FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff
Article Id 298044
Description

 

This article describes detailed installation steps for a standalone FSSO Mobility Agent.

 

Scope

 

FortiClient, FSSO Mobility Agent.

 

Solution

 

FortiClient offers an FSSO mobility agent as part of its feature set.
The FSSO mobility agent reports user logins to FortiAuthenticator, and FortiAuthenticator can then turn those logins into FSSO sessions.
This feature is included in the full FortiClient version and, from FortiClient 7.0.3 onwards, in the free VPN-only FortiClient.

There is also a standalone FSSO mobility agent (without any other FortiClient features) available; the archive with the installer will typically be called something like 'FortiClientSSOSetup[...]'.

Note that the FSSO Mobility Agent will install on, but will not run properly on, a workstation that is not domain-joined; it will simply log an error that the domain name could not be read.

 

1. Download the standalone FSSO mobility agent.


The standalone version is located in the firmware download section of support.fortinet.com, under FortiClient.
Each Windows firmware version also contains a FortiClientSSOSetup_[version].zip file, which holds the actual FSSO Mobility Agent installer.
Download it in the desired firmware version.
For compatibility with FortiAuthenticator, refer to the FortiAuthenticator release notes.

 


 

2. Unpack the FSSO Mobility Agent.


Unpacking the downloaded archive will yield an installer file named 'FortiClientSSO.msi'.

 

3. Installing the Mobility Agent.


As the mobility agent is an .msi file, it can technically be installed by just executing it.
However, this results in an installation with no parameters, meaning the FSSO Mobility Agent does not know how to contact FortiAuthenticator.
To this end, the installer accepts the following MSI properties, which can be passed on the msiexec command line (for example from PowerShell) when installing the mobility agent:
SSOSERVER="<IP or hostname of FortiAuthenticator>"
SSOPORT="<FSSO Mobility Agent port; 8001 by default>"
SSOPSK="<pre-shared key to connect to FortiAuthenticator>"

In addition, the regular msiexec parameters may be used; what they are, and how to use them, is described in Microsoft's msiexec documentation.

 

An example installation:

 

  1. Start up PowerShell with administrator privileges.
  2. Navigate to the folder with the unpacked installer.
  3. Run the following in PowerShell:


msiexec /i FortiClientSSO.msi SSOSERVER="fac.forti.lab" SSOPORT="8001" SSOPSK="fortinet_psk1234"


This starts the installation dialogue (which requires accepting the terms and conditions and confirming the installation).

 

Note: Several FortiAuthenticators may be specified in the SSOSERVER parameter, in this format: SSOSERVER='server1:port1,server2:port2'.

 

Once the installation completes, the FSSO Mobility Agent is installed and will try to contact FortiAuthenticator immediately.

 


 

An alternative installation:


msiexec /i FortiClientSSO.msi /qn SSOSERVER="fac.forti.lab" SSOPORT="8001" SSOPSK="fortinet_psk1234"

 

Adding /qn causes the installation to be quiet and not require any user input.

 

As the installer is an .msi file, it may also be distributed via Group Policy in a Windows AD environment.
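The installation in steps 1 to 3, wrapped into one silent PowerShell function as an added example (this is not Fortinet's code and not part of the article): it checks for elevation and domain membership, passes the three MSI properties, writes a verbose Windows Installer log, and interprets the msiexec exit code instead of assuming success. Assumptions: the installer is the FortiClientSSO.msi from the unpacked archive, the property names are SSOSERVER/SSOPORT/SSOPSK as documented above, and the host name, port and PSK in the usage line are the article's placeholder values. Several servers can be given as 'host:port' entries, following the note above.

```powershell
# Added example, not Fortinet's code: silent install of the standalone FSSO Mobility Agent.
# Assumptions: the installer is FortiClientSSO.msi from the unpacked archive; the MSI
# property names SSOSERVER/SSOPORT/SSOPSK are those documented in the article; host, port
# and PSK in the usage line are the article's placeholders.
function Install-FssoMobilityAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $MsiPath,
        [Parameter(Mandatory)][string[]] $Server,          # 'host' or 'host:port'; several allowed
        [string]                         $Port = '8001',   # FSSO Mobility Agent port, 8001 by default
        [Parameter(Mandatory)][string]   $Psk,
        [string]                         $LogPath = (Join-Path $env:TEMP 'FortiClientSSO_install.log'),
        [switch]                         $Interactive      # show the installer dialogue instead of /qn
    )

    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath $MsiPath)) { throw "Installer not found: $MsiPath" }
    $MsiPath = (Resolve-Path -LiteralPath $MsiPath).ProviderPath   # msiexec needs an absolute path

    # The agent installs on a non-domain-joined host but only logs a domain-name error there.
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        Write-Warning 'This host is not domain-joined; the agent will install but will not run properly.'
    }

    # MSI properties go on the command line as NAME="value"; a double quote inside a value
    # would break that quoting, so refuse it rather than pass a mangled PSK.
    foreach ($v in (@($Psk, $Port) + $Server)) {
        if ($v -match '"') { throw 'Double quotes are not allowed in SSOSERVER/SSOPORT/SSOPSK values.' }
    }
    $serverList = $Server -join ','      # article format for several servers: server1:port1,server2:port2

    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath),
        '/l*v', ('"{0}"' -f $LogPath),   # verbose Windows Installer log for troubleshooting
        '/norestart',                    # report exit code 3010 instead of rebooting on its own
        ('SSOSERVER="{0}"' -f $serverList),
        ('SSOPORT="{0}"' -f $Port),
        ('SSOPSK="{0}"' -f $Psk)
    )
    if (-not $Interactive) { $msiArgs += '/qn' }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host 'Installed; the agent will try to contact FortiAuthenticator immediately.' }
        3010    { Write-Warning 'Installed; a reboot is required to finish.' }
        1641    { Write-Warning 'Installed; Windows Installer has started a reboot.' }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Usage (placeholder values from the article):
Install-FssoMobilityAgent -MsiPath '.\FortiClientSSO.msi' -Server 'fac.forti.lab:8001' -Psk 'fortinet_psk1234'
```

Two caveats when typing the msiexec line by hand in PowerShell rather than through this function: a property value containing spaces must be wrapped as one token, e.g. 'SSOPSK="my psk"', or PowerShell splits it; and the PSK is visible in the process command line while msiexec runs and may be recorded in the verbose log, so keep the log on the host and remove it once troubleshooting is done.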

 

4. Verifying the Mobility Agent installation:


Once the Mobility Agent is installed, the following should exist on the system:

  • A 'FortiClient' folder under C:\Program Files\Fortinet\.
    • This may contain a 'logs' folder with *.dat files that the Mobility Agent writes its logs to.
    • These logs (SQLite databases) can be useful in troubleshooting.
  • A registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_SSOMA' containing several values:
    • The value 'serveraddress' should contain the server IP or FQDN from the installation parameter, along with the port.
    • The values 'enabled' and 'installed' should be set to 1.
  • A service called "Fortinet Mobility Agent Service Scheduler".

 

The Mobility Agent will also start sending traffic to FortiAuthenticator; Wireshark on the workstation (or a packet capture on a gateway in between) will show traffic to the FortiAuthenticator IP on the configured port roughly every 10 minutes.

 

Note:

Adding a registry value 'prefer_azure', set to 1, under HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_SSOMA lets FSSOMA detect Azure/Entra ID user information.

 

5. Uninstalling the FSSO Mobility Agent.

 

If necessary, this can be done in the same manner as installation:

  1. Start up PowerShell with administrator privileges.
  2. Navigate to the folder with the unpacked installer.
  3. Run the following in PowerShell:


msiexec /x FortiClientSSO.msi

 

Note that uninstalling the Mobility Agent requires a reboot to complete properly.
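Uninstalling without the original .msi at hand, as an added PowerShell example (not Fortinet's code and not part of the article): the function looks up the product code under the Windows Installer Uninstall keys so that msiexec /x works even after the extracted archive is gone, runs quietly with /norestart, and handles the reboot the article says is required (exit code 3010). The DisplayName pattern is an assumption; check the entry under the Uninstall key on one host first and adjust it.

```powershell
# Added example, not Fortinet's code: quiet uninstall of the FSSO Mobility Agent by product
# code, with the reboot requirement handled explicitly. Assumption: the DisplayName pattern
# below matches the agent's entry under the Uninstall registry key.
function Uninstall-FssoMobilityAgent {
    [CmdletBinding()]
    param(
        [string] $MsiPath,                                  # original installer, if still available
        [string] $DisplayNamePattern = 'FortiClient*SSO*',  # assumed; verify on one host and adjust
        [string] $LogPath = (Join-Path $env:TEMP 'FortiClientSSO_uninstall.log'),
        [switch] $Reboot                                    # reboot automatically when msiexec asks for it
    )

    if ($MsiPath -and (Test-Path -LiteralPath $MsiPath)) {
        $target = '"{0}"' -f (Resolve-Path -LiteralPath $MsiPath).ProviderPath
    } else {
        # Find the MSI product code ({GUID} subkey) so the .msi file is not needed.
        $keys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
        $entry = Get-ChildItem -Path $keys -ErrorAction SilentlyContinue |
                 Get-ItemProperty |
                 Where-Object { $_.DisplayName -like $DisplayNamePattern -and
                                $_.PSChildName -match '^\{[0-9A-F-]{36}\}$' } |
                 Select-Object -First 1
        if (-not $entry) { throw "No installed product matching '$DisplayNamePattern'; pass -MsiPath instead." }
        $target = $entry.PSChildName
    }

    $msiArgs = @('/x', $target, '/qn', '/norestart', '/l*v', ('"{0}"' -f $LogPath))
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0    { Write-Host 'Uninstalled.' }
        3010 {
            # The article notes that removal only completes after a reboot.
            Write-Warning 'Uninstalled; a reboot is required to complete removal.'
            if ($Reboot) { Restart-Computer -Force }
        }
        default { throw "msiexec /x exited with code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Usage:
Uninstall-FssoMobilityAgent
```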