jevakmeni
New Contributor

Setting up FSSO on Fortigates outside the corp office - Showing down

We have the corp office set up with local LDAP and an FSSO collector. We are able to set policies based on groups, which is great, thanks to some of the posts on this forum.

We are setting up a Fortigate that's in another office 50 miles away. I set LDAP to the local domain controller over there. I set the FSSO collector info. It's able to pull groups, etc., but the FSSO collector shows down. I'm pointing it to the Corp FSSO collector.

The firewall policy allows all traffic back to corp. Do I have to set up an FSSO collector at each office? The DC Agents are installed on domain controllers. Not sure why it's showing down.

Anyone else able to set up FSSO on a remote Fortigate and have it connect back to the collector at the Corp office?

ndumaj
Staff

Hello,
Ensure that firewalls are allowing the FSSO required ports through.
FSSO has a number of required ports that must be allowed through all firewalls, or connections will fail. These include: ports 139, 389 (LDAP), 445, 636 (LDAP), 8000, and 8002.
Also check the password that you are using to connect the FGT firewall to the FSSO collector agent.
Review the following articles:
https://community.fortinet.com/t5/FortiGate/TroubleshootingTip-General-troubleshooting-for-FSSO/ta-p...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-collect-FSSO-collector-agent-DC-age...
BR

smayank
Staff

Hello

So there is one recommendation: allow ports 8000 and 8002 on the server side.
Sometimes the server rejects requests initiated by the FortiGate; please check the configuration.
Here is the link for allowing the ports on AD:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Allowing-FSSO-Ports-when-using-Windows-Se...

Thanks & Regards 
Mayank Sharma
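
Added example, not part of the replies above and not Fortinet code: a small TCP probe for the ports listed in this thread, run from a host in the remote office, that separates "dropped on the path" from "rejected by the server". The hostname is a placeholder, and testing every port as TCP is an assumption: DC agents normally reach the collector over UDP 8002, which a TCP connect cannot confirm.

```python
import socket
import sys

# Ports named in the replies above (assumption: all probed as TCP).
FSSO_PORTS = [139, 389, 445, 636, 8000, 8002]

# What each probe result usually means for this thread's "collector shows down".
HINTS = {
    "open": "TCP handshake completed; check the collector password next",
    "refused": "host answered with a reset; nothing listening or the host rejects it",
    "filtered": "no answer before timeout; a firewall on the path or host drops it",
    "unreachable": "no route or name lookup failed; check routing/VPN to corp",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:  # includes DNS failures and "no route to host"
        return "unreachable"
    finally:
        s.close()


def check_collector(host, ports=FSSO_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Placeholder hostname; pass the corp collector's address as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "collector.example.internal"
    for port, state in check_collector(host).items():
        print(f"{host}:{port:<5} {state:<12} {HINTS[state]}")
```

A result from a LAN host shows what the path and the server allow, but the FortiGate's own connection to the collector may leave from a different source address or interface, so compare it with the FSSO status on the FortiGate itself.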