FortiGate
adimailig
Staff
Article Id 275562

 

Description

This article describes how to configure multiple FSSO Agents that connect to multiple FSSO Collector Agent (CA) servers monitoring the same domain/groups.

 

1.PNG
In this deployment there are two Domain Controller servers, each with the FSSO Collector Agent installed. The AD servers replicate the same domain and the same AD groups/users.
The goal is to configure multiple FSSO Agents and monitor logon events on each FSSO CA.
The first FSSO Agent (FSSO_DC1) is configured with 'User group source' set to Collector Agent and is able to poll 37 user groups from the FSSO CA.

2.PNG

 

The second FSSO Agent (FSSO_DC2) is also configured with 'User group source' set to Collector Agent and is in connected status. However, no users/groups are monitored for the second FSSO Agent.

3.PNG

 

Summary of FSSO Agent Status:

4.PNG

Scope

FortiGate, FSSO.
Solution

Running the application debug for the authd process shows the logs and error below:


diag debug application authd -1
diag debug enable


With the debug enabled, select 'Apply' and then 'Refresh' on the FSSO connector to trigger the group update:

5.PNG

_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/PRINT OPERATORS exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/CERT PUBLISHERS exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/RAS AND IAS SERVERS exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/ALLOWED RODC PASSWORD REPLICATION GROUP exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/DENIED RODC PASSWORD REPLICATION GROUP exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/DNSADMINS exists (vd=root)
_process_ad_info[FSSO_DC2]: updated user.adgrp with 0 entries



This means that the groups received from the second FSSO CA already exist in the FortiGate configuration, so authd adds 0 new user.adgrp entries for FSSO_DC2.
Checking the FortiGate configuration confirms that these groups are already referenced to FSSO_DC1.

Because each user.adgrp entry carries a single server-name, the same entries cannot also be referenced to FSSO_DC2.


show user adgrp

    edit "TEST-DOMAIN/CERT PUBLISHERS"
        set server-name "FSSO_DC1"
    next
    edit "TEST-DOMAIN/RAS AND IAS SERVERS"
        set server-name "FSSO_DC1"
    next
    edit "TEST-DOMAIN/ALLOWED RODC PASSWORD REPLICATION GROUP"
        set server-name "FSSO_DC1"
    next
    edit "TEST-DOMAIN/DENIED RODC PASSWORD REPLICATION GROUP"
        set server-name "FSSO_DC1"
    next
    edit "TEST-DOMAIN/DNSADMINS"
        set server-name "FSSO_DC1"
    next
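The two outputs above (the authd debug lines and `show user adgrp`) are enough to spot this condition without reading them by hand. The following script is an added example written for this article, not Fortinet code: it parses constructed sample output in the same formats shown above, builds the group-to-server-name map from `show user adgrp`, and reports every group that an agent received but that user.adgrp already binds to a different agent. The sample config and log lines are constructed for the example; the line formats are assumed to match the excerpts on this page.

```python
import re
from collections import defaultdict

# Constructed sample: excerpt of `show user adgrp` output. HELPDESK is
# included (bound to FSSO_DC2) to show a group that is NOT a conflict.
SHOW_USER_ADGRP = """\
config user adgrp
    edit "TEST-DOMAIN/CERT PUBLISHERS"
        set server-name "FSSO_DC1"
    next
    edit "TEST-DOMAIN/DNSADMINS"
        set server-name "FSSO_DC1"
    next
    edit "TEST-DOMAIN/HELPDESK"
        set server-name "FSSO_DC2"
    next
end
"""

# Constructed sample: lines captured from `diag debug application authd -1`
AUTHD_DEBUG = """\
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/CERT PUBLISHERS exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/DNSADMINS exists (vd=root)
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/HELPDESK exists (vd=root)
_process_ad_info[FSSO_DC2]: updated user.adgrp with 0 entries
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
SERVER_RE = re.compile(r'^\s*set server-name\s+"([^"]+)"')
EXISTS_RE = re.compile(r'^_process_ad_info\[([^\]]+)\]: group (.+?) exists \(vd=(\w+)\)')
UPDATED_RE = re.compile(r'^_process_ad_info\[([^\]]+)\]: updated user\.adgrp with (\d+) entries')


def parse_adgrp(text):
    """Return {group_name: server_name} from `show user adgrp` output."""
    bindings = {}
    current = None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SERVER_RE.match(line)
        if m and current is not None:
            bindings[current] = m.group(1)
        if line.strip() == "next":
            current = None
    return bindings


def parse_authd(text):
    """Return ({agent: [groups reported as existing]}, {agent: entries added})."""
    seen = defaultdict(list)
    added = {}
    for line in text.splitlines():
        m = EXISTS_RE.match(line)
        if m:
            seen[m.group(1)].append(m.group(2))
            continue
        m = UPDATED_RE.match(line)
        if m:
            added[m.group(1)] = int(m.group(2))
    return dict(seen), added


def find_conflicts(adgrp_text, authd_text):
    """List (agent, group, owner) where a group the agent received is already
    bound to a different server-name in user.adgrp. Also return the
    'updated user.adgrp with N entries' counters per agent."""
    bindings = parse_adgrp(adgrp_text)
    seen, added = parse_authd(authd_text)
    conflicts = []
    for agent, groups in seen.items():
        for group in groups:
            owner = bindings.get(group)
            if owner is not None and owner != agent:
                conflicts.append((agent, group, owner))
    return conflicts, added


if __name__ == "__main__":
    conflicts, added = find_conflicts(SHOW_USER_ADGRP, AUTHD_DEBUG)
    for agent, group, owner in conflicts:
        print(f"{agent}: '{group}' is already bound to {owner}")
    for agent, count in added.items():
        if count == 0:
            print(f"{agent}: 0 user.adgrp entries added; check the conflicts above")
```

Running it on real output (paste the two captures into the two strings, or read them from files) lists the groups that explain the "updated user.adgrp with 0 entries" line: each one is already owned by the first agent, which is exactly the situation the article resolves by switching the second agent's user group source to Local.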



To resolve the issue and achieve the goal of monitoring logon events on both collectors, configure the second FSSO Agent to use Local as its 'User group source'.

This requires an LDAP Server to be configured on the FortiGate. Refer to the following guide to configure the LDAP Server:
Configuring an LDAP server


Edit the second FSSO Agent and change 'User group source' to Local.
Select the LDAP Server from which the users/user groups will be retrieved, then select 'Edit'. This opens the LDAP Tree View, where the groups or users whose logon events will be monitored can be selected.

6.PNG

7.PNG

 

Right-click the users or groups to monitor, then select 'Add Selected'.
All selected users and groups can be reviewed under the 'Selected' tab.

 

8.PNG

 

11.png

 

The second FSSO Agent now shows 2 users/groups currently monitored by the FSSO CA:

9.PNG


10.PNG

 

The recommended and usual way to deploy FSSO connectors is a single Collector Agent entry with a primary and a secondary IP, rather than one connector per collector.

 

Note: FortiGate connects to a single IP only and forwards the group filter to that Collector Agent. The other Collector Agent does not receive the group filter, so troubleshooting a missing user should start on the FortiGate and then continue on the connected Collector Agent.

Checking the non-connected Collector Agent may be misleading, since a user's presence or absence there does not reflect what the FortiGate has listed.

 

When troubleshooting such a setup, hovering the mouse over the FSSO connector in the GUI displays one entry in bold: that is the connected IP/FQDN. In the CLI, the same information is available with:

 

diag debug enable
diag debug auth fsso server-status