mturic
Staff
Article Id 190104
Description
The Windows server core is a minimal installation option that is available when installing the standard or datacenter editions of Windows Server.
By design, server core does not have a traditional desktop interface.
Instead, server core is designed to be managed remotely through the command line, PowerShell, or a special GUI tool, which means that the usual GUI configuration of FSSO collector agent is not possible.


This article describes how to configure FSSO Collector agent on Windows server core.

Solution
Every FortiOS firmware version specifies in its release notes the minimum FSSO version needed, as well as the supported operating systems for FSSO installation.
First, verify that the FSSO version to be installed supports the Windows server core version in use.


After installing the collector agent via the installation wizard, it is necessary to configure it.
The usual GUI method runs FSAEConfig.exe, but in a server core environment all configuration has to be performed directly in the registry.


The FSSO collector agent settings are stored in the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
Note: For options not explicitly specified in the following table, the standard registry binary values of 0 (False/disabled) and 1 (True/enabled) apply.





For example, in the test environment it looks like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent]
"supportLogonMonitor"=dword:00000001
"admode"=dword:00000001
"supportNTLMauth"=dword:00000001
"domain_list"="TEST:test.local"
"ep_eventid_list"="2"
"supportFSAEauth"=dword:00000000
"supportLogonMonitorType"=dword:00010001
"pushIgnoreListToDC"=dword:00000001
"verifyIP"=dword:00000000
"ep_gobackhours"=dword:00000000
"directDNSlookup"=dword:00000001
"callgethostbyname"=dword:00000001
"DNSlookupinterval"=dword:0000000f
"grouplookupinterval"=dword:00000000
"checkinterval"=dword:0000003c
"timeoutinterval"=dword:00000078
"workerthreadcount"=dword:00000080
"use_groupcache"=dword:00000000
"max_FGT_session"=dword:00000040
"GroupCacheExpiration"=dword:0000003c
"log_level"=dword:00000001
"log_level_event"=dword:00000000
"log_size"=dword:00a00000
"dcagentport"=dword:00001f42
"enableauth"=dword:00000001
"fortigateport"=dword:00001f40
"fortigatesslport"=dword:00001f41
"dc_agent_ignore_ip_list"=""
"version"="5.0.0278"
"password_new"="**********"
"enable_ssoma"=dword:00000000
"workstation_in_logon_session"=dword:00000000
"wmi_logoff_check"=dword:00000001
"enable_deadthread_detect"=dword:00000000
"tsagent_alive_check"=dword:00000000
"InstallDir"="C:\\Program Files (x86)\\Fortinet\\FSAE"
"host"="10.0.0.10"
"uninstallDCAgent"=dword:00000001
"dc_list"="TEST/DC02.test.local;TEST/DC01.test.local"
"ad_port"=dword:00000cc4
"ad_server"="DC01.mt-test.local"
"ad_baseDN"="DC=mt-test,DC=local"
"ad_authuser"="service_fssouser"
"ad_passwd_new"="**********"
"ad_secureconnection"=dword:00000000
"DNS_list"="10.0.0.10"
"disable_rdp_override"=dword:00000000
Group filters and Ignore user lists are set in the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent\Filter
Entries in the ignore user list use the format 'domain\username'; the wildcards '*' and '?' are supported. For example:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent\Filter]
"ignore_users"="TEST\\admin_*;TEST\\Administrator;TEST\\service*;TEST\\srv_*"
Group filters are set by creating a registry key (folder) under collectoragent\Filter\ with the FortiGate serial number as its name.
Inside the new registry key, the group list can be specified, for example:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent\Filter\FGVMxxxxxxxxx]
"groups"="CN=Domain Users,CN=Users,DC=test,DC=local"
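On server core, the same Filter entries can be written from an elevated PowerShell session instead of importing a .reg file. The script below is an added example, not part of the original article or Fortinet's tooling; it uses the article's test-environment values, and `FGVMxxxxxxxxx` is the article's serial number placeholder, to be replaced with the real FortiGate serial number.

```powershell
# Added example: applies the Filter settings from this article and reads back
# selected collector agent DWORDs in decimal for review.
$base   = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'
$filter = Join-Path $base 'Filter'
$serial = 'FGVMxxxxxxxxx'   # placeholder from the article, not a real serial

if (-not (Test-Path $base)) {
    throw "Collector agent key not found: $base (is the collector agent installed?)"
}

# Ignore user list: 'domain\username' entries joined with ';'.
# A .reg export shows each backslash doubled (TEST\\admin_*); the value stored
# in the registry, and written here, contains a single backslash.
$ignoreUsers = 'TEST\admin_*', 'TEST\Administrator', 'TEST\service*', 'TEST\srv_*'
if (-not (Test-Path $filter)) { New-Item -Path $filter | Out-Null }
Set-ItemProperty -Path $filter -Name 'ignore_users' `
    -Value ($ignoreUsers -join ';') -Type String

# Group filter: one subkey per FortiGate, named after its serial number.
$fgtKey = Join-Path $filter $serial
if (-not (Test-Path $fgtKey)) { New-Item -Path $fgtKey | Out-Null }
Set-ItemProperty -Path $fgtKey -Name 'groups' `
    -Value 'CN=Domain Users,CN=Users,DC=test,DC=local' -Type String

# Read back what was written.
Get-ItemProperty -Path $filter | Select-Object ignore_users
Get-ItemProperty -Path $fgtKey | Select-Object groups

# .reg exports show DWORDs in hex; print ports and intervals in decimal so they
# can be compared against firewall rules and the FortiGate configuration.
$props = Get-ItemProperty -Path $base
$names = 'dcagentport', 'fortigateport', 'fortigatesslport', 'ad_port',
         'checkinterval', 'timeoutinterval', 'enableauth', 'ad_secureconnection'
foreach ($name in $names) {
    $value = $props.$name
    if ($null -eq $value) {
        '{0,-20} = <not set>' -f $name
    } else {
        '{0,-20} = {1} (0x{1:x8})' -f $name, $value
    }
}
```

With the article's test values, `dword:00001f40` reads back as 8000, `dword:00001f42` as 8002, and `dword:00000cc4` as 3268. The masked `password_new` and `ad_passwd_new` values are deliberately not touched by this script.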

