Configuring the FSSO Collector agent for Windows AD

To configure the Collector agent:

1. From the Start menu, select Programs > Fortinet > Fortinet Single Sign-On

Agent > Configure Fortinet Single Sign-On Agent.

2. Enter the following information.

 

Monitoring user logon events       By default, this is enabled to automatically authenticate users as they log on to the Windows domain. Disable the Monitor feature only if you have a large network where this feature will slow responses too much.

Support NTLM authentication       By default, this is enabled to facilitate logon of users who are con- nected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons.

Collector Agent Status                   Shows RUNNING when Collector agent is active.

Listening ports                                You can change FSSO Collector Agent related port numbers if neces- sary.

FortiGate                          TCP port for FortiGate units. Default 8000.

DC Agent                         UDP port for DC Agents. Default 8002.

Logging

Log level                          Select the minimum severity level of logged messages.

Log file size limit (MB)

Enter the maximum size for the log file in MB. Default is 10.

View Log                          View all Fortinet Single Sign On agent logs.

Log logon events in separate logs

Record user login-related information separately from other logs. The information in this log includes:

  • data received from DC agents
  • user logon/logoff information
  • workstation IP change information
  • data sent to FortiGate units

View Logon Events        If Log logon events in separate logs is enabled, you can view user login-related information.

Authentication

Require authenticated connection from FortiGate

Select to require the FortiGate unit to authenticate before connecting to the Collector agent.

Password                         Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is “fortinetcanada”. It is highly recommended to modify this password.

Timers

Workstation verify interval (minutes)

Enter the interval in minutes at which the Fortinet Single Sign On Col- lector agent connects to client computers to determine whether the user is still logged on. The default is every 5 minutes. The interval may be increased if your network has too much traffic.

 

Note: This verification process creates security log entries on the client computer.

If ports 139 or 445 cannot be opened on your network, set the interval to 0 to prevent checking. See Configuring FSSO ports on page 575.

 

Dead entry timeout interval

Enter the interval in minutes after which Fortinet Single Sign On Agent purges information for user logons that it cannot verify. The default is 480 minutes (8 hours).

Dead entries usually occur because the computer is unreachable (such as in standby mode or disconnected) but the user has not logged off. A common reason for this is when users forget to logoff before leaving the office for the day.

You can also prevent dead entry checking by setting the interval to 0.

 

IP address change verify interval

Fortinet Single Sign On Agent periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. IP address verification prevents users from being locked out if they change IP addresses, as may happen with DHCP assigned addresses.

Enter the verification interval in seconds. The default is 60 seconds. You can enter 0 to prevent IP address checking if you use static IP addresses.

This does not apply to users authenticated through NTLM.

 

Cache user group lookup res- ult

Enable caching.

Caching can reduce group lookups and increase performance.

 

Cache expire in (minutes)

Fortinet Single Sign On Agent caches group information for logged-in users.

Enter the duration in minutes after which the cache entry expires. If you enter 0, the cache never expires.

A long cache expire interval may result in more stale user group inform- ation. This can be an issue when a user’s group information is changed.

 

Clear Group Cache         Clear group information of logged-in users.

This affects all logged-in users, and may force them to re-logon.

3. You can select Save&Close now or leave the agent configuration window open to complete additional configuration in the following sections.

 

To view the version and build number information for your FSSO Collector Agent con- figuration, selecting the Fortinet icon in the upper left corner of the Collector agent Configuration screen and select About Fortinet Single Sign On Agent con- figuration.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook and tagged , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Configuring the FSSO Collector agent for Windows AD

  1. Khan

    hello,
    the domain controller on which fsso agent is installed could be in any vlan forexample, fortigate firewall is vlan 60 and DC on which agent is installed in vlan 50 and intervlan routing is enables we can ping the firewall from the domain controller but in this setup of different vlan the fsso agent should work with fortigate without any problem because there is L3 communication between them. i have issue the collector agent doesn’t track the domain logon users and ipv4 policy in fortigate based on fsso agent groups is not working and i cant keep both agent and firewall in same vlan they are in different vlans but this shouldnt be an issue. please advise as i am tired of debugging and fortigate TAC is also not taking this issue serious. if anyone could help please…
    Regards

    Reply
  2. Lee

    Hi Khan

    FGT connect to FFSO agent via TCP port 8000 by default. As long as you allow traffic from vlan60 to vlan 50 with this port, the communication should be established

    You can verify server status via CLI commands

    FGT-VM-ESX-Router # diagnose debug enable
    FGT-VM-ESX-Router # diagnose debug authd fsso server-status
    FGT-VM-ESX-Router #
    Server Name Connection Status Version
    ———– —————– ——-
    FSSO connected FSAE server 1.1

    Hth

    Lee

    Reply
  3. Nuno

    Hi,

    I´m having this issue, on my fortigate de SSO Server is disconnected and on FSSO Agent there are 0 fortigate connected. I already configured the LDAP Server and it´s working . Does anyone have any idea?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.