In_HLee
Staff
Article Id 260140
Description

This article describes how to install a FortiPAM agent on an SSOMA device.

Scope

FortiClient SSOMA + FortiPAM agent 7.2.1.

Solution

FortiClient Single Sign-On Mobility Agent (SSOMA) licenses must be purchased separately to use SSO features with FortiAuthenticator. Most key privileged access management (PAM) features require the FortiClient PAM agent. Version 7.2.1 adds support for installing SSOMA and the FortiPAM agent on the same device.

Use one of the following methods to install FortiPAM and SSOMA on the same device. These same methods can also be used to upgrade an existing SSOMA-only or FortiPAM-only endpoint to include both features:

- Method 1: Install FortiPAM, export and edit the configuration file to include the SSOMA configuration, and reimport the configuration file.

- Method 2: Install and run the SSO configuration tool file to create new installer files, and run the installers to install or upgrade the FortiClient PAM agent.

To use Method 1:

1) Install FortiPAM using an installer.

2) In Command Prompt, go to the FortiClient directory.

3) Export the configuration file using the following command:

FCConfig.exe -o export -f C:\config.conf -p 11111111

4) Edit the configuration file and add the SSOMA configuration. Confirm that the FortiPAM default port is configured as 9191. The following provides an example:

<forticlient_configuration>
  <fssoma>
    <enabled>1</enabled>
    <serveraddress>fac0824.test.local:8001</serveraddress>
    <presharedkey><![CDATA[Fortinet123!]]></presharedkey>
    <address_category>0</address_category>
  </fssoma>
  <pam>
    <enabled>1</enabled>
    <default_port>9191</default_port>
  </pam>
</forticlient_configuration>

5) Save the configuration file.

6) In Command Prompt, go to the FortiClient directory. Import the configuration file using the following command:

FCConfig.exe -o import -f C:\config.conf -p 11111111

7) Verify the configuration:

   a) Log in to the endpoint as a domain user.

   b) In FortiAuthenticator, go to Monitor > SSO > SSO Sessions to confirm whether the SSOMA session is functioning.

      [Screenshot: FAC SSO monitor.PNG]

   c) In FortiPAM, confirm access to a secret created in FortiPAM.

      [Screenshot: FortiPAM secret.png]
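
A check that can be run on the edited file from step 4 before the import in step 6, as an added example that is not part of the original article or of Fortinet's tooling. It reads only the elements shown in the sample configuration; the function name check_config and the placeholder key in the constructed input are assumptions.

```python
import xml.etree.ElementTree as ET

SAMPLE_PSK = "Fortinet123!"  # key printed in the article's sample; not for deployment
PAM_PORT = "9191"            # FortiPAM default port the article says to confirm

def check_config(xml_text):
    """Return a list of problems found in an edited FortiClient config export."""
    root = ET.fromstring(xml_text)
    if root.tag != "forticlient_configuration":
        return ["root element is not <forticlient_configuration>"]

    def text(path):
        # strip() removes whitespace left around a CDATA section split over lines
        value = root.findtext(path)
        return None if value is None else value.strip()

    problems = []
    if text("fssoma/enabled") != "1":
        problems.append("fssoma/enabled is not 1")
    server = text("fssoma/serveraddress") or ""
    host, sep, port = server.rpartition(":")
    if not (sep and host and port.isdecimal() and 0 < int(port) < 65536):
        problems.append("fssoma/serveraddress is not host:port")
    psk = text("fssoma/presharedkey")
    if not psk:
        problems.append("fssoma/presharedkey is empty or missing")
    elif psk == SAMPLE_PSK:
        problems.append("fssoma/presharedkey is the article's sample value")
    if text("pam/enabled") != "1":
        problems.append("pam/enabled is not 1")
    if text("pam/default_port") != PAM_PORT:
        problems.append("pam/default_port is not 9191")
    return problems

# Constructed input: the article's sample with a placeholder key and a wrong PAM port.
EDITED = """<forticlient_configuration>
  <fssoma>
    <enabled>1</enabled>
    <serveraddress>fac0824.test.local:8001</serveraddress>
    <presharedkey><![CDATA[REPLACE-WITH-REAL-KEY]]></presharedkey>
    <address_category>0</address_category>
  </fssoma>
  <pam><enabled>1</enabled><default_port>9192</default_port></pam>
</forticlient_configuration>"""

if __name__ == "__main__":
    for problem in check_config(EDITED) or ["no problems found"]:
        print(problem)
```

As the article's sample shows, the edited file carries the SSOMA preshared key in readable form, so remove it from disk once the import has succeeded.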

 

To use Method 2:

1) Acquire and unzip the FortiClientSSOConfigurationTool_7.2.1.XXXX.zip file.

2) Run the FortiClientSSOConfigurator.

3) In the Single Sign-On Mobility Agent Settings dialog, configure SSOMA as the deployment requires.

4) Enable Include PAM. In the PAM Port field, enter 9191. Select Next. This creates a new folder, which includes x64 and x86 installer files.

5) Open Command Prompt as an administrator, and run the following command to run the installer:

msiexec /i FortiClientSSO.msi TRANSFORMS=FortiClientSSO.mst

6) Verify the configuration:

   a) Log in to the endpoint as a domain user.

   b) In FortiAuthenticator, go to Monitor > SSO > SSO Sessions to confirm whether the SSOMA session is functioning.

      [Screenshot: FAC SSO monitor.PNG]

   c) In FortiPAM, confirm access to a secret created in FortiPAM.

      [Screenshot: FortiPAM secret.png]
