Hi everbody,
I would like to ask a question.
Can I only install the FSSO Agent on one sub-DC and work with it or on all the DC. We have several DCs and I only want to install it on one sub-DC of ours.
Also we are going to configure the FSSO for several FGTs with different firmware versions (most are 5.2.x and one 5.0.x which we will upgrade to 5.2.x soon), because I saw different agent version for every FGT version. In our case, will a agent with latest version (5.2.latest) works for all the FGT version.
Thanks,
Cuong Pham
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Cuong,
if we are talking about standalone installation of FSSO Collector Agent, then there is multiple scenarios and modes of it's operation. In short:
First you can have single Collector Agent on one DC or even on any Domain member machine (non-DC mode).
Then you can choose from 4 modes of operation :
1. agent based - DCAgent has to be installed on all the used DCs as we cannot predict which DC will be used by workstation as its %logonserver%
2. agent-less - NetAPI polling - oldest and I would not choose that mainly for possibility to loose logon events, no DHCP tracking, Limited MAC OS support, RTT has to be <9sec => fast/small networks only
3. agent-less - WinSec polling - again, polling = transparent mode, DHCP tracking, MAC and Citrix farms support, in large networks might incure auth delay but no loss of logons
4. agent-less - WinSec-WMI polling - similar to previous but it question DCs via MS WMI API rather then reading fata blocks from Windows Security log (preferred)
So I would suggest WinSec-WMI in Advanced mode (groups in LDAP format, Group Filters configurable from FortiGate => no need to reconfigure Collector) on a single Collector in network. Later consider secondary Collector just for redundancy and fail-proofing your solution.
There could be used NTLM as auth fallback.
Regarding FSSO Agents and FortiOS version matrix .. there is no official support for the mix and currently supported FSSO is stated in interoperability section of respective FortiOS Release Notes.
HOWEVER .. there is not many changes in FSSO protocol, and therefore it should and usually works pretty well in mixed FortiOS. As far as you use FSSO version 5.x with FortiOS versions 5.x you should be safe and it should work. So you can use latest FSSO and connect older FortiGate units to that same Collector without any problem.
More important is, if you run in agent mode, or use TSAgents, to have FSSO parts within same version, so if Collector runs 5.0.0244 then all the other agents should run same or as close as possible version.
Hope it's clear now.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thank you for the quick reply.
Can I confirm that those polling mode you mentioned is not the Polling mode on the FGT itself, because I read on Fortinet site that it requires a internal DNS server and it can not be done. These are options for the agent, right?
It's great to know that an agent can be installed on a client machine. We'll definitely look into that.
I will confirm with the release notes, but isn't it supposed to work with the same minor releases (i.e. 5.2.x agent with 5.2.x FGT).
Best regards,
Cuong Pham
Hi Pham,
yes, those are options for "standalone installation of FSSO Collector Agent". So collectoragent.exe process and "Fortinet Single Sign On Agent Service" running directly on DC.
I would suggest to run it directly on DC (regardless it could be run on non-DC domain machine). I would not recommend to run it on client machine for security reasons.
Just install and run the Collector under Domain Admin account. If you need to strip access later, search our KB.fortinet.com for tips how to do so. But for smooth run it is suggested to run it under Domain Admin account.
Yes, you can mix 5.0.02xx FSSO agent (latest and released with 5.4.x FortiOS) with either 5.4.x or 5.2.x or even 5.0.x FortiOS instances and it should work. I just had to mention that officially supported versions are those in release notes.
Yes, and there is also FSSO polling possibility directly from FortiGate, but it is very limited:
- no workstation checks
- no timers
- only WinSec polling mode
- for every single polled DC you need additional record
... therefore direct polling from FortiGate can be used for very small Domain Deployments or tests. If there is any chance to run standalone Collector on DC, then I would highly recommend that for stability, scalability and variability of that.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.