myrdin
New Member
August 4, 2017
Question

FSSO and TS/Citrix Best practices and experiences

  • August 4, 2017
  • 1 reply
  • 21377 views

Hi,

I recently moved to 5.6 and it is a huge improvement from 5.4; I am actually getting used to the new GUI!

 

The objective of this thread is to collect real-life experience on FSSO implementation, so as to give people who google how to configure FSSO some updated information on how to practically do it. Fortinet support seems not to have a clear idea of how to do that, and every support tech you call will have a different answer (someone says WMI is the way, someone says agent mode is the ONLY way).

 

What I know so far:

 

- When TS/Citrix environments are in use, YOU HAVE TO use the TSAgent. Even if polling mode works, it will apparently log the last user logged in and associate it with that particular host IP. The next user that logs in will override the last user in the logs: the new user will appear, the previous user will disappear.

 

What I DO NOT know:

 

- In the FSSO configuration, you can only reference one LDAP. But I'd like to reference two from the same FSSO for HA purposes; can this be done?

- What is the best way to intercept Macs (as in Apple laptops) that have the AD integration connector thing?

 

What I think is, at the current stage (with 5.6), the best way to implement FSSO:

 

- Install collector agent somewhere on a member server

- Deploy DC agents on ALL DCs and restart the DCs, sending to the collector agent

- Deploy TSAgents on ALL TS/Citrix servers and restart, sending to the collector agent

- Config LDAP server

- Config FSSO and point to the collector agent IP and reference the configured LDAP(s?).

 

Is this the right/best way to get closest to 100% accuracy? What is your experience on the matter?

 

thanks

    1 reply

    Philippe_Gagne
    New Member
    August 4, 2017

    Hi,

     

    About the LDAP: you can have two LDAP servers in the same configuration. You have to do it in the CLI.

     

    config user ldap
        edit LDAP
            set server "192.168.1.1"
            set secondary-server "192.168.1.2"
        next
    end

     

    From there, you will be able to use only one LDAP configuration in FSSO. LDAP redundancy done!

     

    For FSSO, I suggest the installation of two collectors. They can be installed on a DC. In the FortiGate configuration, you will add the IPs of the collectors in the same FSSO configuration. In the CLI, it looks like:

     

    config user fsso
        edit FSSO
            set server 192.168.1.1
            set password fortinet
            set server2 192.168.1.2
            set password2 fortinet
            set ldap-server "LDAP"
        next
    end

     

    For TS/Citrix: yes, you have to install the TSAgent on all of them. You already said it. You have to configure it to send logs to both collectors.

     

    From there, I think everything should work fine! You were close! :)

     

    Philippe
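The two CLI snippets in the answer above, assembled into one FortiOS 5.6 session and followed by the checks a practitioner would run to confirm that the secondary LDAP server and the second collector are actually in use. This is an added example, not Philippe's or Fortinet's own text: the IP addresses, object names, bind DN and passwords are placeholders, and the `cnid`, `dn`, `type`, `username` and `password` lines in the LDAP object are assumed bind settings that the thread does not show.

```text
# Added example (not from the thread). All addresses, names and passwords
# are placeholders; replace them with your own values.

# 1. One LDAP object with a secondary server. Redundancy comes from
#    secondary-server, so the FSSO object only needs to reference "LDAP".
#    The bind settings (cnid, dn, type, username, password) are assumed.
config user ldap
    edit "LDAP"
        set server "192.168.1.1"
        set secondary-server "192.168.1.2"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=fsso-bind,cn=Users,dc=example,dc=local"
        set password <bind-password>
    next
end

# 2. FSSO object pointing at two collector agents (server / server2),
#    each with the password configured on that collector.
config user fsso
    edit "FSSO"
        set server "192.168.1.10"
        set password <collector-password>
        set server2 "192.168.1.11"
        set password2 <collector-password>
        set ldap-server "LDAP"
    next
end

# 3. Checks.
# Confirm the FortiGate reports both collectors as connected:
diagnose debug authd fsso server-status

# Confirm the LDAP object binds and can authenticate a known account.
# Repeat with the primary unreachable to prove the secondary takes over:
diagnose test authserver ldap LDAP testuser <testuser-password>

# List the user/IP mappings currently learned from the collectors. With the
# TSAgent in place, users logged on to the same TS/Citrix host should each
# appear against that host's IP rather than only the most recent logon:
diagnose debug authd fsso list

# If a mapping looks stale, force the collectors to resend the logon table:
diagnose debug authd fsso refresh-logons
```

Run the `server-status` check once after each collector is installed; if only one collector shows as connected, the TSAgents and DC agents still need to be pointed at the second one as the answer describes.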

     

    myrdin
    New Member
    August 7, 2017

    Thanks Philippe this is great!

     

    So is this the actual suggested/recommended way to set up FSSO by Fortinet? I cannot seem to get a consistent answer from support. 

     

    Thanks again

     

     

    Philippe_Gagne
    New Member
    August 7, 2017

    Hi,

     

    You're welcome! :)

     

    In the NSE4 course, Fortinet talks about agent mode and polling mode. I prefer agent mode because in massive login hours (like 8:00 AM, when everybody starts their working day!), I'm sure the collectors will not miss any login events. I have a customer who manages around 800 users on three Active Directory domains, and it works like a charm!

     

    Mobile users can be a challenge when they switch between wired and wireless connectivity on the network. No login event will be sent/shown in the Security Event logs on the DCs. NTLM can help, but it can take a few minutes to grant back their specific access. Or, you can use the "Mobile agent" with FortiClient. I think you need EMS and a Mobile license on the FortiGates.

     

    Another challenge, on which I have a TAC case open: RDP connections take precedence over local login. Let me explain: I have a computer where a user has restricted access to the Internet; I log in to the TS with an admin account that has full access to the Internet... the local computer will have the same rights for the time this RDP session is open. The DC Agent sees an event "MSV1_0" from the local computer and assigns the login seen to this IP. I can let you know the result if needed! :)

     

    Have a nice day!

     

    Philippe