Technical Tip: Configuring the FSSO collector agent on the Windows server core
Description
Windows Server Core is a minimal installation option available when installing the Standard or Datacenter editions of Windows Server.
By design, Server Core does not have a traditional desktop interface.
Instead, Server Core is designed to be managed remotely through the command line, PowerShell, or a special GUI tool, which means that the usual GUI configuration of the FSSO collector agent is not possible.
This article describes how to configure the FSSO Collector agent on Windows Server Core.
Scope
FortiGate.
Solution
Every FortiOS firmware version specifies the minimum FSSO version needed in its release notes, as well as the supported operating systems for FSSO installation.
Verify that the FSSO version in use supports the Windows Server Core version being deployed.
The following official document provides a complete list of supported Windows Server Core versions: Product integration and support.
The latest supported Windows Server Core version is Windows Server 2019 Core.
After installing the collector agent via the installation wizard, it is necessary to configure it.
The usual GUI method runs FSAEConfig.exe; on Server Core, all configuration has to be performed directly in the registry.
The FSSO collector agent settings are stored under the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
Note:
For options not explicitly described in the following registry export, the standard DWORD values of 0 (False/disabled) and 1 (True/enabled) apply. Port and interval values are shown as hexadecimal DWORDs (for example, "fortigateport"=dword:00001f40 is TCP 8000).
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent]
"supportLogonMonitor"=dword:00000001
"admode"=dword:00000001
"supportNTLMauth"=dword:00000001
"domain_list"="TEST:test.local"
"ep_eventid_list"="2"
"supportFSAEauth"=dword:00000000
"supportLogonMonitorType"=dword:00010001
"pushIgnoreListToDC"=dword:00000001
"verifyIP"=dword:00000000
"ep_gobackhours"=dword:00000000
"directDNSlookup"=dword:00000001
"callgethostbyname"=dword:00000001
"DNSlookupinterval"=dword:0000000f
"grouplookupinterval"=dword:00000000
"checkinterval"=dword:0000003c
"timeoutinterval"=dword:00000078
"workerthreadcount"=dword:00000080
"use_groupcache"=dword:00000000
"max_FGT_session"=dword:00000040
"GroupCacheExpiration"=dword:0000003c
"log_level"=dword:00000001
"log_level_event"=dword:00000000
"log_size"=dword:00a00000
"dcagentport"=dword:00001f42
"enableauth"=dword:00000001
"fortigateport"=dword:00001f40
"fortigatesslport"=dword:00001f41
"dc_agent_ignore_ip_list"=""
"version"="5.0.0278"
"password_new"="**********"
"enable_ssoma"=dword:00000000
"workstation_in_logon_session"=dword:00000000
"wmi_logoff_check"=dword:00000001
"enable_deadthread_detect"=dword:00000000
"tsagent_alive_check"=dword:00000000
"InstallDir"="C:\\Program Files (x86)\\Fortinet\\FSAE"
"host"="10.0.0.10"
"uninstallDCAgent"=dword:00000001
"dc_list"="TEST/DC02.test.local;TEST/DC01.test.local"
"ad_port"=dword:00000cc4
"ad_server"="DC01.mt-test.local"
"ad_baseDN"="DC=mt-test,DC=local"
"ad_authuser"="service_fssouser"
"ad_passwd_new"="**********"
"ad_secureconnection"=dword:00000000
"DNS_list"="10.0.0.10"
"disable_rdp_override"=dword:00000000
The user and group filters are stored in the Filter subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent\Filter
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent\Filter]
"ignore_users"="TEST\\admin_*;TEST\\Administrator;TEST\\service*;TEST\\srv_*"
"groups"="CN=Domain Users,CN=Users,DC=test,DC=local"
Confirm that the Windows firewall rule allowing inbound TCP 8000 (the FortiGate port configured as "fortigateport"=dword:00001f40) is enabled:
PS C:\Users\Administrator> netsh advfirewall firewall show rule name="Fortinet FSSO"
Rule Name: Fortinet FSSO
----------------------------------------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: 8000
RemotePort: Any
Edge traversal: No
Action: Allow
Ok.
Finally, confirm that the collector agent is listening on TCP 8000 (the last column is the PID of the listening process):
netstat -ano | findstr :8000
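The same configuration and checks can be scripted from PowerShell on Server Core. The following is an added example, not part of the Fortinet article or product: it writes a subset of the settings shown above (sample domain, DC and host values from the article, to be replaced with real ones), then reads back the FortiGate port and checks the firewall rule and listening socket against it. It assumes the collector agent is already installed and that the agent reads its configuration at service start-up.

```powershell
# Added example (not from the Fortinet article): apply collector agent
# settings from the registry export above and verify the listener.
$key       = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'
$filterKey = "$key\Filter"

# DWORD values given in decimal; the hex shown in the .reg export is in comments.
$dwords = @{
    supportLogonMonitor = 1
    supportNTLMauth     = 1
    enableauth          = 1      # require the shared password for FortiGate connections
    fortigateport       = 8000   # dword:00001f40
    fortigatesslport    = 8001   # dword:00001f41
    dcagentport         = 8002   # dword:00001f42
    checkinterval       = 60     # dword:0000003c
    timeoutinterval     = 120    # dword:00000078
    log_level           = 1
}
$strings = @{                    # sample values from the article, replace with your own
    domain_list = 'TEST:test.local'
    dc_list     = 'TEST/DC02.test.local;TEST/DC01.test.local'
    host        = '10.0.0.10'
    DNS_list    = '10.0.0.10'
}

foreach ($k in @($key, $filterKey)) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}
foreach ($n in $dwords.Keys)  { Set-ItemProperty -Path $key -Name $n -Value ([int]$dwords[$n]) -Type DWord }
foreach ($n in $strings.Keys) { Set-ItemProperty -Path $key -Name $n -Value $strings[$n] -Type String }
# REG_SZ holds single backslashes; the .reg export doubles them for escaping.
Set-ItemProperty -Path $filterKey -Name ignore_users -Type String `
    -Value 'TEST\admin_*;TEST\Administrator;TEST\service*;TEST\srv_*'
# The agent reads its configuration at start-up, so restart its service after these changes.

# Read back the port FortiGate connects to and check firewall rule and listener against it.
$port = (Get-ItemProperty -Path $key).fortigateport
"Configured FortiGate port: $port"

$rule = Get-NetFirewallRule -DisplayName 'Fortinet FSSO' -ErrorAction SilentlyContinue
if ($rule -and $rule.Enabled -eq 'True') {
    "Firewall rule enabled, local ports: $(($rule | Get-NetFirewallPortFilter).LocalPort)"
} else {
    Write-Warning "No enabled 'Fortinet FSSO' firewall rule found; inbound TCP $port will be blocked"
}

$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listener) { "Collector agent listening on TCP $port (PID $($listener.OwningProcess))" }
else           { Write-Warning "Nothing is listening on TCP $port; start the collector agent service" }
```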