Created on 04-18-2023 10:35 PM
Edited on 02-23-2025 11:34 AM
By Stephen_G
Description
This article describes the two operational modes for Fortinet Single Sign On Collector Agent (FSSO-CA).
Scope
FSSO Collector Agent.
Solution
Fortinet Single Sign-On Collector Agent (FSSO-CA):
FSSO-CA is software developed by Fortinet Inc. that acts as a collector agent for domain logon events. It can be installed on a Domain Controller (DC) or on any other server that is a member of the domain it will work with.
FSSO-CA can work in one of two operation modes: 'DC Agent' or 'Polling'.
DC Agent mode.
- In this mode, each Windows DC collects its own logon information and sends it to the collector agent(s).
- It is the recommended mode for FSSO because it scales better.
- Requires one DC Agent (installed as C:\Windows\System32\dcagent.dll) on each Windows DC.
- The Windows DC server must be rebooted after the DC Agent is installed.
Workflow.
- The user authenticates against the Windows DC.
- The DC agent sees the login event and forwards it to the collector agent.
- The collector agent receives the event from the DC Agent and forwards it to FortiGate.
- FortiGate knows the user based on their IP address.
To select this mode, open FSSO-CA as administrator, select Show Monitored DCs -> Select DC to Monitor... and select DC Agent Mode (the first time this mode is selected, a server reboot may be required).
Polling Mode.
- In this mode, the collector agent 'polls' each Windows DC for logon events.
- No DC Agent is required on the Domain Controller.
- Every few seconds, the Collector Agent polls each DC for user logon events. It requires SMB (TCP/445) as the main port, with TCP/135, TCP/139 and UDP/137 as fallback.
- This mode requires a less complex installation.
- Polling mode can be configured in three ways:
| Polling Method | Main features | Some issues |
| NetAPI | Polls the NetSessionEnum function every 9 seconds or less. Retrieves login sessions, including DC login events. | Faster, but if the DC has a heavy system load, some login events can be missed. |
| WinSecLog | Polls all security events on the DC every 10 seconds or more. Only event IDs known to the collector agent (poller ID) are parsed. | Log latency if the network is large or the system is slow. Requires fast network links. Some workstation names may be lost. |
| WMI | The DC returns all requested login events every 3 seconds. Improves on WinSecLog bandwidth usage. | Some workstation names may be lost. |
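Polling mode only works if the Collector Agent host can actually reach each DC on the ports listed above. The following PowerShell script is an added example, not Fortinet's code, for checking that prerequisite from the collector host before selecting Polling Mode. It assumes the script runs on the collector host, and that the RSAT ActiveDirectory module is available for DC discovery (otherwise pass the DC names with -DomainController). Test-NetConnection can only probe TCP, so UDP/137 is reported as needing a separate check.

```powershell
# Added example (not Fortinet's code): verify the ports polling mode needs
# from the Collector Agent host to each Domain Controller.
# Assumptions: runs on the collector host; Get-ADDomainController is available
# (RSAT ActiveDirectory module) unless -DomainController is supplied.
param(
    [string[]]$DomainController
)

if (-not $DomainController) {
    # Discover all DCs in the current domain (assumption: AD module present).
    $DomainController = (Get-ADDomainController -Filter *).HostName
}

$mainPort    = 445          # SMB, the main port for polling mode
$fallbackTcp = @(135, 139)  # TCP fallback ports named in the article
$fallbackUdp = 137          # UDP/137 cannot be probed with Test-NetConnection

foreach ($dc in $DomainController) {
    $smb = Test-NetConnection -ComputerName $dc -Port $mainPort -WarningAction SilentlyContinue
    if ($smb.TcpTestSucceeded) {
        [pscustomobject]@{ DC = $dc; Port = "TCP/$mainPort"; Reachable = $true; Role = 'main' }
        continue
    }

    # Main port is closed: report whether the fallback path is at least open.
    foreach ($p in $fallbackTcp) {
        $r = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = "TCP/$p"; Reachable = $r.TcpTestSucceeded; Role = 'fallback' }
    }
    Write-Warning "$dc : TCP/$mainPort is closed; UDP/$fallbackUdp must be verified separately (for example on the firewall)."
}
```

Run it as `.\Check-FssoPollingPorts.ps1 | Format-Table` on the collector host; any DC that is only reachable on the fallback ports should be treated as a configuration problem to fix, since the fallback path is slower and does not cover UDP/137 in this check.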
Workflow.
- The user authenticates with the DC.
- The Collector Agent polls the DC at short intervals to collect user logon events.
- The Collector Agent forwards the logons to FortiGate.
To select this work mode, open FSSO-CA as administrator, select Show Monitored DCs -> Select DC to Monitor... and select Polling Mode.
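To make the WinSecLog behaviour in the table above concrete (fixed poll interval, only known event IDs parsed, events only visible on the next poll), here is an added PowerShell example that is not Fortinet's code and not how the agent is implemented internally. It reads the DC's Security log in poll rounds and extracts the fields a collector would need. The DC name is a constructed placeholder, and $EventIds defaults to 4624 (the Windows "An account was successfully logged on" event) purely as an assumption; the IDs FSSO actually parses are listed in the related article on WinSec polling event IDs.

```powershell
# Added example (not Fortinet's code): a minimal poll of a DC's Security log,
# showing what WinSecLog-style polling does and where its latency comes from.
# Assumptions: the caller can read the DC's Security log remotely; the DC name
# is constructed; 4624 is a placeholder event ID, not FSSO's actual list.
param(
    [string]$DomainController = 'dc01.example.local',  # constructed name
    [int[]] $EventIds         = @(4624),               # placeholder ID
    [int]   $IntervalSeconds  = 10,                    # article: 10 seconds or more
    [int]   $Polls            = 3
)

$lastPoll = (Get-Date).AddSeconds(-$IntervalSeconds)

for ($i = 0; $i -lt $Polls; $i++) {
    $now    = Get-Date
    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $lastPoll; EndTime = $now }

    # Only the known event IDs are requested; everything else in the log is ignored.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the fields a collector needs: account, source IP, workstation name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            IpAddress   = $data['IpAddress']
            # An empty workstation field is the "workstation name may be lost" case.
            Workstation = if ($data['WorkstationName']) { $data['WorkstationName'] } else { '<lost>' }
        }
    }

    # Anything written after $now is only seen on the next round: on a slow DC or
    # a large network this is the log latency the article warns about.
    $lastPoll = $now
    Start-Sleep -Seconds $IntervalSeconds
}
```

Lengthening $IntervalSeconds reduces load on the DC but increases the delay before FortiGate learns about a logon; shortening it does the opposite, which is the trade-off between the three polling methods in the table.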
Related articles:
- Handbook Guide: Handbook - Agent Based FSSO
- Installation and configuration basics:
- Troubleshooting and common issues:
- Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
- Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode
- Technical Tip: FSSO Group Filter configured on Collector Agent
- Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account
- Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets