Created on 04-25-2023 12:50 AM Edited on 08-28-2024 03:09 AM By Jean-Philippe_P
This article describes how to configure Fortinet Single Sign On Collector Agent (FSSO-CA) in DC Agent mode.
FSSO, FSSO CA, DC Agent.
After downloading, validating, and installing FSSO-CA, it is possible to configure it in DC Agent mode.
Inbound.
UDP/8002 – DC_Agent keepalive and push logon info to Collector Agent.
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL).
TCP/8000 – FortiGate to FSSO Collector Agent connection.
TCP/8000 – NTLM.
Outbound.
TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method).
TCP/445 – Workstation check (remote registry).
TCP/389 – Group lookup using LDAP.
TCP/636 – Group lookup using LDAPS.
UDP/53 – DNS for resolving hostnames of the logon events.
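The port list above, applied as Windows Firewall rules on the Collector Agent server with each inbound port limited to the peers that use it, followed by a reachability test of the outbound TCP ports. This is an added example, not part of the original article or of Fortinet's tooling; the IP addresses (documentation range), the rule names, and the assignment of peers to each port (domain controllers for UDP/8002 and LDAP, FortiGate for TCP/8000 and TCP/8001) are assumptions to adapt.

```powershell
# Run in an elevated PowerShell session on the Collector Agent server.
# Placeholder addresses (assumptions, not from the article): replace with your own.
$FortiGate         = @('192.0.2.1')                # FortiGate interface(s) that connect to the Collector Agent
$DomainControllers = @('192.0.2.10', '192.0.2.11') # DCs running DC Agent, also used here as LDAP servers
$Workstation       = @('192.0.2.50')               # one sample workstation for the workstation-check ports

# Inbound ports from the list above, each allowed only from the peers that need it.
$inbound = @(
    @{ Name = 'FSSO-CA DC Agent keepalive and logon push'; Protocol = 'UDP'; Port = 8002; From = $DomainControllers },
    @{ Name = 'FSSO-CA FortiGate connection (SSL)';        Protocol = 'TCP'; Port = 8001; From = $FortiGate },
    @{ Name = 'FSSO-CA FortiGate connection and NTLM';     Protocol = 'TCP'; Port = 8000; From = $FortiGate }
)

foreach ($r in $inbound) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.From | Out-Null
}

# Outbound TCP ports from the list above.
# UDP/53 and UDP/137 are not tested: Test-NetConnection only tests TCP.
$outbound = @(
    @{ Target = $DomainControllers; Port = 389; Use = 'Group lookup (LDAP)' },
    @{ Target = $DomainControllers; Port = 636; Use = 'Group lookup (LDAPS)' },
    @{ Target = $Workstation;       Port = 445; Use = 'Workstation check (remote registry)' },
    @{ Target = $Workstation;       Port = 135; Use = 'Workstation check (polling fallback)' },
    @{ Target = $Workstation;       Port = 139; Use = 'Workstation check (polling fallback)' }
)

$results = foreach ($o in $outbound) {
    foreach ($t in $o.Target) {
        # -InformationLevel Quiet returns $true or $false instead of a full report.
        $ok = Test-NetConnection -ComputerName $t -Port $o.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $t; Port = $o.Port; Use = $o.Use; Reachable = $ok }
    }
}

# Review the inbound rule scopes and the outbound reachability.
Get-NetFirewallRule -DisplayName 'FSSO-CA*' | Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress | Format-Table -AutoSize
$results | Format-Table -AutoSize
```

If LDAPS is used for group lookup, TCP/389 can be dropped from the outbound checks, and the reverse for plain LDAP.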
FSSO-CA server configuration:
Note: The Collector Agent installation needs to run with an account that is a member of the local administrators or domain administrators. The permissions are required for creating local registry entries, libraries, local folders, logs, etc.
This is a temporary requirement; however, it is needed for the installation to complete properly.
To restrict a Fortinet Single Sign On Agent Service account, follow the link at the bottom.
Important points to keep in mind:
FortiGate Configuration.
If two or more FSSO-CA servers are installed, each additional server can be added as a new entry with '+'. Only one FSSO Connector is allowed, and it can contain many FSSO-CA servers; two or more FSSO Connectors for the same domain will cause user group inconsistency.
For user group sources, use 'Collector Agent' for Standard, or 'Local' for Advanced:
Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode
For Local (imported from LDAP):
Important Note:
Avoid using crossed configurations.
Related Articles:
Technical Tip: DC Agent Graphical Interface (dc_agent GUI)
Technical Tip: FSSO choose between DC Agent mode or Polling mode
Technical Tip: Downloading FSSO agent software
Technical Tip: How to validate MD5 checksum hash for FSSO installer
Technical Tip: How to install FSSO Collector Agent
Technical Tip: Comparison between DC-Agent mode and polling mode
Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets
Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account