- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO with Multiple DC
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO with Multiple DC
Dear All,
Can someone clear me in this scenario.
i am using four domain controller on my network and installed fsso dc agent on the four domain controller. After that under authentication on fortigate i created four single sign on separately and all four connected but i only see groups appears on the first single sign on agent on the remain three no user group appears. can you confirm if its normal or abnormal.
And out of four domain controller only the first two FSSO DC agent active 1 i see and the remain 2 saying active 0 does it normal or not. while checking on the fsso dc agent itself under monitor dc.
users are connect to any four domain at the same time.
example one user can connect to dc1 another user can connect to dc 4 randomly.
waiting reply plz
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe the way you have it is fine. Listing multiple DCs on one FGT is for backup/failover purposes. The agents on all the DCs relay amongst one another all the login and IP information.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Veechee thanks for the reply but it' s not really clear for me!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This design is imho unnecessary. What you can have is like 2 Collector Agents installed on two DC' s (for redundancy). Only one Collector Agent will be connected to FortiGate at any given time. If the connected Collector Agent fails for any reason, FortiGate will switch to another one down in the list. Just create one FSSO and in config enter two IP addresses. In standard mode then select groups for monitoring in Collector Agent. Then in Collector Agent specify DC' s that should be monitored for logon events. Both Collector Agent in fact will be monitoring logons yet only one will be sending info to FortiGate. I would suggest to use DC agent mode as it is considered most reliable.
livo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. You may need to install the Collector Agent at the DC1 with step in the link
Technical Tip : FSAE Standard mode installation procedure (Step by Step guide)
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31882&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=29647444&stateId=0%200%2029645986
1.1)Then you just need to follow the path in the DC1 to get " nstalldcagent" from DC1 to install in DC2 ,DC3 ,DC4. (So only DC1 will have the Collector Agent with GUI. But for the other DC ,it may not have.)
For 64 bits
C:\Program Files (x86)\Fortinet\FSAE\installdcagent
For 32 bits.
C:\Program Files\Fortinet\FSSO\installdcagent
(And it will has uninstalldcagent for you to use to uninstall only the DC agent also. )
and copy " installdcagent" from DC1 to install to DC 2 ,DC3 ,and DC4.
When you install ,it will ask the information of the Collector Agent that you may need to put in
Collector Agent IP address : (The AD server that has the Collector Agent (DC1) ,Collector agent with GUI and DC agent installed. )
Collector Agent listening port : (The default is 8002 )
Fortigate Newbie
Fortigate Newbie
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a hint,
I would personally not recommend to use Collector Agent (Set Directory Access information) Standard mode as it does not support nested AD groups > which is quite common scenario.
In advance mode the easiest setup would be to select monitored AD groups from Collector Agent which will then send AD groups to be used as a set member attribute in group configuration to FortiGate. in FSSO configuration LDAP is then not required.
when this change in Collector Agent is done you may want to run:
execute fsso refresh in CLI
livo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you use DC Agents without Collector Agents ? I don' t think so !!
If you gave 4 Dcs please install DC agents on all 4 , but Collector agent required only on 2 for redundancy
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firstly are all 4 domain controllers ADCs of each other ? In that case please install Collector agent only on two Domain Controllers.
You can install DC Agent on all 4 domain controllers.
Please login to Collector agent on both DCs and click " Show monitored DCs" It should show all 4 DCs on both Collector Agents.
in Fortigate GUI create only one SSO Profile and add two Collector Agents under same SSO Profile.
No need to create 4 SSO Profiles.
more thoughts anyone ?
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Related Posts
- Kerberos authentication 15 Views
- High CPU usage on Fortiswitches and... 98 Views
- Webfilter license won't work despite having... 161 Views
- Fortinet external AD Connector and retrieving... 138 Views
- How can I automatically block the... 305 Views
Labels
-
FortiGate
6,759 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
346 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
263 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.