FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ebilcari
Staff
Article Id 230166

Description

This article explains how to publish a DNS SRV record on the production DNS server so that the FortiNAC Persistent Agent can discover its FortiNAC Server. A DNS A record for the FortiNAC FQDN is still needed: the SRV record only names the host and port, it does not replace the address record.

Agent server discovery is the mechanism the agent uses to determine which FortiNAC Server it should connect to.

Scope

Any Windows Server running DNS and a FortiNAC Persistent Agent on a Windows endpoint.

Solution

First, verify the DNS suffix on the endpoint where the agent is installed:

ipconfig /all

~

Connection-specific DNS Suffix . : eb.lab
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : 00-76-6F-6C-23-01

By default, the FortiNAC agent tries to resolve '_bradfordagent._tcp.<dns suffix>', where <dns suffix> is the connection-specific DNS suffix shown above. This is client-side service (SRV) discovery: the agent asks DNS where the agent service is listening, and the expected answer is one or more server hostnames with a priority, a weight and a port, the same way a Windows client sends an _ldap._tcp SRV query to find the domain controllers of the domain it joins.

In this article the name is '_bradfordagent._tcp.eb.lab'. It has DNS record type SRV, and it can be checked from the end user device to make sure it is resolvable:

nslookup -querytype=srv _bradfordagent._tcp.eb.lab

The agent log file is C:\ProgramData\Bradford Networks\general.txt. A failed lookup looks similar to this:

:: Looking up _bradfordagent._tcp.eb.lab
:: status = 9003 lasterror = 0
:: Server List:
:: About to delete transport

Status 9003 is the Windows DNS client error DNS_ERROR_RCODE_NAME_ERROR: the queried name does not exist (NXDOMAIN), so the agent ends up with an empty server list.

When the client is in an isolated network and FortiNAC's eth1 interface is acting as its DNS server, FortiNAC's internal DNS server answers this query itself. When the client resides on other networks, the production DNS server must hold the record.

To create this record on Windows Server DNS:

(Screenshot: new record.png, creating the _bradfordagent._tcp SRV record in DNS Manager)

In this case, the DNS suffix of the end user (eb.lab) differs from the domain FortiNAC uses (eb.eu). The SRV record must therefore be created in the zone of the user's domain, the one in the DNS suffix, and its target set to the FortiNAC FQDN, which belongs to a different private or public domain. Where both are the same domain, the record is created in that single DNS tree. In either case the target hostname needs an A record that the endpoint can resolve.

(Screenshot: record.png, the resulting record: _bradfordagent._tcp in zone eb.lab, target fnac.eb.eu, port 4568)

Now it can be tested on the end user device:

>ipconfig /flushdns
>nslookup -querytype=srv _bradfordagent._tcp.eb.lab
Server: DC01.eb.eu
Address: 10.1.1.10

_bradfordagent._tcp.eb.lab SRV service location:
priority = 0
weight = 0
port = 4568
svr hostname = fnac.eb.eu                 <- SRV target: the FortiNAC FQDN
fnac.eb.eu internet address = 10.0.0.5    <- the target's A record, returned in the same answer

Next, check the agent log. If the change was picked up, the output looks similar to this:

:: Looking up _bradfordagent._tcp.eb.lab
:: Server List: fnac.eb.eu,

Scrolling down shows the agent verifying the FortiNAC server's TLS certificate:

:: Host = fnac.eb.eu
:: SSL_get_verify_result = 0
:: SSL Certificate verification result: ok

SSL_get_verify_result = 0 is the OpenSSL value for a successfully verified certificate chain. Since the SRV record alone decides which host the agent connects to, this check is what keeps a wrong or tampered record from silently handing the agent to an untrusted server, so confirm it reports ok for the SRV target hostname.

The agent settings can also be checked in the registry of the PC where the agent is installed:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bradford Networks\Client Security Agent

(Screenshot: reg-ag.PNG, the agent's registry key)
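The following PowerShell script is an added example and is not part of the Fortinet article or of FortiNAC's own tooling. It performs the steps above end to end: publishing the SRV record on the Windows DNS server, then, from the endpoint, flushing the resolver cache, resolving the SRV record for the connection-specific suffix, confirming the target's A record, and reading the agent log and registry key. The zone eb.lab, target fnac.eb.eu, port 4568, log path and registry key come from the article; the function names, parameter defaults and log search patterns are this example's own assumptions, and the DnsServer module must be present on the DNS server.

```powershell
# Added example, not from the Fortinet article: script the steps above.
# Values taken from the article: zone eb.lab (endpoint DNS suffix), target fnac.eb.eu,
# port 4568, log path and registry key. Function names and defaults are this example's own.

function New-FortiNacAgentSrvRecord {
    # Run on the Windows DNS server authoritative for the endpoint's DNS suffix.
    # Needs the DnsServer module (DNS Server role or RSAT).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ZoneName = 'eb.lab',      # zone matching the endpoint's DNS suffix
        [string]$Target   = 'fnac.eb.eu',  # FortiNAC FQDN, may live in another zone
        [int]   $Port     = 4568,          # agent port seen in the article's SRV answer
        [int]   $Priority = 0,
        [int]   $Weight   = 0
    )
    $name = '_bradfordagent._tcp'          # service and protocol labels the agent queries

    # Idempotent: return the existing record if the same target and port are already published.
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName.TrimEnd('.') -eq $Target -and $_.RecordData.Port -eq $Port }
    if ($existing) { Write-Verbose 'SRV record already present'; return $existing }

    if ($PSCmdlet.ShouldProcess("$name.$ZoneName", "Add SRV -> ${Target}:$Port")) {
        Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $name -DomainName $Target `
            -Port $Port -Priority $Priority -Weight $Weight -PassThru
    }
}

function Test-FortiNacAgentDiscovery {
    # Run on the endpoint. Repeats the article's checks: flush the cache, resolve the SRV
    # record for the connection-specific suffix, confirm the target has an A record,
    # then show the relevant agent log lines and the agent's registry key.
    param(
        [string]$DnsSuffix,   # defaults to the first connection-specific suffix from Get-DnsClient
        [string]$LogPath = 'C:\ProgramData\Bradford Networks\general.txt'
    )
    if (-not $DnsSuffix) {
        $DnsSuffix = Get-DnsClient | Where-Object ConnectionSpecificSuffix |
            Select-Object -First 1 -ExpandProperty ConnectionSpecificSuffix
    }
    $fqdn = "_bradfordagent._tcp.$DnsSuffix"
    Clear-DnsClientCache

    # Resolve-DnsName also returns the target's A record in the additional section; keep only SRV here.
    $srv = Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
    foreach ($r in $srv) {
        # The SRV target is the FortiNAC FQDN; it must itself resolve, or the agent cannot connect.
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A'
        [pscustomobject]@{
            Query     = $fqdn
            Target    = $r.NameTarget
            Port      = $r.Port
            Priority  = $r.Priority
            Weight    = $r.Weight
            TargetIPs = ($a.IPAddress -join ', ')
        }
    }

    # Agent log: an empty "Server List:" or "status = 9003" means the SRV lookup failed.
    if (Test-Path $LogPath) {
        Select-String -Path $LogPath -Pattern 'Looking up|status = |Server List|SSL_get_verify_result|verification result' |
            Select-Object -Last 8 -ExpandProperty Line
    }
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Bradford Networks\Client Security Agent' -ErrorAction SilentlyContinue
}

# On the DNS server:  New-FortiNacAgentSrvRecord -WhatIf ; New-FortiNacAgentSrvRecord -Verbose
# On the endpoint:    Test-FortiNacAgentDiscovery -DnsSuffix eb.lab
```

Run the first function with -WhatIf on the DNS server before committing the change; it prints the record it would add without touching the zone. On the endpoint, an empty TargetIPs column in the output of the second function reproduces the failure the article warns about: the SRV record exists but the FortiNAC FQDN it points to has no A record the endpoint can resolve.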

Related articles:

Technical Tip: Production DNS records for agent communication.

Troubleshooting Tip: DNS SRV queries not sent from Persistent Agent host.