Skip to main content
mturic
Staff & Editor
mturic
Staff & Editor
August 12, 2019

Technical Tip: How to setup TS-Agent configuration

  • August 12, 2019
  • 0 replies
  • 58697 views

Description


This article describes how to configure the TS-Agent, which seamlessly allows multiple user connections simultaneously, allowing restricted access based on user credentials.

 

The TS-Agent is a Terminal Services FSSO Agent that allows user authentication based on source port ranges assigned to each authenticated user, unlike DC-Agent or FSSO polling mode, which are IP-based authentication.

 

The TS-Agent can be installed on a Citrix, VMware Horizon v7.4, or Windows Terminal Server (Such as a jump server) to monitor user logons in real time.


Scope


For Fortinet Single Sign On (FSSO) TS-Agent.

Solution


Download the 'TSAgent_Setup- .exe' or '-msi package' from the support portals download section.
It is located in the FSSO directory within the FortiGate firmware downloads.


The installation of it is as follows:

 
 
 
 
 
After the TS-Agent has been installed, the option to set the following parameters, such as port ranges and the number of port ranges per user, is proposed.

The secure communication option is only available for use with FortiAuthenticator and not with FSSO CA. 
If Secure communication is used, make sure the firewall allows TCP port 8002; if unsecured communication, UDP port 8002. 
  

 

Verifying TS-Agent users on the collector agent.
 
 
Logon user list on the collector agent.
 
 

Note that by default, both TS-Agent and EventLog/DC-Agent types of logon events will be seen, which in some environments can cause undesired authentication issues.
When a user logs into a terminal server with a TS Agent installed, this typically generates two FSSO sessions:

  • One session with an IP and a port-range (sourced from the TS Agent).
  • One standard session for the whole IP, no port ranges (sourced from event log polling/DC Agent/NetAPI).


To ensure correct authentication, all terminal server IP addresses need to be added in the Collector Agent’s registry key dc_agent_ignore_ip_list:


HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
 
  • Value name: 'dc_agent_ignore_ip_list'.
    Value data: semicolon-separated list of IPs for the Collector Agent to ignore.
This will drop non-TS-Agent FSSO sessions for those IPs (event log polling, DC Agent, NetAPI).
 
Verifying FortiGate user Auth list and Session List:
 
 
diagnose debug  authd fsso list | grep USER1

IP: 172.31.128.12  User: USER1  Groups: CN=USER1,CN=USERS,DC=HARSHAVARDHAN,DC=COM+CN=ATTACKERS,CN=USERS,DC=HARSHAVARDHAN, DC=COM  Workstation: 172.31.128.12!HARSHAVARDHAN!0000000          
MemberOf: Admin Tsagent Domain Users- FSSO Session ID: 1 Port Range(2): 1024-1223 1224-1423
Session List:
session info: proto=6 proto_state=01 duration=565 expire=3577 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=USER1 auth_server=FSSO Agent state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=4079/35/1 reply=4958/41/1 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=10.40.63.254/172.31.128.12
hook=post dir=org act=snat 172.31.128.12:1087->172.217.194.189:443(10.40.48.17:61503)
hook=pre dir=reply act=dnat 172.217.194.189:443->10.40.48.17:61503(172.31.128.12:1087)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 auth_info=6 chk_client_info=0 vd=0
serial=01f5964d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0total
session 1
 
Verify the results with the following command:
 
diagnose firewall auth list | grep USER1
 
Compared with the FSSO user information from the DC-agent mode or the Polling mode, the FSSO user information originated from the TS-agent mode contains extra information, which is the port-range allocated to the user by the Terminal Server. This is an important factor when matching the firewall policy.
 
When the FortiGate is doing the group matching in the firewall policy for the incoming traffic, it will not only match the FSSO group information, but also the source port of the traffic. Only the traffic in the correct source port-range of this user can match the policy. 
 
10.30.2.78, GZHONG3
type: fsso_citrix, id: 1, duration: 195, idled: 12
server: FSSO
packets: in 132 out 122, bytes: in 65109 out 45259
group_id: 33554458 33554437 33554485
group_name: CN=DOMAIN USERS,CN=USERS,DC=SYD,DC=FORTILABAPAC,DC=LAB CN=TESTGROUP,CN=USERS,DC=SYD,DC=FORTILABAPAC,DC=LAB CN=USERS,CN=BUILTIN,DC=SYD,DC=FORTILABAPAC,DC=LAB
port_range: (1024-1223)
 
This is important when end-user machines have any endpoint solutions or components, such as Digital Guardian Web Inspection Proxy, running on them. These solutions can change the source port of the original traffic before forwarding it to the Fortigate.
If the new source port does not match the assigned source port range, FortiGate will not be able to match the traffic with the configured identity-based policy and will drop it due to the default deny policy.
 
It can be verified by visiting Logs & Report -> Forward Traffic or debug flow captures (see debugging the packet flow) for the client machine's IP.
 
Note that traffic with no ports, such as ICMP or DNS, or traffic generated by applications like SMB, which does not use the user port-range assigned by the TS Agent, will NOT match with the identity-based policy. As a result, the traffic will be dropped by FortiGate. The TS Agent can only intercept traffic initiated by a user process. Thus, it is recommended to configure a separate firewall policy for this traffic without FSSO group matching.
 
Refer to this article if TS Agent FSSO users are facing problems with DNS resolution: Technical Tip: TS Agent FSSO users are not able to resolve DNS.
 
Note:
Installing the TS Agent from other vendors together with the Fortinet TS Agent on the same server can cause service/port conflicts, leading to unexpected problems and failures. This coexistence is not supported nor recommended.

 

Related articles:

Technical Tip: Excluding IP addresses from FSSO logon events

Technical Tip: Terminal Server Agents and SMB Shared Folders

Technical Tip: FSSO TS-Agent troubleshooting steps

    Terms & ConditionsAccessibility statement