 AD.

A reboot is required.
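The two steps above (resolve the SID, append the ACE to CustomSD) as a script, added here as an example and not part of Fortinet's FSSO software. The account name EXAMPLE\svc_fsso is a placeholder, and the SID is resolved with the .NET account translator instead of the Sysinternals tool linked above.

```powershell
# Added example, not Fortinet's code: give a non-admin FSSO service account read-only
# access to the Security event log on a Windows 2003 domain controller by appending an
# (A;;0x1;;;<SID>) ACE to the CustomSD value, as in the procedure above.
# Assumptions: 'EXAMPLE\svc_fsso' is a placeholder account; the script runs in an
# elevated PowerShell session on each DC; the existing descriptor ends with its DACL
# (no trailing S: section), as the default Security log descriptor does.
param(
    [string]$Account = 'EXAMPLE\svc_fsso'    # placeholder: the FSSO service account
)

$regPath = 'HKLM:\System\CurrentControlSet\Services\Eventlog\Security'

# Step 1: resolve the account to its SID. PsGetSid (linked above) gives the same
# answer; the .NET translator is used here so the script needs no extra tools.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 2: build the ACE exactly like the example string: A = Allow, 0x1 = Read.
$ace = "(A;;0x1;;;$sid)"

# Step 3: read the current descriptor. Stop rather than invent one if it is missing.
$props = Get-ItemProperty -Path $regPath -ErrorAction Stop
if (-not $props.PSObject.Properties['CustomSD']) {
    throw "No CustomSD value found under $regPath; nothing to append to."
}
$current = $props.CustomSD

# Step 4: append the ACE only once, keeping a copy of the original for rollback.
if ($current -like "*$sid*") {
    Write-Output "CustomSD already contains $sid; no change made."
} else {
    $backup = Join-Path $env:TEMP 'CustomSD.Security.backup.txt'
    $current | Out-File -FilePath $backup -Encoding ascii
    Set-ItemProperty -Path $regPath -Name CustomSD -Value ($current + $ace)
    Write-Output "CustomSD updated (original saved to $backup). Reboot the DC to apply."
}

# Step 5: print the resulting descriptor so the new trailing ACE can be checked.
(Get-ItemProperty -Path $regPath -Name CustomSD).CustomSD
```

Run it once per domain controller; the backup file lets you restore the previous CustomSD with Set-ItemProperty if the FSSO service later fails to read the log.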

 

Windows 2008

In Windows 2008 AD, if you do not want to use the Domain Admin account then the user account that starts the FSSO agent needs to be added to the Event Log Readers group.

When the user is added to the Event Log Readers group, that user has read-only access to the event log, which is the minimum right required for FSSO to work.
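A check for the minimum-permission setup described above, added here as an example and not part of Fortinet's FSSO software: from the Collector agent host, confirm that the non-admin account can read the Security log of each DC. Host names and the account name are placeholders.

```powershell
# Added example, not Fortinet's code: verify that the FSSO service account (a member of
# Event Log Readers, not Domain Admins) can read each DC's Security log remotely, which
# is exactly what Event log polling needs. Host and account names are placeholders.
$DomainControllers = @('dc1.example.local', 'dc2.example.local')   # placeholders
$ServiceAccount    = 'EXAMPLE\svc_fsso'                            # placeholder

function Test-FssoSecurityLogRead {
    param(
        [string]$Server,
        [System.Management.Automation.PSCredential]$Credential
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Fetch a single event only: success proves read access; failure means the
        # account lacks Event Log Readers membership or the DC is unreachable.
        $null = Get-WinEvent -ComputerName $Server -LogName Security -MaxEvents 1 `
                             -Credential $Credential -ErrorAction Stop
        $result = 'OK'
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    }
    $sw.Stop()
    [pscustomobject]@{
        DomainController = $Server
        SecurityLogRead  = $result
        Seconds          = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    }
}

# Prompt once for the service account password, then test every DC.
$cred = Get-Credential -UserName $ServiceAccount -Message 'FSSO service account password'
$DomainControllers |
    ForEach-Object { Test-FssoSecurityLogRead -Server $_ -Credential $cred } |
    Format-Table -AutoSize
```

A FAILED row for a DC that is otherwise reachable usually means the group membership has not taken effect yet (the account must log on again after being added).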

 

Citrix TS agent installation

To install the Citrix TS agent, you must obtain the TSAgent_Setup file from the Fortinet Support web site. Perform the following installation procedure on the Citrix server.

 

To install the FSSO TS agent:

1. On the Citrix server, create an account with administrator privileges and a password that does not expire. See Citrix documentation for more information.

2. Log on to the account that you created in step 1.

3. Double-click the TSAgent_Setup installation file.

The Fortinet SSO Terminal Server Agent Setup Wizard starts.

4. Select Next.

5. Read and accept the license agreement. Select Next.

6. Optionally, you can change the installation location. Select Next.

7. Verify that This Host IP Address is correct.

8. In the FSSO Collector Agent List, enter the IP address(es) of your Collector Agents.

9. Select Next and then select Install.

The TS agent is installed.

10. Select Finish.

 

Novell eDirectory agent installation

To install the eDirectory agent, you must obtain the FSSO_Setup_eDirectory file from the Fortinet Support web site. Perform the following installation procedure on the computer that will run the eDirectory agent. This can be any server or domain controller that is part of your network. You will need to provide some setup information.

 

To install the FSSO eDirectory agent:

1. Create an account with administrator privileges and a password that does not expire. See Novell documentation for more information.

2. Log on to the account that you created in step 1.

3. Double-click the FSSO_Setup_edirectory file to start the installation wizard.

4. Select Next.

5. Read and accept the license agreement. Select Next.

6. Optionally, change the installation location. Select Next.

7. Enter the following settings:

eDirectory Server
  Server Address: Enter the IP address of the eDirectory server.
  Use secure connection (SSL): Select to connect to the eDirectory server using SSL security.
  Search Base DN: Enter the base Distinguished Name for the user search.

eDirectory Authentication
  Username: Enter a username that has access to the eDirectory, using LDAP format.
  User password: Enter the password.

8. Select Next.

9. Select Install. When the installation completes, select Finish.

 

Updating FSSO agents on Windows AD

After FSSO is installed on your network, you may want to upgrade to a newer version. The following procedure helps ensure you have a trouble-free upgrade. How you update FSSO depends on whether you are using Polling mode or DC Agent mode.

For polling mode, since there are no DC agents you only need to upgrade the Collector. However in DCAgent mode, each DC Agent must be updated as well.

 

To update FSSO in DC Agent mode:

1. Go to the system32 directory on all DCs and rename dcagent.dll to dcagent.dll.old.

This ensures that when the upgrade is pushed to the DC it does not overwrite the old file. If there are any problems, this makes it easy to revert to the old version.

2. Run the FSSO setup .exe file to update the Collector agent. When this is completed, ignore any reboot message.

3. Go to Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent and push the DC agent out to all servers. All DCs will now need to be rebooted so that the new DLL file is loaded.

4. After the reboot, go to all DCs and delete the dll.old files.

 

FSSO for Novell eDirectory

FSSO in a Novell eDirectory environment works similarly to FSSO Polling mode in the Windows AD environment. The eDirectory agent polls the eDirectory servers for user logon information and forwards the information to the FortiGate unit. There is no need for the Collector agent.

When a user logs on at a workstation, FSSO:

  • detects the logon event by polling the eDirectory server and records the IP address and user ID,
  • looks up in the eDirectory which groups this user belongs to,
  • sends the IP address and user groups information to the FortiGate unit.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed.

FSSO is supported on Novell eDirectory 8.8.

For a Novell network, there is only one FSSO component to install — the eDirectory agent. In some cases, you also need to install the Novell Client.

FSSO security issues

When the different components of FSSO are communicating there are some inherent security features. FSSO installation requires an account with network admin privileges. The security inherent in these types of accounts helps ensure access to FSSO configurations is not tampered with.

User passwords are never sent between FSSO components. The information that is sent is information to identify a user including the username, group or groups, and IP address.

NTLM uses base-64 encoded packets, and uses a unique randomly generated challenge nonce to avoid sending user information and password between the client and the server.