fjulianom
Explorer II
February 26, 2018
Solved

FSSO and Windows Server DNS

  • February 26, 2018
  • 1 reply
  • 17754 views

Hi experts,


I am troubleshooting an issue with FSSO and usernames, and I realized that the customer's DNS, where the FSSO is installed, is a mess: some workstations with 2 IPs (2 A records), others with 6 IPs, and most of them with wrong IP addresses (wrong A records). I would like to know if this is the main thing I have to troubleshoot, or if this is the repository the collector agent is fed from to link usernames and IP addresses. Please can you confirm?


Regards,

Julián

    Best answer by Fishbone_FTNT



    Fishbone_FTNT
    Staff
    February 26, 2018

    Hi Julian, DNS workstation resolution is absolutely critical for FSSO. If forward entries are wrong, so will be FSSO logons. Basically, the workstation name in the logon list is periodically rechecked (forward DNS), based on the "IP verification interval" setting in the FSSO CA list. It's a separate thread doing just this.

    Fishbone)(

    fjulianom
    Author
    Explorer II
    February 28, 2018

    Hi Fishbone,

    Thanks for your interest. Two more questions about this:

    1. How does the collector agent know the IP address of the username? I know the collector agent uses a DNS server to associate usernames with IP addresses, but the DNS server has workstations and IP addresses, not usernames.

    2. What happens when there are multiple A records of different dates for the same IP address? What A record does the collector agent use? The newest one? The first one it finds?

    Regards,

    Julián

    Fishbone_FTNT
    Staff
    March 1, 2018

    Hi Julian,

    > How does the collector agent know the IP address of the username?

    First of all, the collector gets logon info a) from DCAgent/TSAgent or b) from a poller thread polling the DC directly for logon events from the security event log. The collector remembers as the key component the workstation name and the username logged on to it. This is a very important concept of FSSO CA, and of FSSO generally. One workstation can be associated with up to 4 IP addresses at once.

    IP check thread:

    The workstation name is periodically resolved to get the IP addresses of that workstation. All changes detected are immediately reflected in the logon list on the FSSO CA, and of course also on all connected FSSO clients - the FortiGates.

    Workstation check thread:

    To keep track of whether the user is still logged on, we have a separate thread in FSSO CA. It also iterates the logon list and attempts to connect to all workstations in it. It uses WMI or RRA. If it succeeds in connecting and the user is there, FSSO CA maintains the workstation's status as OK (it is sufficient to connect to a single IP address belonging to the workstation to claim all IP addresses of that workstation OK). If it can't connect, the workstation status transitions to 'Not Verified'. In this state it takes the "Dead entry timeout interval" to remove the workstation from the logon list.

    > What happens when there are multiple A records of different dates for the same IP address?

    If one DNS A entry points to the same IP address as another, it could be a problem, and I think the logon will be removed from the previously learned workstation in favor of the new one.

    This is, however, generally a problem on the DNS side; such a situation should not happen to workstations.

    Fishbone)(
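The thread above describes two DNS conditions that break FSSO's workstation-to-IP mapping: a workstation with more A records than the collector holds per workstation (the thread gives 4), and several workstation names whose A records point at the same IP, so a logon can be moved from one workstation to another. The following Python is an added example, not code from the thread or from Fortinet, that audits a set of A records for both conditions and models the IP check thread's refresh of a logon list. It assumes the zone is available as (hostname, ip) pairs, for example exported from the Windows DNS server; the record set below is constructed to mirror the situation in the question.

```python
"""Audit workstation A records for the conditions that break FSSO's IP mapping.

Example added to this thread; it is not FSSO/Fortinet code. Assumptions:
the zone is supplied as (hostname, ip) A-record pairs, and the per-workstation
limit of 4 IP addresses is the figure quoted in the thread.
"""
from collections import defaultdict

MAX_IPS_PER_WORKSTATION = 4  # per the thread: one workstation maps to up to 4 IPs

# Constructed sample zone data modelled on the question (not a real zone).
SAMPLE_A_RECORDS = [
    ("ws-finance01", "10.1.1.10"),
    ("ws-finance01", "10.1.1.11"),
    ("ws-hr02", "10.1.1.20"),
    ("ws-hr02", "10.1.1.21"),
    ("ws-hr02", "10.1.1.22"),
    ("ws-hr02", "10.1.1.23"),
    ("ws-hr02", "10.1.1.24"),
    ("ws-hr02", "10.1.1.25"),
    ("ws-sales03", "10.1.1.30"),
    ("ws-old-laptop", "10.1.1.30"),  # stale record: same IP as ws-sales03
    ("ws-sales04", "10.1.1.40"),
]


def build_forward_map(records):
    """hostname (lower-cased) -> list of unique IPs, in zone order.

    This is what forward resolution of a workstation name returns."""
    fwd = defaultdict(list)
    for host, ip in records:
        if ip not in fwd[host.lower()]:
            fwd[host.lower()].append(ip)
    return dict(fwd)


def find_shared_ips(records):
    """ip -> sorted hostnames, for every IP that more than one name resolves to.

    These are the records the thread says can move a logon from one
    workstation to another."""
    rev = defaultdict(set)
    for host, ip in records:
        rev[ip].add(host.lower())
    return {ip: sorted(hosts) for ip, hosts in rev.items() if len(hosts) > 1}


def find_overloaded_hosts(records, limit=MAX_IPS_PER_WORKSTATION):
    """hostname -> IPs, for names with more A records than the collector keeps."""
    fwd = build_forward_map(records)
    return {h: ips for h, ips in fwd.items() if len(ips) > limit}


def simulate_ip_check(logon_list, records, limit=MAX_IPS_PER_WORKSTATION):
    """Model of the IP check thread: for each logon, re-resolve the workstation
    name and keep at most `limit` addresses. Returns the refreshed logon list.

    The thread does not say what happens to a logon whose name no longer
    resolves, so such an entry simply ends up with an empty IP list here."""
    fwd = build_forward_map(records)
    refreshed = {}
    for workstation, entry in logon_list.items():
        ips = fwd.get(workstation.lower(), [])[:limit]
        refreshed[workstation] = {"user": entry["user"], "ips": ips}
    return refreshed


def audit(records, limit=MAX_IPS_PER_WORKSTATION):
    """Return both findings in one report dict."""
    return {
        "shared_ips": find_shared_ips(records),
        "overloaded_hosts": find_overloaded_hosts(records, limit),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_A_RECORDS)
    for ip, hosts in report["shared_ips"].items():
        print(f"IP {ip} is claimed by several names: {', '.join(hosts)}")
    for host, ips in report["overloaded_hosts"].items():
        print(f"{host} has {len(ips)} A records; collector keeps at most "
              f"{MAX_IPS_PER_WORKSTATION}: {ips[MAX_IPS_PER_WORKSTATION:]} dropped")
    logons = {"WS-HR02": {"user": "jdoe"}, "WS-SALES04": {"user": "asmith"}}
    for ws, entry in simulate_ip_check(logons, SAMPLE_A_RECORDS).items():
        print(f"{entry['user']}@{ws} -> {entry['ips']}")
```

On a real server the record pairs would come from the zone itself (for example `Get-DnsServerResourceRecord -RRType A` on the Windows DNS server), and the two findings map directly to the remediation the thread implies: clean up the shared IPs first, since those are the records that can reassign a logon to the wrong workstation.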