pjang (Staff)
Article Id 337607
Description This article describes the basic requirements for implementing Fortinet Single Sign-On, including operating system support and general notes on system requirements.
Scope FortiGate, FSSO, Microsoft Windows Server.
Solution

Table of Contents.

  1. Introduction
  2. General System Requirements
    1. Operating System
    2. CPU/Memory
    3. Network
  3. Additional Notes

Introduction.

If FSSO is unfamiliar, start with the FSSO documentation in the Fortinet Docs library.

For information on which FSSO versions are recommended for FortiGate/FortiOS compatibility, refer to the Release Notes for the version of FortiOS running on each of the FortiGates in use.

Note that FSSO agent versions are backwards-compatible, so any version of the FSSO agent software that is at or later than the version suggested in the Release Notes can be installed.

General System Requirements.

Operating System:

  • Domain Controller Agents (aka DC Agents) can only be installed on Microsoft Active Directory Domain Controllers. This in turn means that DC Agents are only supported on the Microsoft Windows Server operating systems (OS) series.
    • Note: DC Agents must be installed on all domain controllers in the domain. Failure to do so could result in logon events being missed (e.g. user logs in to a domain controller missing a DC-Agent, which results in the Collector Agent not having an associated user entry).
  • Collector Agents (aka CAs) can be installed on Microsoft Windows Server-based hosts.
  • Novell eDirectory Agents can be installed on Microsoft Windows Server hosts that have Novell eDirectory 8.8 installed. The eDirectory Agent functions similarly to the standard Collector Agent and obtains login info from eDirectory using the Novell API or via LDAP.
  • Terminal Server agent (aka TS Agents) can be installed on Microsoft Windows Server hosts that have Citrix VDI, VMware Horizon 7.4, or Windows Terminal Server to monitor virtual desktop/terminal server user logons in real time. TS Agents function similarly to DC Agents.

As of the time this article was written, the following Windows Server versions are supported for FSSO agent installation:

  • Windows Server 2022 (Standard/Datacenter)
  • Windows Server 2019 (Standard/Datacenter)
  • Windows Server 2016 (Standard/Datacenter)
  • Windows Server 2012 and 2012 R2 (Standard/Datacenter)

Note: Server Core and Server with Desktop Experience are both generally supported for DC-Agent operation. For an up-to-date list for a specific FSSO version, refer to the Product Integration and Support sections of the FortiGate/FortiOS Release Notes.

CPU/Memory:

  • There are generally no minimum CPU/memory requirements for the DC-Agent or TS-Agent, as they are both lightweight DLLs that monitor login events and transmit them over the network to the Collector Agent(s).
  • For the Collector Agent and eDirectory Agent, there is again no 'minimum' system resource requirement.
    • However, keep in mind that the Collector Agent aggregates incoming logon events from all DC-Agents and also acts as a distribution point for all connected FortiGates. This means that real-world system requirements will increase in proportion to system load (i.e. the number of logon events, number of monitored domain controllers, number of connected FortiGates, etc.), and so CPU/memory allocations may need to be adjusted accordingly.
    • If preparations are being made to implement FSSO in an existing environment (especially a large, complex Active Directory domain), consider testing in a proof-of-concept lab before moving to production.
      • Alternatively, consider engaging the services of Fortinet Professional Services, who can help to design an FSSO deployment plan for any environment.
    • Finally, while it is acceptable to install both the DC and Collector Agents onto the same domain controller, it is recommended to install the Collector Agent to a dedicated Windows Server host (or multiple hosts if redundancy is required).

Network:

  • For the list of network ports/protocols involved with FSSO, refer to Technical Tip: List of TCP and UDP ports used by the FSSO Collector Agent.
  • Similar to the CPU/memory requirements, network requirements will depend on the size of the environment and will need to be adjusted based on environmental conditions.
    • However, it is generally recommended to have a low-latency, no packet-loss network environment to ensure that logon events are transmitted and processed without any drops or issues.

Additional Notes:

High level overview: DC Agent operation:

  • The domain controller will notify the DC Agent process/thread whenever a logon event is triggered. After receiving the notification, the DC Agent process adds the logon event to an internal queue and then resumes monitoring for logon events.
  • A second thread monitors this queue and processes each queued logon event. During this process, the thread tries to resolve the workstation name to an IP address via DNS before sending the logon event to the Collector Agent.
  • Notably, the logon event queue is limited to roughly 10,000 logon events at any given time. If the queue is overloaded (e.g. due to a combination of excessive incoming login events and slow event processing) then any excess logon events will be discarded.
    • Consider using the Ignore User list to ignore logon events on the DC Agent and Collector Agents. In particular, Service Accounts and Windows servers within the domain are good candidates to ignore, as they can frequently generate logon events that do not need to be tracked for FSSO purposes. See the following article for more information on the Ignore User List function: Technical Tip: How and why to use the 'Ignore User List' option in FSSO Collector Agent.
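The two-stage pipeline above (notification thread enqueues, processing thread resolves and forwards, bounded queue discards the excess) can be modelled to see the failure mode in numbers. The following is an added, constructed simulation and is not Fortinet code: thread timing is replaced by discrete ticks, the DNS lookup is a deterministic stand-in, and the queue limit, burst size, throughput and the "svc-backup" service account are assumed sample values. It shows a sustained logon burst overflowing the queue and the same burst handled without loss once service-account logons are filtered by an Ignore User list before they are queued.

```python
"""Constructed model of the DC Agent logon-event pipeline (not Fortinet code).

Two stages, as described in the article: the notification stage enqueues each
logon event, and a separate processing stage resolves the workstation name and
forwards the event to the Collector Agent. The queue is bounded (~10,000
events), so a sustained burst that outpaces processing discards events. An
Ignore User list applied before enqueueing removes service-account noise.
Thread timing is replaced by discrete ticks so the result is deterministic.
"""
from collections import deque
from dataclasses import dataclass, field
import zlib

QUEUE_LIMIT = 10_000  # approximate DC Agent queue capacity from the article


@dataclass(frozen=True)
class LogonEvent:
    user: str
    workstation: str


def resolve_workstation(name: str) -> str:
    """Stand-in for the per-event DNS lookup: maps a name to a TEST-NET-1 address."""
    return f"192.0.2.{zlib.crc32(name.encode()) % 254 + 1}"


@dataclass
class DCAgentModel:
    ignore_users: frozenset = frozenset()
    queue: deque = field(default_factory=deque)
    forwarded: int = 0
    dropped: int = 0
    ignored: int = 0

    def on_logon_notification(self, event: LogonEvent) -> None:
        """Notification stage: apply the Ignore User list, then enqueue or discard on overflow."""
        if event.user.lower() in self.ignore_users:
            self.ignored += 1
        elif len(self.queue) >= QUEUE_LIMIT:
            self.dropped += 1  # queue overloaded: the excess event is lost
        else:
            self.queue.append(event)

    def process(self, budget: int) -> int:
        """Processing stage: resolve and forward up to `budget` queued events per tick."""
        done = 0
        while self.queue and done < budget:
            event = self.queue.popleft()
            resolve_workstation(event.workstation)  # DNS step performed per event
            self.forwarded += 1
            done += 1
        return done


def logon_burst(per_tick: int, service_every: int) -> list[LogonEvent]:
    """Constructed sample: per_tick logons, every service_every-th one from a service account."""
    return [
        LogonEvent("svc-backup" if i % service_every == 0 else f"user{i:05d}", f"ws{i:05d}")
        for i in range(per_tick)
    ]


def simulate(ticks: int, per_tick: int, throughput: int, ignore_users=()) -> dict:
    """Run `ticks` rounds of burst-then-process and return the resulting counters."""
    agent = DCAgentModel(ignore_users=frozenset(u.lower() for u in ignore_users))
    for _ in range(ticks):
        for event in logon_burst(per_tick, service_every=4):
            agent.on_logon_notification(event)
        agent.process(throughput)
    return {
        "forwarded": agent.forwarded,
        "dropped": agent.dropped,
        "ignored": agent.ignored,
        "backlog": len(agent.queue),
    }


if __name__ == "__main__":
    # 2,000 logons per tick for 20 ticks; the processing stage manages 1,500 per tick.
    print("no ignore list :", simulate(20, 2000, 1500))
    print("ignore svc acct:", simulate(20, 2000, 1500, ignore_users={"svc-backup"}))
```

Without the ignore list the backlog grows by 500 events per tick, reaches the limit on tick 18 and discards logons from then on; with the service account ignored, arrivals match throughput and nothing is dropped. The real agent's per-event cost is dominated by the DNS lookup, which is why slow or failing name resolution is as much a cause of overflow as the burst itself.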

Windows Updates and FSSO

  • Keep in mind that much of the FSSO infrastructure runs on Microsoft Windows Server-based hosts, and so Windows Updates can sometimes unexpectedly impact FSSO operation.
  • For example, see the following community article regarding the FSSO impact observed after installing KB5039227 or KB5039217 on Windows Server 2022 and Server 2019 respectively: Technical Tip: FSSO breaks after installing Microsoft KB5039227 or KB5039217 update.
  • It is recommended to carefully review the list of upcoming Windows Updates before they are installed on the servers, and to confirm that FSSO is working after updates are applied to hosts running DC Agents and Collector Agents.