Article Id 335611
Description This article describes how to secure the connection between a TS-Agent and an FSSO-Collector Agent (Windows and FortiAuthenticator).
Scope TS-Agent and FSSO Collector Agent, FortiGate, FortiAnalyzer.
Solution
This article describes how to secure the connection between the FSSO TS-Agent and the FSSO Collector Agent.
 
The FSSO TS-Agent authenticates to the Collector Agent over TLS using a pre-shared key (PSK).
The same PSK must be configured on both the client (FSSO TS-Agent) and the server (Collector Agent).
 
In the FSSO-CA configurator tool, check the 'Enable SSL' box and set the 'preshared key'.
It is also possible to change the SSL port (by default, the FSSO-CA listens on TCP/8003).
Then select 'Apply' to save the configuration.
 
[Screenshot: FSSO Collector Agent configurator, 'Enable SSL' and preshared key settings (TS-Agent_FSSOCA.png)]
In the FSSO TS-Agent configurator tool, select the FSSO CA IP address and port, check the 'Secure connection' box, and set the same pre-shared key used in the FSSO CA configurator tool. Select 'Apply' to save the settings.
[Screenshot: FSSO TS-Agent configurator, 'Secure connection' and pre-shared key settings (TS-Agent_FSSO-CA.png)]
If keepalive messages or login information are not showing under FSSO Collector Agent -> Show Monitored DCs, the TCP or TLS handshake between the TS-Agent and the Collector Agent may not have completed.
 
  1. Check that the FSSO Collector Agent is listening on the configured TCP port (in the Windows command prompt, run 'netstat -ano | findstr <PORT>', replacing <PORT> with the configured port).
  2. Check that traffic from the TS-Agent to the FSSO CA is allowed on TCP/8003 (or the configured port).
  3. Take a packet capture to confirm the TCP and TLS handshake. If the pre-shared keys do not match, a TLS error is shown during the negotiation.
[Screenshot: packet capture of the TS-Agent to Collector Agent TLS negotiation (TS-Agent_TLS.png)]
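The following Python script is an added example, not part of this article or of the Fortinet agents, showing how steps 1 and 3 above can be checked from saved output rather than by eye: it parses 'netstat -ano' output to confirm a LISTENING socket on the configured port, and it walks the TLS records from a captured TCP stream to tell a completed handshake apart from one the Collector Agent rejected with an alert. The netstat text, the PIDs, the addresses and the byte string standing in for the capture are all constructed for the example, and the alert description a real FSSO CA sends on a PSK mismatch is not documented here, so the sample uses a generic handshake_failure alert.

```python
from __future__ import annotations

import struct

# Constructed sample of 'netstat -ano' output on the Collector Agent host.
# The addresses and PIDs are invented; 8003 is the default FSSO-CA port.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8003           0.0.0.0:0              LISTENING       4120
  TCP    192.0.2.10:8003        192.0.2.25:51022       ESTABLISHED     4120
"""

# Constructed stand-in for the TCP payload of a capture (step 3): a minimal
# ClientHello record from the TS-Agent followed by a fatal alert from the CA.
# Record header = content type (1), version (2), length (2).
SAMPLE_CAPTURE = (
    b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"   # handshake: client_hello
    + b"\x15\x03\x03\x00\x02" + b"\x02\x28"             # alert: fatal, handshake_failure
)

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {20: "bad_record_mac", 40: "handshake_failure",
                      47: "illegal_parameter", 51: "decrypt_error",
                      115: "unknown_psk_identity"}


def listening_pids(netstat_output: str, port: int) -> list[int]:
    """Return PIDs of TCP sockets in LISTENING state on `port` (step 1)."""
    pids = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "TCP":
            continue
        local, state, pid = cols[1], cols[3], cols[4]
        # rsplit copes with both 0.0.0.0:8003 and [::]:8003 forms.
        if local.rsplit(":", 1)[1] == str(port) and state == "LISTENING":
            pids.append(int(pid))
    return pids


def parse_tls_records(data: bytes) -> list[dict]:
    """Split a raw TCP payload into TLS records and label each one (step 3)."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        rec = {"type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": "%d.%d" % (major, minor)}
        if ctype == 22 and body:
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])
        elif ctype == 21 and len(body) >= 2:
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
        records.append(rec)
        off += 5 + length
    return records


def diagnose(records: list[dict]) -> str:
    """Summarise what the TLS records say about the TS-Agent connection."""
    if not records:
        return "no TLS records seen: check the TCP connection and port first"
    for rec in records:
        if rec["type"] == "alert" and rec.get("level") == "fatal":
            return "TLS handshake rejected with fatal alert: " + rec["description"]
    if any(rec["type"] == "application_data" for rec in records):
        return "TLS handshake completed, application data flowing"
    return "TLS handshake started but not completed in this capture"


if __name__ == "__main__":
    print("PIDs listening on 8003:", listening_pids(NETSTAT_SAMPLE, 8003))
    recs = parse_tls_records(SAMPLE_CAPTURE)
    for rec in recs:
        print(rec)
    print(diagnose(recs))
```

In practice the netstat text comes from 'netstat -ano' on the Collector Agent host and the byte string from the reassembled TCP stream of the capture; a fatal alert right after the ClientHello is the pattern to look for when the pre-shared keys differ, while no TLS records at all points back to steps 1 and 2.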