GCC_J
New Contributor

FSSO Agent and multiple user logins

We have an issue with FSSO-based web filtering that I so far have been unable to solve:


We have the FSSO DC agents installed on all DCs. We have 4 AD groups set up, and we're using a guest profile set to Deny everything. Everything is working great, pulling in user logins, blocking sites, etc... Except for one thing. We have some users in our organization that either (1) log in from a PC with more than one username at a time, or (2) admins will connect to other machines, either through CIFS/SMB shares or RDP using their 'Admin' accounts (our admins use a standard user account for day-to-day work activities). The issue is that when someone does this, the FSSO agent drops their normal user account from the list and adds the second account. Then when the second account logs off, it doesn't add the original account back, which means the first user account is now using the 'Guest' web filtering profile and they get blocked from all web sites. To get back on the "Logged on users" list, they basically have to lock their computer, then unlock it, which re-authenticates to Active Directory; the FSSO agent logs it and adds the account back to the list.


This is a major annoyance. This even impacts certain users who keep remote drives mapped using different credentials. Is there any way around this? It is making us re-think our entire setup.

13 REPLIES
yorvek
New Contributor

Did you receive a solution from support regarding this issue? While disabling the RDP override from the collector agent resolves the problem for RDP, it does not address the issue that occurs when running an application as an administrator on a client PC. In such cases, the user will eventually lose internet access and will need to lock and log back into their computer to restore connectivity.

jpcastilloux1
New Contributor

Yes, the only way to resolve this is to have a standardised server/admin account nomenclature that you will be able to ignore in the FSSO configuration.

So let's say, if your admin account nomenclature begins with admin-xxxxx, you could ignore in the FSSO the account logins beginning with admin-*.

You can also use '?' to wildcard a specific character position, instead of the wildcard '*', which implicitly matches the rest of the word.

Works like a charm, but you need to implement a standardised nomenclature to achieve it.
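The following is an added example, not code from this thread or from Fortinet's collector agent. It models the behaviour the original post describes (the collector keeps one logged-on user per client IP, a new logon replaces the previous one, and a logoff does not restore it) and applies an ignore list with the '*' and '?' wildcards described above, so you can see which naming patterns keep the day-to-day account on the list. It assumes bare logon names (no DOMAIN\ prefix), case-insensitive matching as AD logon names are, and that ignored logons are simply never recorded; the IP addresses and account names are constructed for the example.

```python
import re
from dataclasses import dataclass, field


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an ignore-list entry into a regex.

    '*' matches any run of characters (the rest of the word), '?' matches
    exactly one character; everything else is literal. Case-insensitive,
    on the assumption that AD logon names are compared that way.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def is_ignored(login: str, ignore_list) -> bool:
    """True when the logon name matches any entry in the ignore list."""
    return any(wildcard_to_regex(p).fullmatch(login) for p in ignore_list)


@dataclass
class CollectorModel:
    """Simplified model of the collector's 'logged on users' table (assumption)."""

    ignore_list: list
    logged_on: dict = field(default_factory=dict)  # client IP -> logon name

    def logon(self, ip: str, user: str) -> None:
        if is_ignored(user, self.ignore_list):
            return  # ignored accounts never touch the table
        # One user per IP: a second logon replaces the first, as the OP observed.
        self.logged_on[ip] = user

    def logoff(self, ip: str, user: str) -> None:
        # Only the currently recorded user is removed; the displaced user is
        # not restored, which is the behaviour the thread complains about.
        if self.logged_on.get(ip) == user:
            del self.logged_on[ip]

    def profile_for(self, ip: str) -> str:
        # The OP's guest profile denies everything, so 'guest' means blocked.
        return "user" if ip in self.logged_on else "guest"


def run_scenario(ignore_list) -> str:
    """Day-to-day user logs on, then an admin credential is used on the same
    PC (mapped drive / run-as / RDP), then that admin session ends."""
    c = CollectorModel(list(ignore_list))
    c.logon("10.0.0.5", "jdoe")
    c.logon("10.0.0.5", "admin-jdoe")
    c.logoff("10.0.0.5", "admin-jdoe")
    return c.profile_for("10.0.0.5")


if __name__ == "__main__":
    print("no ignore list   :", run_scenario([]))          # guest -> blocked
    print("ignore admin-*   :", run_scenario(["admin-*"]))  # user stays
    # '?' pins one position: '?-*' catches d-/s-/w- admins but not plain logins.
    for name in ("d-jsmith", "s-jsmith", "jsmith"):
        print(f"{name:10} ignored by ?-* :", is_ignored(name, ["?-*"]))
```

Run it with a few of your own account names to confirm the pattern you intend to enter catches only the admin accounts; note that, as the next reply points out, the list applies to every host the collector sees, so a pattern such as '?-*' ignores those accounts on workstations as well as servers.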

jandrewartha

My problem is I want to identify our admin accounts (which are d- for domain, s- for server, w- for workstation admins) on servers, but not on workstations. Ignoring them will ignore them everywhere which is not what I want.

jpcastilloux1

You could create a separate VDOM for your workstations, and in this VDOM you could point to a different FSSO server that has a different ignore list, because each VDOM can be configured with different FSSO servers.
