CarlosColombini
Article Id 210969

Description

This article describes how to enable secure (SSL/TLS) communication between the FSSO Collector Agent and DC Agents to address the vulnerability described in CVE-2021-26088 (FG-IR-20-191):
https://www.fortiguard.com/psirt/FG-IR-20-191

 

Scope

FSSO Collector and DC Agent 5.0.297 or higher.

 

Solution

By default, communication between FSSO DC Agents and Collector Agents is performed in plain-text UDP packets on port 8002.

Starting with FSSO agent version 5.0.297, secure communication can be configured as follows:

Collector Agent:

  1. Open the Fortinet Single Sign On Agent Configuration utility (typically located under "C:\Program Files (x86)\Fortinet\FSAE\FSAEConfig.exe").
  2. Enable the checkbox 'Enable SSL'.
  3. Make a note of the 'DCAgent SSL' port that will be used in the DC Agent configuration.
  4. Define a Pre-shared Key.
  5. Select 'Apply'.

DC Agent:

  1. Open the DC Agent Configuration Utility (typically located under "C:\Program Files\Fortinet\FSAE\DCAgentConfig.exe").
  2. Enable the checkbox 'Secure Communication'.
  3. Define the Pre-shared Key with the same value previously configured on Collector Agent.
  4. Add or modify the Collector Agent port to match the one defined in the Collector Agent.

Note:

If the port is being modified, for example from 8002 to 8003, select 'Modify' before saving the configuration.

Note:

The pre-shared key (PSK) must not be longer than 15 characters.

  • The DC Agent Configuration Utility may not be present on the Domain Controller if the DC Agent was installed via the Collector Agent. To add the utility back to the domain controller, download and run the DC Agent installer from the Fortinet Support site ('DCAgent_Setup_<version number>_x64.exe'). This process also allows modifying the settings of an existing DC Agent installation, including enabling TLS/SSL communication, setting a password, and changing the target Collector Agent IP/port.

Verification:

Starting with FSSO Collector and DC Agent version 5.0.304, the list of SSL DC Agents is shown under 'Show Monitored DCs'.

Additional note regarding DC Agents installed on Windows Server Core:

Some admins utilize Windows Server Core as a base for their Active Directory Domain Controllers. While DC Agent-based FSSO does work with Windows Server Core, the lack of support for most GUI applications means that, by default, the DC Agent Configuration Utility cannot be used to change the settings.

Furthermore, it is not possible to simply enable TLS/SSL communication on the domain controller via registry modification: the password-related registry key is encrypted and is non-trivial to replicate without the GUI utility.

To work around this, admins can install Microsoft's 'Server Core App Compatibility Feature on Demand', which adds basic support for GUI-based applications (such as the DCAgent_Setup installer) to Windows Server Core installations (Windows Server 2019 and later).
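The Server Core workaround above, as an added PowerShell example that is not part of the original article: it checks whether Microsoft's App Compatibility Feature on Demand is present, installs it if missing, and then launches the DC Agent installer from a path you supply. The capability name and the `$InstallerPath` parameter are assumptions; the Feature on Demand normally requires a reboot and, on a server without internet access, a mounted FoD ISO passed via `-Source`.

```powershell
# Added example: prepare a Windows Server Core domain controller so the DC Agent
# GUI installer can run. Assumes Windows Server 2019 or later, an elevated
# PowerShell session, and that the capability name below is correct for the build.
param(
    # Path to the downloaded installer, e.g. C:\Temp\DCAgent_Setup_<version number>_x64.exe
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

# Assumption: name of Microsoft's Server Core App Compatibility Feature on Demand.
$CapabilityName = 'ServerCore.AppCompatibility~~~~0.0.1.0'

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "DC Agent installer not found at '$InstallerPath'."
}

$cap = Get-WindowsCapability -Online -Name $CapabilityName
if ($cap.State -ne 'Installed') {
    Write-Host "Installing '$CapabilityName' (needs internet access or a FoD ISO via -Source)..."
    $result = Add-WindowsCapability -Online -Name $CapabilityName
    if ($result.RestartNeeded) {
        Write-Warning 'A reboot is required before GUI applications will run. Reboot, then re-run this script.'
        return
    }
}
else {
    Write-Host "'$CapabilityName' is already installed."
}

# Launch the DC Agent installer. In its GUI, enable 'Secure Communication', enter the
# same pre-shared key (15 characters maximum) configured on the Collector Agent, and set
# the Collector Agent IP and the 'DCAgent SSL' port noted from the Collector Agent utility.
Start-Process -FilePath $InstallerPath -Wait
```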