Description
This article describes how to configure the TS-Agent, which allows multiple users to connect to a terminal server simultaneously while restricting each user's access based on their own credentials.
The TS-Agent is a Terminal Services FSSO Agent that authenticates users based on the source port range assigned to each authenticated user, unlike DC-Agent or FSSO polling mode, which are IP-based.
The TS-Agent can be installed on a Citrix, VMware Horizon v7.4, or Windows Terminal Server (such as a jump server) to monitor user logons in real time.
Scope
For Fortinet Single Sign On (FSSO) TS-Agent.
Solution
Download the TSAgent_Setup- .exe or .msi package from the Download section of the support portal.
It is located in the FSSO directory within the FortiGate firmware downloads.
Install it as follows:
After the TS-Agent has been installed, the installer offers the following parameters: the port ranges and the number of port ranges per user.
The secure communication option is only available for use with FortiAuthenticator, not with the FSSO Collector Agent (CA).
If secure communication is used, make sure the firewall allows TCP port 8002; for unsecured communication, allow UDP port 8002.
Verifying TS-Agent users on the Collector Agent: open the logon user list on the Collector Agent.
Note that by default, both TS-Agent and EventLog/DC-Agent logon events are shown, which in some environments can cause undesired authentication issues.
When a user logs into a terminal server with a TS Agent installed, this typically generates two FSSO sessions:
- One session with an IP and a port-range (sourced from the TS Agent).
- One standard session for the whole IP, no port ranges (sourced from event log polling/DC Agent/NetAPI).
To ensure correct authentication, add all terminal server IP addresses to the Collector Agent's dc_agent_ignore_ip_list registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
- Value name: dc_agent_ignore_ip_list
- Value data: semicolon-separated list of IPs for the Collector Agent to ignore.
This drops the non-TS-Agent FSSO sessions (event log polling, DC Agent, NetAPI) for those IPs, leaving only the port-range-based TS-Agent sessions.
Verifying the FortiGate user authentication list and session list:
diagnose debug authd fsso list | grep USER1
IP: 172.31.128.12 User: USER1 Groups: CN=USER1,CN=USERS,DC=HARSHAVARDHAN,DC=COM+CN=ATTACKERS,CN=USERS,DC=HARSHAVARDHAN,DC=COM Workstation: 172.31.128.12!HARSHAVARDHAN!0000000
MemberOf: Admin Tsagent Domain Users - FSSO Session ID: 1 Port Range(2): 1024-1223 1224-1423
Session List:
session info: proto=6 proto_state=01 duration=565 expire=3577 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=USER1 auth_server=FSSO Agent state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=4079/35/1 reply=4958/41/1 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=10.40.63.254/172.31.128.12
hook=post dir=org act=snat 172.31.128.12:1087->172.217.194.189:443(10.40.48.17:61503)
hook=pre dir=reply act=dnat 172.217.194.189:443->10.40.48.17:61503(172.31.128.12:1087)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 auth_info=6 chk_client_info=0 vd=0
serial=01f5964d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
total session 1
Verify the results with the following command:
diagnose firewall auth list | grep USER1
Compared with the FSSO user information from DC-agent mode or polling mode, the FSSO user information originating from TS-agent mode contains an extra element: the port range allocated to the user by the terminal server. This is an important factor when matching the firewall policy.
When the FortiGate performs group matching in the firewall policy for incoming traffic, it matches not only the FSSO group information but also the source port of the traffic. Only traffic whose source port falls within this user's port range can match the policy.
10.30.2.78, GZHONG3
type: fsso_citrix, id: 1, duration: 195, idled: 12
server: FSSO
packets: in 132 out 122, bytes: in 65109 out 45259
group_id: 33554458 33554437 33554485
group_name: CN=DOMAIN USERS,CN=USERS,DC=SYD,DC=FORTILABAPAC,DC=LAB CN=TESTGROUP,CN=USERS,DC=SYD,DC=FORTILABAPAC,DC=LAB CN=USERS,CN=BUILTIN,DC=SYD,DC=FORTILABAPAC,DC=LAB
port_range: (1024-1223)
Note that traffic without source ports, such as ICMP, and traffic such as DNS or SMB that is generated by a system service rather than a user process and therefore does not use the port range assigned by the TS Agent, will NOT match the identity-based policy. As a result, that traffic is dropped by the FortiGate. The TS Agent can only intercept traffic initiated by a user process. It is therefore recommended to configure a separate firewall policy for this traffic without FSSO group matching.
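The two behaviours described above, the Collector Agent's dc_agent_ignore_ip_list and the FortiGate's group-plus-source-port policy match, modelled in Python as an added example (not Fortinet code). The session data is constructed from the article's diag output; the dataclass fields, function names and the "dcagent"/"tsagent" source labels are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class FssoSession:
    ip: str
    user: str
    groups: set                       # FSSO groups the user is a member of
    source: str                       # "tsagent", "dcagent", "polling" or "netapi" (assumed labels)
    port_ranges: list = field(default_factory=list)  # [(low, high), ...]; empty = whole IP

def apply_ignore_list(sessions, dc_agent_ignore_ip_list):
    """Model of the Collector Agent's dc_agent_ignore_ip_list value (semicolon-separated
    IPs): for those IPs only TS-Agent sessions are kept, all other sources are dropped."""
    ignored = {ip.strip() for ip in dc_agent_ignore_ip_list.split(";") if ip.strip()}
    return [s for s in sessions if s.ip not in ignored or s.source == "tsagent"]

def policy_matches(src_ip, src_port, sessions, policy_groups):
    """Model of FortiGate identity-based policy matching: the session must share a
    group with the policy AND, for a TS-Agent session, the source port must fall
    inside one of the user's ranges. Returns the matched user name or None.
    src_port=None represents port-less traffic such as ICMP, which never matches."""
    for s in sessions:
        if s.ip != src_ip or not (s.groups & policy_groups):
            continue
        if not s.port_ranges:                      # whole-IP session (DC Agent/polling)
            return s.user
        if src_port is not None and any(lo <= src_port <= hi for lo, hi in s.port_ranges):
            return s.user
    return None

# Constructed sample data; the IP, user name and port ranges follow the article's diag output.
TS_IP = "172.31.128.12"
SESSIONS = [
    FssoSession(TS_IP, "USER2", {"Tsagent"}, "dcagent"),  # spurious whole-IP logon from event log polling
    FssoSession(TS_IP, "USER1", {"Tsagent"}, "tsagent", [(1024, 1223), (1224, 1423)]),
    FssoSession(TS_IP, "USER2", {"Tsagent"}, "tsagent", [(1424, 1623)]),
]

if __name__ == "__main__":
    # Without the ignore list, USER1's flow from source port 1087 is attributed to USER2.
    print(policy_matches(TS_IP, 1087, SESSIONS, {"Tsagent"}))
    cleaned = apply_ignore_list(SESSIONS, "172.31.128.12;10.30.2.78")
    print(policy_matches(TS_IP, 1087, cleaned, {"Tsagent"}))   # USER1
    print(policy_matches(TS_IP, None, cleaned, {"Tsagent"}))   # None: ICMP has no source port
    print(policy_matches(TS_IP, 50000, cleaned, {"Tsagent"}))  # None: port outside any user range
```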
Note:
Installing a TS Agent from another vendor alongside the Fortinet TS Agent on the same server can cause service/port conflicts, leading to unexpected problems and failures. This coexistence is neither supported nor recommended.
Related articles:
Technical Tip: Excluding IP addresses from FSSO logon events
Technical Tip: Terminal Server Agents and SMB Shared Folders
Technical Tip: FSSO TS-Agent troubleshooting steps