Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mrmIT
New Contributor II

Issue with FSSO Agent Communication on secondary DC

Hello All,


I have Fortinet Single Sign-On (FSSO) Agent installed in DC Agent mode on both of my domain controllers (DC01 and DC02).

Observations:

  1. When a user logs into the network with DC01 as their logon server:
    • The user appears in the Show Logon Users list on the FSSO agent.
    • The collector forwards this information to FortiGate, and the user is also visible in the FSSO user list on FortiGate.
  2. When a user logs in with DC02 as their logon server:
    • The user appears in the Show Logon Users list on the FSSO agent on DC02.
    • However, this information is not forwarded to FortiGate.

Troubleshooting Steps Taken:

  • Verified that FortiGate can connect to both domain controllers on TCP/8000 without any issues.
  • Confirmed that the registry path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\CA contains the IP addresses of both DC01 and DC02 on both servers.
  • Confirmed the IP address of DC02 as a secondary server in the FortiGate configuration.
  • Restarted FSSO services on both DC01 and DC02.
  • De-authenticated the user list on FortiGate.

Current Setup:

  • FSSO Agent version: 5.0.0.318 (installed on both servers).
  • FortiOS version: 7.2.10.

Questions:

Is there anything else I can check to resolve this issue? I have not yet reinstalled the FSSO agent on DC02.
Any guidance would be greatly appreciated.

1 Solution
pminarik

The most typical cause is Windows Firewall blocking it.

Make sure you allow the traffic on the Collector's side. In this case it will be incoming UDP/8002.

[ corrections always welcome ]


mrmIT
New Contributor II

It looks like the problem was with the Windows Firewall, although it wasn't obvious at first since UDP port 8002 seemed to be listening on both servers (as shown by netstat -ao). When I tested the port using portqry (from a remote server: portqry.exe -n <Server_IP> -e 8002 -p UDP), I received a listening/filtering response on both servers. So, I created inbound rules on DC01 and DC02 to allow UDP port 8002. On DC01, I allowed UDP 8002 from DC02, and on DC02, I did the reverse. This immediately increased the list of Logon Users on DC01 as well as on the firewall.

Thank you all for your help!
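The fix described in this thread (an inbound Windows Firewall rule for UDP/8002 on each DC, scoped to the other DC) can be applied and verified from PowerShell. The script below is an added example, not code from the thread or from Fortinet; it assumes the NetSecurity cmdlets available on Windows Server 2012 and later, the peer DC address passed as `$PeerDcIp` is a placeholder to be replaced on each server, and the rule name is my own choice. It also shows why the `netstat` observation above was misleading: the listener query succeeds whether or not the firewall delivers datagrams to it, so the rule check is the one that matters.

```powershell
# Added example: allow FSSO DC Agent -> collector traffic (UDP/8002) inbound from the
# peer domain controller and verify the result. Run once on each DC with the other
# DC's address. $PeerDcIp is a placeholder (assumption), not a value from the thread.
param(
    [Parameter(Mandatory)] [string] $PeerDcIp,
    [string] $RuleName = 'FSSO Collector - UDP 8002 inbound from peer DC'
)

# 1. Show the local UDP/8002 listener. A bound socket appears here (and in netstat -ao)
#    regardless of firewall state, so this alone does not prove the collector receives data.
Get-NetUDPEndpoint -LocalPort 8002 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Check whether an enabled inbound allow rule for UDP/8002 already exists.
$existing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'UDP' -and ($pf.LocalPort -contains '8002' -or $pf.LocalPort -eq 'Any')
    }

if ($existing) {
    "Existing inbound UDP/8002 allow rule(s):"
    $existing | Select-Object DisplayName, Profile, Enabled
} else {
    # 3. Create a narrowly scoped rule: UDP 8002 only, from the peer DC only, Domain profile only,
    #    matching the per-DC rules the original poster created.
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Allow FSSO DC Agent logon events to the collector (example rule)' `
        -Direction Inbound -Protocol UDP -LocalPort 8002 `
        -RemoteAddress $PeerDcIp -Profile Domain -Action Allow -Enabled True | Out-Null
    "Created rule '$RuleName' allowing UDP/8002 from $PeerDcIp"
}

# 4. Log dropped packets on the Domain profile so a blocked FSSO datagram shows up as a
#    DROP line in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log instead of vanishing.
Set-NetFirewallProfile -Profile Domain -LogBlocked True

# 5. Print the effective port and address filters of the rule for review.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Ports   = ($_ | Get-NetFirewallPortFilter).LocalPort
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Profile = $_.Profile
        Enabled = $_.Enabled
    }
}
```

After running it on both DCs, re-check Show Logon Users on the collector and the FSSO user list on FortiGate; if users from the second DC are still missing, the pfirewall.log DROP entries for UDP 8002 tell you whether the datagrams are still being blocked rather than simply not being sent.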

pminarik

The unfortunate trick is that the firewall won't prevent a process from binding to the socket and listening on a specific port (it will show up in netstat output, as you found out), it will only stop it from actually receiving those packets.

[ corrections always welcome ]