Description
This article explains how to publish, on the production DNS server, the SRV record that FortiNAC agents use for server discovery. The SRV record supplements the DNS A record for the FQDN of FortiNAC; the A record is still required, because the SRV answer carries a hostname, not an address.
Agent server discovery is the mechanism the agent uses to determine which FortiNAC Server it should connect to.
Scope
Any Windows Server hosting the DNS role, and a FortiNAC agent.
Solution
First, verify the DNS suffix on the end-user device on which the Agent is installed:
ipconfig /all
~
Connection-specific DNS Suffix . : eb.lab
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : 00-76-6F-6C-23-01
By default, the FortiNAC agent tries to resolve '_bradfordagent._tcp.<dns suffix>'. This is a client-side service (SRV) discovery: the agent asks DNS where the service for the Agents is listening. The expected response is a server, or set of servers, given as target hostnames with ports (and priority/weight), which the A records then resolve to IP addresses. This is the same pattern a Microsoft Windows client uses when it queries the _ldap._tcp SRV records to join a Windows domain.
In this article, the record is '_bradfordagent._tcp.eb.lab'. It has the DNS record type SRV, and it can be queried from the end-user device to ensure that it is resolvable:
nslookup -querytype=srv _bradfordagent._tcp.eb.lab
The agent log file is located at C:\ProgramData\Bradford Networks\general.txt. A failure to resolve the record looks similar to this (status 9003 is the Windows DNS error DNS_ERROR_RCODE_NAME_ERROR, 'DNS name does not exist', and the Server List is empty):
:: Looking up _bradfordagent._tcp.eb.lab
:: status = 9003 lasterror = 0
:: Server List:
:: About to delete transport
When the client is in an isolated network and FortiNAC's eth1 interface is acting as the DNS server, the query is answered by FortiNAC's internal DNS server and nothing needs to be configured. When the client resides on any other network, the production DNS server must contain this record.
To create this record on Windows Server DNS:
In this example, the DNS suffix of the end user (eb.lab) differs from the domain FortiNAC belongs to (eb.eu). The SRV record must therefore be created in the zone that matches the client's suffix (eb.lab), with its target pointing to the FortiNAC FQDN in the other domain (fnac.eb.eu). The target must be a hostname that has an A record, not an IP address, and it should be the FQDN that FortiNAC presents in its server certificate, since the agent verifies that certificate after connecting (see the log output further down). When the two domains are the same, the SRV record and the A record are created in the same DNS zone.
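As an added example, not part of the original article, the same record can be created and verified from PowerShell instead of the DNS Manager console. The zone eb.lab, the target fnac.eb.eu and port 4568 are the values used in this article; the DnsServer cmdlets must run on the server hosting the eb.lab zone (or against it with -ComputerName), and the client-side checks run on the end-user device.

```powershell
# Added example (not from the original article): create and verify the
# FortiNAC agent SRV record with PowerShell. Assumed values from this
# article: client suffix/zone 'eb.lab', FortiNAC FQDN 'fnac.eb.eu',
# agent port 4568.

# --- On the Windows DNS server that hosts the client's zone (eb.lab) ---
# Requires the DnsServer module (DNS Server role or RSAT) and admin rights.
$Zone    = 'eb.lab'            # zone matching the client's DNS suffix
$Service = '_bradfordagent._tcp'
$Target  = 'fnac.eb.eu'        # FortiNAC FQDN; must already have an A record
$Port    = 4568

# Precondition: the SRV target must resolve, otherwise the agent receives a
# hostname it cannot connect to.
if (-not (Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue)) {
    throw "No A record for $Target - create it before adding the SRV record."
}

# Create the SRV record only if it does not exist yet (safe to re-run).
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Service `
                -RRType Srv -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $Service `
        -DomainName $Target -Port $Port -Priority 0 -Weight 0 `
        -TimeToLive 01:00:00
}

# Show what the server now holds for the record.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Service -RRType Srv |
    Select-Object HostName,
                  @{ n = 'Target'; e = { $_.RecordData.DomainName } },
                  @{ n = 'Port';   e = { $_.RecordData.Port } }

# --- On the end-user device running the agent ---
Clear-DnsClientCache                                   # same as ipconfig /flushdns
$srv = @(Resolve-DnsName -Name "$Service.$Zone" -Type SRV |
         Where-Object Type -eq 'SRV')
if ($srv.Count -eq 0) { throw "SRV record $Service.$Zone not resolvable from this client." }
$srv | Format-Table Name, NameTarget, Port, Priority, Weight

# Confirm the target resolves and the agent port is reachable from here.
Test-NetConnection -ComputerName $srv[0].NameTarget -Port $srv[0].Port
```

The client-side section reproduces the nslookup test that follows in the article; the additional Test-NetConnection call separates a DNS problem (no SRV answer) from a network problem (record correct, but port 4568 on the target is filtered).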
Now it can be tested on the end user device:
>ipconfig /flushdns
>nslookup -querytype=srv _bradfordagent._tcp.eb.lab
Server: DC01.eb.eu
Address: 10.1.1.10
_bradfordagent._tcp.eb.lab SRV service location:
priority = 0
weight = 0
port = 4568
svr hostname = fnac.eb.eu <-
fnac.eb.eu internet address = 10.0.0.5 <-
Next, check the Agent log. If the new record has been picked up, the output will look similar to this (a non-empty Server List):
:: Looking up _bradfordagent._tcp.eb.lab
:: Server List: fnac.eb.eu,
Scrolling down will show the certificate verification of FortiNAC:
:: Host = fnac.eb.eu
:: SSL_get_verify_result = 0
:: SSL Certificate verification result: ok
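The two log excerpts above (the failed lookup with status 9003 and the successful one ending in certificate verification) can be checked mechanically. The following function is an added example, not Fortinet's code; it relies only on the line formats quoted in this article, and the sample log it is run against is constructed here.

```powershell
# Added example (not from the original article): summarize the most recent
# server-discovery attempt found in the agent log. Line formats are the ones
# quoted in this article; the sample log at the bottom is constructed.
function Get-FortiNacDiscoveryStatus {
    param([string]$LogPath = 'C:\ProgramData\Bradford Networks\general.txt')

    $lines = @(Get-Content -Path $LogPath)

    # Find the newest 'Looking up' line so an old failure is not reported
    # after the record has been fixed.
    $idx = -1; $query = $null
    for ($i = $lines.Count - 1; $i -ge 0; $i--) {
        if ($lines[$i] -match 'Looking up (\S+)') { $idx = $i; $query = $Matches[1]; break }
    }
    if ($idx -lt 0) {
        return [pscustomobject]@{ Query = $null; Result = 'No discovery attempt logged' }
    }
    $tail = $lines[$idx..($lines.Count - 1)]

    $statusLine = $tail | Select-String -Pattern 'status = (\d+)' | Select-Object -First 1
    $serverLine = $tail | Select-String -Pattern 'Server List:\s*(.*)$' | Select-Object -First 1
    $certLine   = $tail | Select-String -Pattern 'SSL Certificate verification result: (.*)$' |
                  Select-Object -First 1

    # 'Server List: fnac.eb.eu,' has a trailing comma; drop empty entries.
    $servers = @()
    if ($serverLine) {
        $servers = @($serverLine.Matches[0].Groups[1].Value -split ',' |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $dnsStatus  = if ($statusLine) { [int]$statusLine.Matches[0].Groups[1].Value } else { 0 }
    $certResult = if ($certLine) { $certLine.Matches[0].Groups[1].Value } else { 'not logged' }

    $result = if ($servers.Count -eq 0) {
        # 9003 is Win32 DNS_ERROR_RCODE_NAME_ERROR: the SRV name does not exist.
        if ($dnsStatus -eq 9003) { 'SRV record missing (DNS name does not exist)' }
        else                     { "SRV lookup returned no servers (status $dnsStatus)" }
    } elseif ($certLine -and $certResult -ne 'ok') {
        'Server found but certificate verification failed'
    } else {
        'Discovery OK'
    }

    [pscustomobject]@{
        Query      = $query
        DnsStatus  = $dnsStatus
        Servers    = $servers
        CertResult = $certResult
        Result     = $result
    }
}

# Constructed sample log: a failed attempt followed by a successful one.
$sample = @'
:: Looking up _bradfordagent._tcp.eb.lab
:: status = 9003 lasterror = 0
:: Server List:
:: About to delete transport
:: Looking up _bradfordagent._tcp.eb.lab
:: Server List: fnac.eb.eu,
:: Host = fnac.eb.eu
:: SSL_get_verify_result = 0
:: SSL Certificate verification result: ok
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'general-sample.txt'
Set-Content -Path $tmp -Value $sample
Get-FortiNacDiscoveryStatus -LogPath $tmp   # Result: Discovery OK, Servers: fnac.eb.eu

# On a real agent host, run it without arguments to read the default log path:
# Get-FortiNacDiscoveryStatus
```

Only the last attempt is reported, which matters when the log still contains the earlier 9003 failures from before the record was added.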
The Agent configuration can also be checked in the registry on the PC where the agent is installed:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bradford Networks\Client Security Agent
Related articles:
Technical Tip: Production DNS records for agent communication.
Troubleshooting Tip: DNS SRV queries not sent from Persistent Agent host.
Copyright 2024 Fortinet, Inc. All Rights Reserved.