FortiAuthenticator
Debbie_FTNT
Staff & Editor
Article Id 298044
Description

 

This article describes detailed installation steps for a standalone FSSO Mobility Agent.

 

Scope

 

FortiClient, FSSO Mobility Agent.

 

Solution

 

FortiClient offers an FSSO mobility agent as part of its feature set.
The FSSO mobility agent can report user logins to FortiAuthenticator, and FortiAuthenticator can then turn those logins into FSSO sessions.


This feature is included in the full FortiClient version and the free VPN-only FortiClient (starting from firmware v7.0.3).

There is also a standalone FSSO mobility agent (without any other FortiClient features) available; the archive with the installer will typically be called something like 'FortiClientSSOSetup[...]'.

 

Note that the FSSO Mobility Agent will install on, but will not run properly on any non-domain-joined workstation; it will simply log an error that the domain name could not be read.

 

  1. Download the standalone FSSO Mobility Agent.

The standalone version is located in the firmware download section available on support.fortinet.com, under FortiClient.
The various Windows firmware versions will also contain a FortiClientSSOSetup_[version].zip file, which contains the actual FSSO Mobility Agent installer.
Download this in the desired firmware version.
For compatibility, refer to the FortiAuthenticator release notes.

 

[Figure: FSSOMA1.PNG]

 

  2. Unpack the FSSO Mobility Agent.

Unpacking the downloaded archive will yield an installer file named 'FortiClientSSO.msi'.

 

 

  3. Install the Mobility Agent.

As the mobility agent is a .msi file, it can technically be installed by just executing it.
However, this leads to an installation with no parameters, meaning the FSSO Mobility Agent does not know how to contact the FortiAuthenticator.


To this end, there are installation parameters that can be used in PowerShell when installing the mobility agent:


SSOSERVER="<IP or hostname of FortiAuthenticator>"
SSOPORT="<FSSO Mobility Agent port; 8001 by default>"
SSOPSK="<preshared key to connect to FortiAuthenticator>"

 

In addition, regular msiexec parameters may be used; what those are, as well as how to use them, may be found in Microsoft documentation.

 

An example installation:

 

  1. Start up PowerShell with administrator privileges.
  2. Navigate to the folder with the unpacked installer.
  3. Run the following in PowerShell:


msiexec /i FortiClientSSO.msi SSOSERVER="fac.forti.lab" SSOPORT="8001" SSOPSK="fortinet_psk1234"


This starts an installation dialog that requires accepting the Terms and Conditions and confirming the installation.

 

Note: Several FortiAuthenticators may be specified in this format: SSOSERVER='server1:port1,server2:port2'.

 

Once the installation completes, the FSSO Mobility Agent is installed and will try to contact FortiAuthenticator immediately.

 

[Figure: FSSOMA2.PNG]

 

An alternative installation:


msiexec /i FortiClientSSO.msi /qn SSOSERVER="fac.forti.lab" SSOPORT="8001" SSOPSK="fortinet_psk1234"

 

Adding /qn causes the installation to be quiet and does not require any user input.

 

As the installer is a .msi file, it may be distributed via Group Policies in a Windows AD environment.

 

Note: The double quote (") and semicolon (;) are reserved symbols in MSI installations and therefore cannot be used in the SSOPSK.
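The following PowerShell function is an added example and is not part of the Fortinet article; it wraps the msiexec calls shown above (interactive and /qn) and applies the two constraints from the notes: the SSOSERVER list format and the reserved " and ; characters in SSOPSK. The server name, PSK and log file name are placeholders for a lab, and the exit-code handling (0 and 3010) reflects standard Windows Installer return codes rather than anything specific to the FSSO package.

```powershell
# Added example (not from the Fortinet article). Assumes FortiClientSSO.msi sits in the
# current folder and that you run this from an elevated PowerShell session.
function Install-FssoMobilityAgent {
    param(
        [Parameter(Mandatory)][string[]]$Server,        # 'host' or 'host:port', one or more
        [string]$Port = '8001',                         # SSOPORT; 8001 is the default
        [Parameter(Mandatory)][string]$Psk,             # SSOPSK (placeholder in the call below)
        [switch]$Quiet,                                 # adds /qn for an unattended install
        [string]$MsiPath = '.\FortiClientSSO.msi'
    )

    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }

    # " and ; are reserved in MSI property values (article note): refuse them rather
    # than letting msiexec store a mangled key. Anything beyond letters, digits and _
    # needs the batch-file method the article describes for special characters.
    if ($Psk -match '[";]')           { throw 'SSOPSK must not contain " or ;' }
    if ($Psk -notmatch '^[A-Za-z0-9_]+$') { throw 'Use the batch-file method for a PSK with special characters.' }

    # Several FortiAuthenticators are given as 'server1:port1,server2:port2'.
    $serverValue = $Server -join ','
    $log = Join-Path (Get-Location).Path 'FortiClientSSO-install.log'   # placeholder name

    $msiArgs = @(
        '/i', (Resolve-Path $MsiPath).Path,
        "SSOSERVER=`"$serverValue`"",
        "SSOPORT=`"$Port`"",
        "SSOPSK=`"$Psk`"",
        '/L*v', "`"$log`""
    )
    if ($Quiet) { $msiArgs += '/qn' }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed.' }
        3010    { return 'Installed; a reboot is required to finish.' }
        default { throw "msiexec exited with code $($proc.ExitCode); see $log" }
    }
}

# Example call with the article's lab placeholders; -Quiet mirrors the /qn variant.
Install-FssoMobilityAgent -Server 'fac.forti.lab' -Psk 'fortinet_psk1234' -Quiet
```

The PSK is passed on the msiexec command line and, with verbose logging, may be written into the log file as a property value; treat the log like the PSK itself (restrict access or delete it after a successful install), and prefer a Group Policy or deployment-tool distribution that does not leave the command line in shell history.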

 

In scenarios where the SSOPSK contains non-ASCII or special characters (e.g., !#$%&'()*+,-./:<=>?@[]^_`{|}~), the standalone FSSO Mobility Agent should be installed via a batch file following the steps below:

 

• Open Notepad++, go to File → New, and paste the following commands:

 

chcp 65001
msiexec /i FortiClientSSO.msi SSOSERVER="<FAC-IP/Hostname>" SSOPORT="<SSOPORT>" SSOPSK="<PSK-special-chars>" /L*vx! install.log

 

• Replace <FAC-IP/Hostname>, <SSOPORT>, and <PSK-special-chars> with actual values.
• In Notepad++, go to Encoding → UTF-8.
• Then go to File → Save As, navigate to the folder where you extracted FortiClientSSOSetup_x.x.x.Build_x64, specify a file name, and set Save as type to Batch file from the drop-down list.
• Make sure the FortiClientSSOSetup_x.x.x.Build_x64 folder contains both FortiClientSSO.msi and the batch file just created.
• Open PowerShell in Administrator mode, navigate to the folder containing FortiClientSSOSetup_x.x.x.Build_x64, and run the batch file using the command:


.\<batch-file-name>.bat

 

In batch files, a single percentage sign (%) is reserved for referencing variables (e.g., %variable_name%) or command-line arguments (e.g., %1, %2). To include an actual percentage sign in a batch file, a double percentage sign (%%) must be used.

For example, SSOPSK test%12345 should be written as test%%12345 in the batch file.
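As an added example that is not part of the Fortinet article, the function below generates the batch file described in the steps above from PowerShell instead of Notepad++: it doubles every literal % in the PSK, writes the file as UTF-8 without a byte-order mark (the equivalent of Notepad++'s "UTF-8" choice) and checks that FortiClientSSO.msi sits beside it. The server name, file name and the PSK in the usage call are placeholders.

```powershell
# Added example (not from the Fortinet article). Assumes the unpacked
# FortiClientSSOSetup folder is the current directory.
function New-FssoInstallBatch {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Port = '8001',
        [Parameter(Mandatory)][string]$Psk,
        [string]$Folder = '.',
        [string]$BatchName = 'install-fsso.bat'   # placeholder file name
    )
    # " and ; are reserved by MSI and cannot appear in SSOPSK at all.
    if ($Psk -match '[";]') { throw 'SSOPSK must not contain " or ;' }

    # In a batch file a single % introduces a variable (%name%) or argument (%1), so a
    # literal % in the PSK must be doubled: test%12345 becomes test%%12345.
    $batchPsk = $Psk -replace '%', '%%'

    $lines = @(
        'chcp 65001',
        "msiexec /i FortiClientSSO.msi SSOSERVER=`"$Server`" SSOPORT=`"$Port`" SSOPSK=`"$batchPsk`" /L*vx! install.log"
    )

    $dir  = (Resolve-Path $Folder).Path
    $path = Join-Path $dir $BatchName
    # UTF-8 without BOM: cmd.exe does not understand a BOM on the first line, and
    # 'chcp 65001' is what lets the non-ASCII characters in the PSK survive parsing.
    [System.IO.File]::WriteAllLines($path, $lines, (New-Object System.Text.UTF8Encoding $false))

    if (-not (Test-Path (Join-Path $dir 'FortiClientSSO.msi'))) {
        Write-Warning 'FortiClientSSO.msi is not in the same folder as the batch file.'
    }
    return $path
}

# Placeholder PSK with characters from the article's list (single quotes keep $ literal).
$bat = New-FssoInstallBatch -Server 'fac.forti.lab' -Psk 'te$t%12345!'
Get-Content $bat          # review the generated command before running it
& $bat                    # run from an elevated PowerShell in the installer folder
```

The batch file and install.log both contain the PSK in clear text, so remove them once the agent is confirmed working.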

 

  4. Verify the Mobility Agent installation.

Once the Mobility Agent is installed, the following should exist in the operating system:

  • A 'FortiClient' folder under \Program Files\Fortinet\.
    • This may contain a folder 'logs', which contains *.dat files that the Mobility Agent writes its logs to.
    • These logs (SQLite databases) can be useful in troubleshooting.
  • Some registry keys in 'HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_SSOMA':
    • The key 'serveraddress' should contain the server IP or FQDN from the installation parameter, along with the port.
    • The 'enabled' and 'installed' registry keys should be set to 1.
  • A service called 'Fortinet Mobility Agent Service Scheduler'.

 

The Mobility Agent will also start sending traffic to FortiAuthenticator; using Wireshark (or sniffing traffic on a gateway in between) will show traffic to the FortiAuthenticator IP on the configured port roughly every 10 minutes.
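The following check is an added example and not part of the Fortinet article; it looks for the folder, registry values and service listed above and returns them as one object, with a reachability test of the configured server and port as a stand-in for the Wireshark observation. The folder path assumes the default %ProgramFiles% location, and the service is looked up by the display name the article gives.

```powershell
# Added example (not from the Fortinet article): collects the post-install artefacts
# the article lists and flags the common failure modes.
function Test-FssoMobilityAgent {
    $regPath = 'HKLM:\SOFTWARE\Fortinet\FortiClient\FA_SSOMA'
    $reg     = if (Test-Path $regPath) { Get-ItemProperty -Path $regPath } else { $null }
    $svc     = Get-Service -DisplayName 'Fortinet Mobility Agent Service Scheduler' -ErrorAction SilentlyContinue
    $folder  = Join-Path $env:ProgramFiles 'Fortinet\FortiClient'
    $logDir  = Join-Path $folder 'logs'

    $result = [pscustomobject]@{
        FolderPresent = Test-Path $folder
        LogFiles      = @(Get-ChildItem -Path $logDir -Filter '*.dat' -ErrorAction SilentlyContinue).Count
        ServerAddress = $reg.serveraddress          # expected: host or FQDN plus port
        Enabled       = $reg.enabled                # expected: 1
        Installed     = $reg.installed              # expected: 1
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'missing' }
        # The agent logs an error on a workstation that is not domain-joined, so the
        # join state is the first thing to look at when the values above are fine.
        PartOfDomain  = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }

    $healthy = $result.FolderPresent -and
               $result.Enabled -eq 1 -and $result.Installed -eq 1 -and
               -not [string]::IsNullOrEmpty($result.ServerAddress) -and
               $result.ServiceStatus -eq 'Running'
    $result | Add-Member -NotePropertyName Healthy -NotePropertyValue $healthy -PassThru
}

$r = Test-FssoMobilityAgent
$r | Format-List

# Reachability of the first configured FortiAuthenticator ('server1:port1' form).
if ($r.ServerAddress -match '^([^:,]+):(\d+)') {
    Test-NetConnection -ComputerName $Matches[1] -Port ([int]$Matches[2])
}
```

A successful TCP connect only shows the port is reachable; whether logins are actually being reported is still best confirmed on the FortiAuthenticator side or with the packet capture the article describes.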

 

Note:

If the Mobility Agent is used on a natively Entra ID-joined workstation, a specific registry key is required:

Add a 'prefer_azure' registry key (type DWORD) to this location:

 

\Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_SSOMA


Set the key to value 1.

This allows the mobility agent to detect Azure/Entra ID user information properly. This same registry key can also be used for FortiClient VPN (free) versions; for paid versions, the setting can be pushed from EMS as part of the XML configuration file.
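The function below is an added example, not part of the Fortinet article; it creates the prefer_azure DWORD described above and then restarts the agent service so the new value is picked up (the restart is an assumption for convenience, the article only says to set the key). The Entra join check uses dsregcmd /status, which the article does not mention.

```powershell
# Added example (not from the Fortinet article). Run from an elevated PowerShell.
function Enable-FssoPreferAzure {
    $regPath = 'HKLM:\SOFTWARE\Fortinet\FortiClient\FA_SSOMA'
    if (-not (Test-Path $regPath)) {
        throw 'FA_SSOMA key not found; is the FSSO Mobility Agent installed?'
    }

    # prefer_azure is only meant for Entra ID-joined hosts; warn if this one is not.
    $joined = (& dsregcmd.exe /status) -match '^\s*AzureAdJoined\s*:\s*YES'
    if (-not $joined) {
        Write-Warning 'dsregcmd does not report AzureAdJoined : YES; prefer_azure applies to Entra ID-joined workstations only.'
    }

    # DWORD value 1, as the article specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $regPath -Name 'prefer_azure' -PropertyType DWord -Value 1 -Force | Out-Null

    # Assumption: restart the agent service so it re-reads the setting.
    Get-Service -DisplayName 'Fortinet Mobility Agent Service Scheduler' -ErrorAction Stop | Restart-Service

    return (Get-ItemProperty -Path $regPath -Name 'prefer_azure').prefer_azure
}

Enable-FssoPreferAzure
```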

 

  5. Uninstall the FSSO Mobility Agent.

If necessary, this can be done in the same manner as installation:

 

  1. Start up PowerShell with administrator privileges.
  2. Navigate to the folder with the unpacked installer.
  3. Run the following in PowerShell:


msiexec /x FortiClientSSO.msi

 

Note that uninstalling the Mobility Agent will require a reboot to complete properly.