Pham_Phu_Cuong
New Contributor

FSSO Agent on sub-DC with multiple version of FGT

Hi everybody,

 

I would like to ask a question.

Can I install the FSSO Agent on only one sub-DC and have it work, or does it need to be on all the DCs? We have several DCs and I only want to install it on one of our sub-DCs.

Also, we are going to configure FSSO for several FGTs with different firmware versions (most are 5.2.x and one is 5.0.x, which we will upgrade to 5.2.x soon), because I saw a different agent version for every FGT version. In our case, will an agent with the latest version (5.2.latest) work for all the FGT versions?

 

Thanks,

Cuong Pham

xsilver_FTNT
Staff

Hi Cuong,

if we are talking about a standalone installation of the FSSO Collector Agent, then there are multiple scenarios and modes of its operation. In short:

First, you can have a single Collector Agent on one DC or even on any domain member machine (non-DC mode).

Then you can choose from 4 modes of operation:

1. agent based - DCAgent has to be installed on all the used DCs, as we cannot predict which DC will be used by a workstation as its %logonserver%

2. agent-less - NetAPI polling - the oldest, and I would not choose that, mainly for the possibility of losing logon events, no DHCP tracking, limited Mac OS support, RTT has to be <9 sec => fast/small networks only

3. agent-less - WinSec polling - again, polling = transparent mode, DHCP tracking, Mac and Citrix farm support; in large networks it might incur auth delay, but no loss of logons

4. agent-less - WinSec-WMI polling - similar to the previous one, but it queries the DCs via the MS WMI API rather than reading data blocks from the Windows Security log (preferred)

 

So I would suggest WinSec-WMI in Advanced mode (groups in LDAP format, Group Filters configurable from the FortiGate => no need to reconfigure the Collector) on a single Collector in the network. Later, consider a secondary Collector just for redundancy and fail-proofing your solution.

NTLM could be used as an auth fallback.

 

Regarding the FSSO Agent and FortiOS version matrix .. there is no official support for the mix, and the currently supported FSSO version is stated in the interoperability section of the respective FortiOS Release Notes.

HOWEVER .. there are not many changes in the FSSO protocol, and therefore it should, and usually does, work pretty well with mixed FortiOS. As long as you use FSSO version 5.x with FortiOS versions 5.x you should be safe and it should work. So you can use the latest FSSO and connect older FortiGate units to that same Collector without any problem.

More important is, if you run in agent mode or use TSAgents, to have the FSSO parts on the same version, so if the Collector runs 5.0.0244 then all the other agents should run the same, or as close as possible, version.

 

Hope it's clear now.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
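Added check, not part of the thread or of Fortinet's own tooling: the WinSec polling modes above depend on the DC actually recording logon events, so before choosing them it is worth verifying that the Security log contains such events and that they carry a client address. The script assumes the Collector relies on Kerberos TGT requests (event ID 4768) and NTLM validations (event ID 4776); the parameter names and look-back window are its own.

```powershell
# Added example (not from the thread): confirm a DC records the logon events that
# WinSec polling would read, and preview the user -> source mapping they yield.
# Assumption: the relevant events are 4768 (Kerberos TGT request, carries client IP)
# and 4776 (NTLM credential validation, carries workstation name).
# Run in an elevated PowerShell session on the DC, or point -ComputerName at it.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to inspect
    [int]$Minutes = 15                            # look-back window
)

$since  = (Get-Date).AddMinutes(-$Minutes)
$filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $since }

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4768/4776 events since $since on $ComputerName."
    Write-Warning "Check that the DC audit policy logs Success for 'Audit Kerberos Authentication Service' and 'Audit Credential Validation'."
    return
}

# One row per event, the way a polling collector would derive user/source pairs.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = $d['TargetUserName']
        # 4768 reports an IP (often in '::ffff:10.0.0.5' form); 4776 only the workstation name.
        Source  = if ($e.Id -eq 4768) { $d['IpAddress'] -replace '^::ffff:', '' } else { $d['Workstation'] }
    }
}

# Machine accounts (names ending in '$') are not user logons; drop them from the preview.
$rows | Where-Object { $_.User -and $_.User -notmatch '\$$' } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

If the listing is empty while users are clearly logging on, the problem is audit policy on the DC rather than the Collector, and agent-less polling will miss those logons regardless of mode.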

Pham_Phu_Cuong

Thank you for the quick reply.

 

Can I confirm that those polling modes you mentioned are not the Polling mode on the FGT itself? I read on the Fortinet site that it requires an internal DNS server and it cannot be done. These are options for the agent, right?

 

It's great to know that an agent can be installed on a client machine. We'll definitely look into that.

 

I will confirm with the release notes, but isn't it supposed to work with the same minor releases (i.e. 5.2.x agent with 5.2.x FGT)?

 

Best regards,

Cuong Pham

xsilver_FTNT

Hi Pham,

yes, those are options for the "standalone installation of FSSO Collector Agent", i.e. the collectoragent.exe process and the "Fortinet Single Sign On Agent Service" running directly on the DC.

I would suggest running it directly on the DC (even though it could be run on a non-DC domain machine). I would not recommend running it on a client machine for security reasons.

Just install and run the Collector under a Domain Admin account. If you need to strip access later, search our KB.fortinet.com for tips on how to do so. But for a smooth run it is suggested to run it under a Domain Admin account.

 

Yes, you can mix the 5.0.02xx FSSO agent (the latest, released with 5.4.x FortiOS) with either 5.4.x or 5.2.x or even 5.0.x FortiOS instances and it should work. I just had to mention that the officially supported versions are those in the release notes.

 

Yes, and there is also an FSSO polling possibility directly from the FortiGate, but it is very limited:

- no workstation checks
- no timers
- only WinSec polling mode
- for every single polled DC you need an additional record

 

... therefore direct polling from the FortiGate can be used for very small domain deployments or tests. If there is any chance to run a standalone Collector on a DC, then I would highly recommend that for stability, scalability and variability.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
