FortiGate
jdelafuente_FTNT
Article Id 252994
Description

This article describes how to configure the Fortinet Single Sign On Collector Agent (FSSO-CA) in DC Agent mode.

Scope

FSSO, FSSO CA, DC Agent.

Solution

After downloading, validating, and installing FSSO-CA, it is possible to configure it in DC Agent mode.

  • Port Requirements:

Inbound:
UDP/8002 – DC Agent keepalive and logon-event push from the DC Agent to the Collector Agent.
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL).
TCP/8000 – FortiGate to FSSO Collector Agent connection.
TCP/8000 – NTLM.

Outbound:
TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method).
TCP/445 – Workstation check (remote registry).
TCP/389 – Group lookup using LDAP.
TCP/636 – Group lookup using LDAPS.
UDP/53 – DNS for resolving the hostnames seen in the logon events.

FSSO-CA server configuration:

  1. Open FSSO-CA:

fsso10Download1.png

  2. Validate that the Collector Agent status is RUNNING, set a password (take note of it, it will be used for the FortiGate connection) and select Apply to save the password.

FSSOCA_DC_agent1.png

  3. Select 'Show Monitored DCs', then 'Select DC to Monitor'.

FSSOCA_DC_agent2.png

  4. Then select 'DC Agent mode' and select all the DC servers listed:

FSSOCA_DC_agent3.png

  5. Then select OK; DC Agent installation advice will be displayed for each DC server.

FSSOCA_DC_agent4.png

  6. To finish the DC Agent installation a reboot of each DC server is required; the reboots do not have to be done at once, it is possible to wait between each reboot.

FSSOCA_DC_agent5.png

  7. Optional. Install the GUI for the DC Agent:
    Technical Tip: DC Agent Graphical Interface (dc_agent GUI)

Note: The Collector Agent installation needs to run with an account that is a member of the local administrators or domain administrators group. These permissions are required for creating local registry entries, libraries, local folders, logs, etc.

It is a temporary requirement, but it is needed for the installation to complete properly.

To restrict the Fortinet Single Sign On Agent service account, follow the link at the bottom.

Important points to keep in mind:

FortiGate Configuration:

  1. Configure Security Fabric -> External Connector -> Create New.

FSSOCA_FGT.png

  2. In Endpoint Identity -> FSSO Agent on Windows AD.

FSSOCA_FGT2.png

  3. Configure Name, IP/FQDN, and the same password as in point 2.

FSSOCA_FGT3.png

If there are two or more FSSO-CA servers installed, it is possible to add a new entry with '+'. Only one FSSO connector is allowed, even with many FSSO-CA servers; two or more FSSO connectors for the same domain will cause user group inconsistency.

For the user group source, use 'Collector Agent' for Standard mode, or 'Local' for Advanced mode:
Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode

  4. The FSSO connector must show as connected (green); hovering over the connector for a few seconds displays its status.

FSSOCA_FGT4.png

  5. Based on the configuration in point 3 (FSSO Connector -> User group source), create a user group to use in the firewall policy.
    For Collector Agent (imported from FSSO-CA):

FSSOCA_FGT5.png

For Local (imported from LDAP):

FSSOCA_FGT6.png
FSSOCA_FGT7.png

Important Note:

Avoid crossed configurations: the groups used must match the user group source selected on the connector (groups imported from FSSO-CA with 'Collector Agent', groups imported from LDAP with 'Local').

  6. Configure firewall policies with the user group in the source.

FSSOCA_FGT8.png
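The FortiGate side of the steps above (connector, user group, and firewall policy) can also be applied from the FortiOS CLI. The following is an added example written for this article, not configuration taken from it; the connector name, the collector addresses 10.0.0.10 and 10.0.0.11, the password placeholder, the group DN, the interface names and the policy ID are assumed values to be replaced with the real ones.

```text
# Added example: CLI equivalent of FortiGate configuration steps 1 to 6.
# Assumed values: connector name, 10.0.0.10/10.0.0.11, group DN, port1/port2, policy ID 10.

# Step 3: the FSSO connector, pointing at the FSSO-CA server(s) on TCP/8000.
# The second server is the '+' entry in the GUI: one connector, several collectors.
config user fsso
    edit "FSSO-CA"
        set server "10.0.0.10"
        set port 8000
        set password <collector-agent-password-from-point-2>
        set server2 "10.0.0.11"
        set port2 8000
        set password2 <collector-agent-password-from-point-2>
        # To use the TCP/8001 (SSL) port instead: set ssl enable / set port 8001
    next
end

# Step 5: a user group whose members come from the connector (Collector Agent source, Standard mode).
# Member names are the group DNs presented by FSSO-CA; this DN is an assumed value.
config user group
    edit "FSSO_Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"
    next
end

# Step 6: firewall policy that matches only traffic from users logged on via FSSO.
config firewall policy
    edit 10
        set name "FSSO-allow-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Step 4 check from the CLI: connector status and the users currently learned from FSSO-CA.
# diagnose debug authd fsso server-status
# diagnose debug authd fsso list
```

The two diagnose commands at the end are the CLI counterpart of the green connector status in step 4 and are useful when a user is not matched by the policy.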

Related Articles:

Technical Tip: DC Agent Graphical Interface (dc_agent GUI)
Technical Tip: FSSO choose between DC Agent mode or Polling mode
Technical Tip: Downloading FSSO agent software
Technical Tip: How to validate MD5 checksum hash for FSSO installer
Technical Tip: How to install FSSO Collector Agent
Technical Tip: Comparison between DC-Agent mode and polling mode
Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets
Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account