IAC
FSSO Agent based or Fabric Connector Poll Active Directory Server

Hi there.

 

We have noticed from time to time that FSSO misses user logon events in DC agent mode, especially when one of the two Collector Agents is down for a long time (more than 5 minutes, i.e. 1-2 hours). Some logon events do not reach either of the two Collector Agents (even if one is available). When the second Collector Agent is recovered, we still notice some missing user logon events (they do not reach either of the two Collector Agents).

 

Our scenario: a cluster of two FG600E running v6.0.9 (to be updated shortly to v6.4.7).

Up to 2500 simultaneous Windows users

Two collector agents running on Windows Server 2012.

Three domain controllers running on Windows Server 2016.

FSSO design: DC Agent and Collector Agent in Advanced Mode.

DC logs are not available (logs not activated).

 

Two questions:

 

1. Is there any known issue or bug related to our faulty scenario? Might it be solved by restarting all three domain controllers (sequentially)?

 

2. What is the recommended FortiGate design for Windows Active Directory SSO: DC Agent and Collector Agent in Advanced Mode, or Fabric Connector - Poll Active Directory Server (configured directly on the FortiGate, without using a Collector Agent)? We cannot find any information related to agent-based FSSO (DC and Collector Agent) in the 6.4.7 Admin Guide... However, we can still find 6.4.7 images on the firmware download web page (DCAgent_Setup_5.0.0301_x64.exe, FSSO_Setup_5.0.0301_x64.exe).

 

Many thanks in advance.

Any help is really appreciated.

Regards, Ignacio.

 

seshuganesh
Staff

Hi Team,

Two collector agents running on Windows Server 2012.

Three domain controllers running on Windows Server 2016.

 

Since you are using DC agent mode, I believe you have already installed the DC agent on all three domain controllers and pointed it to the two FSSO agents.

DC agent is the most preferable method; it will not miss any logon events.

When a user logon is missing, can you check on both domain controllers for the DNS record of that machine?

It should give us clear information.
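One way to run the DNS check suggested in the reply above, as an added example that is not part of the thread and not Fortinet's own tooling: it queries each domain controller's DNS directly for the workstation named in the missing logon event and flags any DC where the record is absent or differs. The DC and workstation hostnames are placeholders to be replaced.

```powershell
# Added example: compare the A record a workstation resolves to on each DC's DNS.
# All hostnames below are placeholders; replace them with your own DCs and the
# machine from the missing logon event.
$DomainControllers = @('dc1.example.local', 'dc2.example.local', 'dc3.example.local')
$Workstation       = 'ws-missing-logon.example.local'

$results = foreach ($dc in $DomainControllers) {
    try {
        # -DnsOnly skips the local cache/hosts file so we see what this DC serves.
        $records = Resolve-DnsName -Name $Workstation -Type A -Server $dc -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            DC        = $dc
            Status    = 'Found'
            Addresses = ($records.IPAddress -join ', ')
        }
    } catch {
        [pscustomobject]@{
            DC        = $dc
            Status    = 'Missing'   # NXDOMAIN, timeout or DC unreachable
            Addresses = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# A record present on one DC but missing on another, or resolving to different
# addresses, points at DNS replication or scavenging problems worth fixing
# before blaming the DC/Collector agents for the dropped logon.
$distinct = $results | Where-Object Status -eq 'Found' |
            Select-Object -ExpandProperty Addresses -Unique
if (($results.Status -contains 'Missing') -or ($distinct.Count -gt 1)) {
    Write-Warning "DNS for $Workstation is inconsistent across domain controllers."
} else {
    Write-Host "DNS for $Workstation is consistent on all DCs: $distinct"
}
```

Run it from a host that can reach every DC on UDP/TCP 53; if a DC is listed as Missing only because it is unreachable, the exception message in the Addresses column says so.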