Hello All,
I have Fortinet Single Sign-On (FSSO) Agent installed in DC Agent mode on both of my domain controllers (DC01 and DC02).
Is there anything else I can check to resolve this issue? I have not yet reinstalled the FSSO agent on DC02.
Any guidance would be greatly appreciated.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The most typical cause is Windows Firewall blocking it.
Make sure you allow the traffic on the Collector's side. In this case it will be incoming UDP/8002.
Hi,
Please let us know if the collector agent is configured in active or passive mode. Normally, the Fortigate connects to the primary FSSO agent (DC agent 01) and retrieves the users showed in the logon user list. If a user A appears in the user logon list of the DC02 agent but does not appear in the DC01 agent, the Fortigate will not collect the user A from the DC02.
ALso you can refer the below document for multiple FSSO agent connect to Mutiple FSSO CA server.
Regards
Jamal Hussain
Thank you, Jamal.
It seems that I have configured something incorrectly. Allow me to provide more information:
On the FortiGate firewall, I have configured only one the FSSO Agent External Connector.
My DC01 has the IP address 172.16.65.2 and DC02 has 10.1.0.9.
As you can see above, DC01 is currently active. When I restart DC01, the DC02 automatically becomes active.
I can confirm that user A appears in the user logon list of the DC02 agent but does not appear in the DC01 agent, meaning that the user log event is not present on both Collection Agents.
I believe I previously had two External Connectors configured, one for DC01 and another for DC02. For some reason, I decided that the best practice is to have only one External Connector, and I only added the IP address of the secondary FSSO.
Would the best practice be to create a second External Connector as described in the technical tip "Technical Tip: Configuring Multiple FSSO Agents to Connect to Multiple FSSO CA Servers Monitoring the Same Domain/Groups"?
Hi @mrmIT
You should check to which CA is FGT connected at that time, FGT can only communicate with one CA at one time only. If this info is collected from DC Agent and this info it transferred to both CA ,FGT can poll this info from CA to which is connected. So you have to make sure that this user log event is present on both CA.
Hi @mrmIT
You must ensure that log events have been received by both domain controllers Also verify you are monitoring both Domain controller in the collector agent settings in DC01 /DC02.
Regards
Jamal Hussain
Assuming both DCs server the same domain, the expected configuration and behaviour is as follows:
FortiGate has one FSSO object, with both Collectors' addresses.
The CLI interpretation could look like this:
config user fsso
edit <some name>
set server <DC1 address>
set server2 <DC2 address>
[...]
end
Behaviour: FortiGate rotates through the list of Collectors on a failover basis, always keeping a connection with only one Collector.
As a consequence, all Collector Agents are expected to posses the same information, for the entirety of the domain. In other words, all Collectors must poll login information from all relevant Domain Controllers (or other sources). Collector1 needs to talk to DC1 and DC2, Collector2 needs to talk to DC1 and DC2.
@jhussain_FTNT @pminarik @rbraha
Thank you everyone. The situation is as follows: DC01 - 172.16.65.2 is the main collector for most of the time. In the Show Monitored DCs option, DC02 - 10.1.0.9 is not visible. When I go into Select DC to monitor, I see both DC01 and DC02 selected. I click OK, and a "please wait" window appears, but DC02 does not show up in the list of active DC agents. When I checked DC02, everything looks fine there, and it is monitoring both DCs.
So, the collector on DC01 monitors only DC01, while the collector on DC02 monitors both DC02 and DC01. What could be the reason that DC02 is not being added to the list?
Kindly verify both the collector agent IP address is added in DC02 as shown in the below image.
Regards
Jamal Hussain
I do not have a graphical interface. I can install it after hours because it seems that I will need to restart DC02. However, here is a screenshot from the system registry on DC01.
and DC02
The most typical cause is Windows Firewall blocking it.
Make sure you allow the traffic on the Collector's side. In this case it will be incoming UDP/8002.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.