Jasonhilt
New Contributor

FSSO Setup

Firewall 1240B running v4 MR3 patch 10, FSSO Agent v4.0639-639. We have been having issues with some logins not getting collected and thus being put at guest access. I have tried one collector for all 5 domain controllers, 2 collectors with all 5 reporting to each collector, and also tried separating the DCs between the two collectors. Some logins, and they are random, are still not getting collected. Usually after logging off or rebooting the computer they get correct access, but sometimes it takes 5 to 7 tries. What is the best way to set up FSSO for 5 domain controllers? In the firewall FSSO agent config, there are spots for more than one FSSO Agent IP/Name. Do I put both collector IPs, if using two, under this one, or separate them out into a primary and secondary entry? Also, if you have any idea where to look to resolve the collection issue. Biggest issue is with Gmail for staff. We currently block it for students and do not want to have to open it for them.
rwpatterson
Valued Contributor III

Right now I have one AD domain with 3 DCs and no big issues. How many domains are you polling?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jasonhilt
New Contributor

We have one domain. 3 DCs at our main building and one each at two outlying buildings. Weird issue today. A teacher logs in and gets blocked going to Gmail. I check the analyzer and it shows a student is logged in on her IP address. I check the collector and it shows the teacher is logged in at the IP that the firewall says the student is logged in at. For some reason the firewall was not getting the updated info from the collector. Today I changed the collector config so that both collectors "collect" from all 5 DCs. Don't know if this will help or make things worse, but I cannot seem to find any info on how to set up the FSSO collector when doing more than one. Do I need just one, or if two, how do I set it up?
rwpatterson
Valued Contributor III

I have one collector polling all 3 DCs.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Rick_H
New Contributor III

I have this as well: one collector polling all DCs. I found that having multiple collectors caused some weird inconsistencies. I have no performance issues with just the one collector coupled with installed DC agents.
Joker
New Contributor

I have 4 collector agents, all 4 configured in all routers. If memory serves, the maximum number of devices that can connect to a collector agent is (or used to be) 67. I scale well past that, so I need a minimum of 2, and then for full redundancy I need 2 more. I have no problems with that configuration. The key to not missing logon events is to configure the collector agent in DC Agent Mode, and all collector agents must know about all DCs.
MikeMo
New Contributor

I have experienced something similar in the past. Here are the things you should check:

- Ensure DC agents are installed on all domain controllers and ensure that the registry entries for every DC agent point back to all collector agents (even the collector agent itself if it is a Domain Controller).
- UAC must be turned off in certain cases to deploy the DC agent. This can sometimes cause the DC agent to not be properly installed.
- Check your group filters to make sure you aren't excluding anything.
- All collector agents need to be configured on the firewall if you intend to use them.
- Ensure server firewall ports are open for firewall to collector agent communication.
- Make sure your workstation/IP/dead intervals aren't set too high (default is probably best).

Some things I have noticed:

- At times when multiple users authenticate to a system, if your timeout intervals are set too high the Fortinet might cache a user if for some reason the new user's authentication wasn't detected by the firewall.
- Wireless connections that use authentication (such as PEAP) can cause problems with FSSO. I have found this to be an issue with the way FSSO uses DNS and how traffic is sourced when connected to dual wired/wireless connections.

It would seem that the best way to solve your issue is to allow for NTLM authentication. That way if someone cannot be authenticated they will be forced to log in via the browser rather than getting guest by default. This is also a way to solve the wireless issue I previously mentioned. Hope this all makes sense and will help.
Jeff_the_Network_Guy
New Contributor III

To follow up on MikeMo's reply, I can say that when I recently set up multiple collectors I had to manually add them to the DCAgent registry setting. I'm not sure how else you're supposed to do it honestly. Check under HKLM\Software\Fortinet\FSAE\DCAgent\CA
----------------(-- Jeff
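Added example, not from any poster in this thread: a PowerShell audit you can run on each DC to compare the collector agents registered under the key Jeff names with the list you expect, which covers MikeMo's first check as well. It assumes each collector is stored as a registry value under that key whose data is the collector's IP or name, that the default FortiGate-to-collector port TCP 8000 is unchanged, and the IPs in $ExpectedCollectors are constructed placeholders.

```powershell
# Hypothetical audit script (not Fortinet's own tooling). Run elevated on a domain controller.
param(
    # Constructed placeholder addresses; replace with your real collector agents.
    [string[]]$ExpectedCollectors = @('192.0.2.10', '192.0.2.11'),
    # Key path as quoted in the thread; layout beneath it is an assumption.
    [string]$KeyPath = 'HKLM:\Software\Fortinet\FSAE\DCAgent\CA',
    # Default FortiGate-to-collector listening port; adjust if your install changed it.
    [int]$CollectorPort = 8000
)

function Get-FssoCollectorsFromRegistry {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key $Path not found; the DC agent may not be installed on this host."
        return @()
    }
    $item = Get-Item -Path $Path
    # Read the data of every value under the key (assumed to be collector addresses).
    $item.GetValueNames() |
        ForEach-Object { ([string]$item.GetValue($_)).Trim() } |
        Where-Object { $_ }
}

function Compare-FssoCollectors {
    param([string[]]$Expected, [string[]]$Actual)
    $missing = @($Expected | Where-Object { $Actual -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Registered = ($Actual -join ', ')
        Missing    = ($missing -join ', ')   # collectors this DC agent will never report to
        Unexpected = ($extra -join ', ')     # stale or mistyped entries worth cleaning up
        Consistent = ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    }
}

$registered = @(Get-FssoCollectorsFromRegistry -Path $KeyPath)
Compare-FssoCollectors -Expected $ExpectedCollectors -Actual $registered | Format-List

# Reachability hint: confirm each expected collector is listening on the FortiGate port.
foreach ($collector in $ExpectedCollectors) {
    $ok = (Test-NetConnection -ComputerName $collector -Port $CollectorPort -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0}:{1} reachable = {2}" -f $collector, $CollectorPort, $ok
}
```

Run it on every DC and compare the Registered column across hosts; any DC whose list differs is a candidate for the random "not collected" logons described above.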
Silver

Hi, this post looks really relevant to the issues that I am facing right now with FSSO. I have 5 domain controllers, and on 2 DCs I have installed the FSSO full setup, which included the DC agent + collector agent. On the other 3 DCs I have installed only the DC agent. My users are randomly getting internet connectivity issues. Sometimes they are able to get internet and sometimes not. What could be done to resolve this kind of issue? I really want to understand the logic that on all DCs where the DC agent has been installed we need to add or edit the registry to add both collector IP addresses. If I am wrong, please correct me. And can someone send me a screenshot of the registry setting showing how and where exactly we need to add both collector IP addresses? And what will happen after we add the collector IP addresses in the registry?