Created on 02-06-2024 08:40 AM Edited on 05-23-2024 07:07 AM By Stephen_G
This article describes detailed installation steps for a standalone FSSO Mobility Agent.
FortiClient, FSSO Mobility Agent.
FortiClient offers an FSSO mobility agent as part of its feature set.
The FSSO mobility agent is able to report user logins to FortiAuthenticator, and FortiAuthenticator can then turn those logins into FSSO sessions.
This feature is included in the full FortiClient version, and in the free VPN-only FortiClient (starting from firmware 7.0.3).
There is also a standalone FSSO mobility agent (without any other FortiClient features) available; the archive with the installer will typically be called something like 'FortiClientSSOSetup[...]'.
Note that the FSSO Mobility Agent will install on, but will not run properly on, any non-domain-joined workstation; it will simply log an error that the domain name could not be read.
1. Download the standalone FSSO mobility agent.
The standalone version is located in the firmware download section available in support.fortinet.com, under FortiClient.
The various Windows firmware versions will also contain a FortiClientSSOSetup_[version].zip file, which contains the actual FSSO Mobility Agent installer.
Download this in the desired firmware version.
For compatibility, refer to the FortiAuthenticator release notes.
2. Unpack the FSSO Mobility Agent.
Unpacking the downloaded archive will yield an installer file named 'FortiClientSSO.msi'.
3. Installing the Mobility Agent.
As the mobility agent is an .msi file, it can technically be installed by just executing it.
However, this leads to an installation with no parameters, meaning the FSSO Mobility Agent does not know how to contact the FortiAuthenticator.
To this end, there are installation parameters which can be used in PowerShell when installing the mobility agent:
SSOSERVER="<IP or hostname of FortiAuthenticator>"
SSOPORT="<FSSO Mobility Agent port; 8001 by default>"
SSOPSK="<preshared key to connect to FortiAuthenticator>"
In addition, regular msiexec parameters may be used; what those are, as well as how to use them, may be found in Microsoft documentation.
An example installation:
msiexec /i FortiClientSSO.msi SSOSERVER="fac.forti.lab" SSOPORT="8001" SSOPSK="fortinet_psk1234"
This starts up an installation dialogue (requiring accepting Terms and Conditions, and confirming installation).
Note: Several FortiAuthenticators may be specified in this format: SSOSERVER='server1:port1,server2:port2'.
After this has progressed, the FSSO Mobility Agent will be installed and will try to contact FortiAuthenticator immediately.
An alternative installation:
msiexec /i FortiClientSSO.msi /qn SSOSERVER="fac.forti.lab" SSOPORT="8001" SSOPSK="fortinet_psk1234"
Adding /qn causes the installation to be quiet and not require any user input.
As the installer is an .msi file, it may be distributed via Group Policies in a Windows AD environment.
4. Verifying the Mobility Agent installation:
Once the Mobility Agent is installed, the following should exist in the operating system:
The Mobility Agent will also start sending traffic to FortiAuthenticator; using Wireshark (or sniffing traffic on a gateway in between) will show traffic to the FortiAuthenticator IP on the configured port roughly every 10 minutes.
Note:
Adding a 'prefer_azure' registry key, set to 1, under the registry location \Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_SSOMA lets FSSOMA detect Azure/EntraID user information.
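The installation and verification steps above can be combined into one script. The following is an added example, not a Fortinet-provided script: it checks the domain-join precondition, prompts for the preshared key instead of hardcoding it, runs the quiet install, and tests that the FortiAuthenticator port is reachable. The server name and port are the article's sample values, and the assumption is that the agent port is a TCP port.

```powershell
# Added example, not Fortinet's script. Save as a .ps1 and run it from an elevated
# PowerShell prompt. Defaults are the article's sample values; adjust as needed.
param(
    [string]$Msi    = '.\FortiClientSSO.msi',
    [string]$Server = 'fac.forti.lab',
    [int]$Port      = 8001
)

# The agent installs but cannot run on a workstation that is not domain-joined.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    throw 'Workstation is not domain-joined; the FSSO Mobility Agent will not run properly.'
}
if (-not (Test-Path -LiteralPath $Msi)) { throw "Installer not found: $Msi" }

# Prompt for the preshared key so it is not stored in the script or shell history.
# It is still passed to msiexec as a property, so it is visible in the process
# command line while the installer runs.
$secure = Read-Host -Prompt 'FSSO preshared key' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

$msiArgs = @(
    '/i', "`"$((Resolve-Path -LiteralPath $Msi).Path)`"",
    '/qn', '/norestart',
    "SSOSERVER=`"$Server`"",
    "SSOPORT=`"$Port`"",
    "SSOPSK=`"$psk`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Remove-Variable -Name psk, msiArgs

# 0 = success, 3010 = success but a reboot is required; anything else is a failure.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# The agent contacts FortiAuthenticator right after install, so the port must be reachable.
# Assumption: the configured agent port is TCP.
$probe = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Output "Installed; TCP $Port on $Server is reachable."
} else {
    Write-Warning "Installed, but TCP $Port on $Server is not reachable from this host."
}
```

A successful port test only shows network reachability; whether FortiAuthenticator accepts the agent still depends on the preshared key matching.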
5. Uninstalling the FSSO Mobility Agent.
If necessary, this can be done in the same manner as installation:
msiexec /x FortiClientSSO.msi
Note that uninstalling the Mobility Agent will require a reboot to complete properly.