Liza1
New Contributor III

How to set up agentless polling on AD server

Hello! I need help with setting up agentless polling configuration on FortiGate.

I have a FortiGate device and an AD server where our company's users are located. I've been exploring the option of using agentless polling to implement and monitor these AD users in FortiGate. I'm having trouble adding FSSO-CA (FSSO Agent on Windows AD).

I can see the server and can telnet using port 445, but the FSSO-CA status shows as disconnected. Could the issue be related to the user? What privileges and rights does this user need? How should I correctly configure this setup so that FSSO Agent on Windows AD can see FortiGate and function properly?

Please assist me.
#FortiGate FortiAuthenticator FortiAnalyzer 

1 Solution
ebilcari
Staff

If you want to use direct polling without a collector agent installed on the AD/DC you should configure "Poll Active Directory Server".

If you are choosing "FSSO Agent on Windows AD" you will need the collector installed on the AD as shown in this article. This communication is done on port 8000.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
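
Added example, not part of the original posts: a Python probe for the situation in this thread, where TCP 445 answers but the FSSO-CA connector stays disconnected. It checks port 8000 from the accepted answer alongside 445. The function names, return labels, the mapping of an open 445 to direct polling, and running it from a host on the same network path as the FortiGate are assumptions of this example.

```python
import socket
import sys

COLLECTOR_PORT = 8000  # collector agent port named in the accepted answer
SMB_PORT = 445         # port the original poster tested with telnet

def probe(host, port, timeout=3.0):
    """Classify a TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host answered, but no service listens on the port
    except OSError:
        return "filtered"  # timeout or unreachable: firewall or routing in the path

def advise(collector, smb):
    """Map the two probe results to the connector type that can work (assumed mapping)."""
    if collector == "open":
        return "fsso-agent"   # something answers on 8000: "FSSO Agent on Windows AD"
    if smb == "open":
        return "poll-ad"      # only 445 answers: "Poll Active Directory Server"
    return "unreachable"      # neither port answers from this vantage point

def check(host, collector_port=COLLECTOR_PORT, smb_port=SMB_PORT, timeout=3.0):
    """Probe both ports and return the states plus the resulting advice."""
    collector = probe(host, collector_port, timeout)
    smb = probe(host, smb_port, timeout)
    return {"collector": collector, "smb": smb, "advice": advise(collector, smb)}

MESSAGES = {
    "fsso-agent": "Port 8000 answers: a collector agent connector can connect.",
    "poll-ad": "Only 445 answers: configure direct polling, or install the "
               "collector agent (a 'refused' 8000 means nothing listens there).",
    "unreachable": "Neither port answers: check firewalls and routing first.",
}

if __name__ == "__main__":
    # Constructed usage: python fsso_probe.py <AD server address>
    result = check(sys.argv[1])
    print(result)
    print(MESSAGES[result["advice"]])
```

An open port 8000 only shows that some service is listening there; the FortiGate debugs are still needed to confirm that the connector itself authenticates.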

5 REPLIES
Yurisk
SuperUser

If you ask about agent-less (direct) polling, see what I said here https://community.fortinet.com/t5/Support-Forum/Poll-AD-Server/td-p/324005

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Liza1
New Contributor III

Does FSSO need an additional license? Or can it work on a device without a license?

Yurisk

No, you don't need any additional license for FSSO, just regular FortiCare for your FortiGate so that you can download the FSSO Agent install .msi from support.fortinet.com

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
hbac
Staff

Hi @Liza1,

The following debugs on FortiGate will be useful:

# diagnose debug application fssod -1
# diagnose debug application smbcd -1
# diagnose debug en

Regards,
