
12/07/2020 Identity: FSSO - Installation and Configuration


Identity: FSSO - Installation and Configuration

This article guides technical staff through the setup and configuration of Identity integration using the
Fortinet Single Sign-on (FSSO) Collector Agent

5/04/2019 • Support Knowledge

Article Content

FSSO - Installation and Configuration on an Active Directory Domain


Fortinet Single Sign-On (FSSO) is the mechanism your N4L Managed FortiGate Firewall uses to transparently
receive user identity information from login events on directory servers such as Microsoft Active
Directory.

In addition to attributing internet activity to a specific user for reporting purposes, users' group membership
can be used to enforce a customised filtering policy for different user groups, e.g. students, teachers, and
Year 9 students can all have different filtering rules applied to them.

Prerequisites

In order to follow the steps in this guide, you, your school's network, and your devices will need to meet the
following prerequisites:

Your network must have at least one Active Directory Domain Controller.


You must have access to an Administrator account that can install software on the Domain Controller.

Timeframe

Completing the steps in this guide typically takes 15 to 20 minutes per Active Directory Domain
Controller server.
A server reboot is required at the end of the installation.

Pre-Cutover Activities: Download and Install the FSSO agent applications

In order for the N4L Managed Router to receive authentication events from your school’s directory, an FSSO
Collector Agent needs to be installed on your school's Primary and Secondary Domain Controllers. The
FSSO Collector Agent is a small software program which notifies the N4L Managed Router when users
authenticate to the network. This process associates Active Directory usernames with the corresponding
internet traffic passing through the N4L Managed Router.

In addition to the FSSO Collector Agent, an FSSO Domain Controller Agent must be installed on the FSSO
Collector Agent servers, and may also be installed on any additional domain controllers you may have in your
school network. The FSSO Domain Controller Agent passes authentication notifications to the FSSO
Collector Agent to ensure all authentication events are properly captured, regardless of which domain
controller a user authenticates against.

The following high-level design diagram shows the flow of authentication events and the responsibility
boundaries for FSSO.

https://support.n4l.co.nz/s/article/Identity-FSSO-Installation-and-Configuration 1/14

Figure 1: FSSO Responsibility Boundaries

Installing the FSSO Collector Agent and Domain Controller Agent package

1. Download the appropriate FSSO Collector Agent installer for your operating system version.

FSSO Collector Agent (x32) - For 32 Bit Windows Operating Systems
(https://www.n4l.co.nz/wp-content/uploads/clients/FSSO_Setup_5.0.0275.exe)
FSSO Collector Agent (x64) - For 64 Bit Windows Operating Systems
(https://www.n4l.co.nz/wp-content/uploads/clients/FSSO_Setup_5.0.0275_x64.exe)

Before running either installer on a Domain Controller, check that the file carries a valid digital signature
from its publisher (right-click the file, Properties, Digital Signatures).

2. On your Primary Domain Controller, run the installer, e.g. FSSO_Setup_5.0.0275_x64.exe, and click Next
on the welcome page to continue.

Figure 2: The Installer

3. Enter an elevated username and password, which will be used to run the service.

Please Note: It is good security practice to create a service account (an account only used

Figure 3: Specify a Username and Password for the FSSO Agent
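The note above recommends a dedicated service account for the FSSO service. The following PowerShell, run on a Domain Controller, is an added example and not part of the N4L article: it creates such an account with a long random password and the hardening flags a sensitive service account should carry. The account name, OU and the group used to grant rights are assumptions; the article only says the account must be elevated, so adjust group membership to what the installer actually requires.

```powershell
# Added example, not from the N4L article: create a dedicated, least-privilege
# account to run the FSSO Collector Agent service. Account name, OU and the
# group used for rights are assumptions; adjust them to your domain.
Import-Module ActiveDirectory

$svcName = 'svc-fsso'                                 # assumed account name
$svcOU   = 'OU=Service Accounts,DC=school,DC=local'   # assumed OU
$dnsRoot = (Get-ADDomain).DNSRoot

# 32 random bytes -> 44-character password; it exists only in this session
# and in the installer dialog, never in a script, ticket or e-mail.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

$params = @{
    Name                   = $svcName
    SamAccountName         = $svcName
    UserPrincipalName      = "$svcName@$dnsRoot"
    Path                   = $svcOU
    AccountPassword        = $secure
    Enabled                = $true
    PasswordNeverExpires   = $true      # rotate deliberately; the service control manager stores it
    CannotChangePassword   = $true
    AccountNotDelegated    = $true      # "account is sensitive and cannot be delegated"
    KerberosEncryptionType = 'AES256'   # no RC4 service tickets for this account
    Description            = 'Runs the Fortinet SSO Collector Agent; no interactive logon'
}
New-ADUser @params

# Grant rights by group rather than by adding the account to Domain Admins.
# Assumption: Event Log Readers is enough to read logon events; if the installer
# needs more, use the DC's Administrators group and nothing wider.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $svcName

Write-Host 'Enter this password once in the FSSO installer, then close this console:'
Write-Host $plain
```

Pair this with a Group Policy that assigns the account "Deny log on locally" and "Deny log on through Remote Desktop Services" on the Domain Controllers OU, so a leaked password cannot be used for an interactive session.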

4. On the Install Options page, make sure that both boxes are checked. Set the access method to
Advanced, and then click Next.

✅ Monitor User logon events and send the information to FortiGate.


✅ Serve NTLM authentication requests coming from FortiGate.

Figure 4: Check both boxes and choose Advanced before continuing

5. Setup will proceed.


6. On the final page of the wizard, ensure that Launch DC Agent Install Wizard is checked, and then
click Finish.


Figure 5: Check the DC Agent Install box before continuing

7. This starts the Domain Controller agent install (required on the Primary and Secondary DC servers of
your network).

Note: If you have additional Domain Controllers which authenticate network users, please con

This standalone client allows authentication event log messages to be sent to the N4L Manage

8. The DC Agent install wizard will guide you through setup. The first step is to bind the service to the
server's IP address.
9. Enter the server's local IP address and port 8002. Click Next.

Figure 6: In this example, the Server's Local IP is 10.1.29.12

10. From the pre-populated list, select the domains to be monitored by the FSSO agent. Click Next.


Figure 7: Selecting Domains to be Monitored for Login Events

11. From the pre-populated list of users, select any users to be EXEMPTED from monitoring by the FSSO
agent. Click Next.

Important Note: DO NOT monitor accounts which are used for software updates, installations,

If you monitor these accounts, internet activity will be attributed to the admin accounts an

Figure 8: Selecting User Accounts to be exempted from Login Event monitoring
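Step 11 asks you to pick the accounts to exempt, and the note warns against monitoring administrative and update accounts. This PowerShell is an added example, not from the N4L article, that produces a candidate exemption list from Active Directory: members of the privileged groups (nested groups flattened) plus any account that holds a Service Principal Name, which is the usual sign of a service account. The 'svc-wsus' entry is an assumed name standing in for accounts you know run updates or installs; review the output before entering it in the wizard.

```powershell
# Added example, not from the N4L article: build a candidate list of accounts to
# EXEMPT from FSSO monitoring. Privileged-group members and SPN holders are
# derived from AD; the named update account is an assumption.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'

$candidates = @(
    foreach ($g in $privilegedGroups) {
        # -Recursive follows nested groups; Enterprise Admins only exists in the forest root,
        # so a missing group is skipped rather than treated as an error.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; Reason = "member of $g" } }
    }
)

# Any user object with a Service Principal Name is almost always a service account.
$candidates += @(
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' |
        ForEach-Object { [pscustomobject]@{ Account = $_.SamAccountName; Reason = 'holds an SPN' } }
)

# Accounts you know run updates or installs but match neither rule (assumed name).
$candidates += [pscustomobject]@{ Account = 'svc-wsus'; Reason = 'software update account' }

$exemptList = $candidates | Sort-Object Account -Unique
$exemptList | Format-Table -AutoSize
```

Treat the list as a starting point: an account that appears here but is used by a real person for day-to-day browsing should stay monitored, otherwise that person's traffic falls back to whichever user is already attributed to the device.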

12. Select both the Primary and Secondary Domain Controllers for your domain, and set the working mode to DC
Agent Mode. Click Next to start the installation.


Figure 9: Selecting the Domain Controllers

13. A server reboot is required to complete the installation. Click No if you wish to reboot the server at a
more convenient time, or Yes to commence the reboot. This will finish the installation wizard.

Figure 10: The reboot dialogue box

14. Repeat Steps 2 through 13 for the Secondary Domain Controller, if your School Network has one.

After Reboot

Once the DC server has rebooted, the next step is to open and configure the Fortinet Single Sign-On Agent.

FSSOA can be found in the Start Menu.

15. Click Start, and search for Fortinet


16. Click on Configure Fortinet Single Sign-On Agent


Figure 11: The Configure Fortinet application in Start Menu

17. In the Agent Configuration window that appears, tick the Require Authentication from FortiGate box,
and enter a strong password. This password is a shared secret between the Collector Agent and the FortiGate,
so generate a long random value rather than reusing an existing one.

Note: Take note of this authentication password and provide it to the N4L Engineer configuri

Figure 12: The configuration window


18. If there is a firewall controlling communications to/from your domain controllers, the following ports
need to be allowed for successful communication.

UDP 8002 (Between CAs and DCAs, which may be the same server)
TCP 8000 (Between CAs and N4L Managed FortiGate device)
TCP 389 (Between CAs and N4L Managed FortiGate device)
TCP 139 or 445 (Between CAs and User Devices) if using SMB (see Step 19)

Scope each rule to the specific peer addresses rather than allowing the port from any source. You can
safely ignore this step if no third party or Windows firewall is active in the LAN.

Figure 13: Port Explanation
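The port list in Step 18 translates directly into host firewall rules on a Collector Agent server. The following PowerShell is an added example and not part of the N4L article: it creates inbound rules scoped to the peers named above instead of "Any", notes where the workstation-side rules for the logoff checks of Step 19 belong, and ends with a reachability test. All addresses and the workstation name are assumptions.

```powershell
# Added example, not from the N4L article: Windows Firewall rules on a Collector
# Agent server, scoped to the peers the port list names. All addresses and host
# names are assumptions; replace them with your own.
$fortiGate   = '10.1.29.1'                 # N4L Managed FortiGate, LAN side (assumed)
$dcAgents    = '10.1.29.12', '10.1.29.13'  # servers running the DC Agent (assumed)
$workstation = 'LAB1-PC01'                 # any domain workstation, for the end-to-end test (assumed)

# FSSO (TCP 8000) and LDAP (TCP 389): inbound from the FortiGate only.
New-NetFirewallRule -DisplayName 'FSSO Collector - from FortiGate' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 8000, 389 -RemoteAddress $fortiGate

# DC Agent -> Collector Agent notifications: UDP 8002 from the DC Agent servers only.
New-NetFirewallRule -DisplayName 'FSSO Collector - from DC Agents' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol UDP -LocalPort 8002 -RemoteAddress $dcAgents

# Logoff checks run outbound from the CA to workstations (SMB 139/445, or WMI:
# TCP 135 plus a dynamic RPC port), so the inbound side lives on the workstations.
# Via Group Policy, or per host, enable the matching built-in rule group:
#   Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'                  # SMB option
#   Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'  # WMI option

# End-to-end check from the CA: can it reach a workstation on the SMB port?
$smbOk = Test-NetConnection -ComputerName $workstation -Port 445 -InformationLevel Quiet
"SMB to ${workstation}: $(if ($smbOk) { 'reachable' } else { 'BLOCKED - logoff events will be missed' })"
```

Run the rule creation once per Collector Agent server; the Test-NetConnection line is worth repeating against a workstation in each VLAN, since a single blocked subnet silently disables logoff detection for every device in it.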

19. It is recommended to automatically capture user logoff events to ensure that user traffic is not
mistakenly attributed to the first user of the day who logged onto a shared device.

There are two options to achieve this outcome:

1. Using the SMB protocol via the registry. This requires that ports TCP 139 and 445 are allowed
through any active firewalls on the school LAN (between Collector Agents and User Devices).
2. Use WMI to check user logoff events. This requires the WMI service to be enabled on both the
Windows DC Servers and the client devices, and RPC (TCP 135 plus a dynamic RPC port) to be allowed
from the Collector Agents to the client devices.

To enable the WMI Workstation Check:


1. Click Advanced Settings
2. Tick the box Use WMI to check user logoff


Figure 14: WMI Workstation Check

On Cutover day: Verify Connectivity with N4L Managed FortiGate Device and User Logon Capture

Once the N4L Engineer confirms the FSSO configuration on the N4L FortiGate is completed:

1. On the Primary DC Server, verify the connectivity between the FSSO Collector Agent and the FortiGate by
opening FSSOA Configuration and clicking on Show Service Status

If connectivity is established, the N4L Managed FortiGate Device serial number and IP address will appear in
the service status dialog box. Any other address in that list is a device that has authenticated to your
Collector Agent and should be explained.


Figure 15: Connection verified

Note: Secondary DCs will not show in this list unless connectivity to the Primary DC is lost

2. Verify both the Primary DC agent (and Secondary DC agent if configured) are registered on the FSSO
Agent by clicking on Show Monitored DCs

Figure 16: DCs verified

3. Verify the logged-on users registered with the FSSO Agent by clicking on Show Logon Users

You should see active usernames appearing in this list.


Both Primary and Secondary DCs will show this information.


Figure 17: Users verified

4. Test connectivity to a workstation to verify the log-off event will be registered by clicking Test
Workstation for one of the logged in users


Figure 18: Test Workstation Button

Observe the output: it should be either "User is still logged on" or "User is not logged on".

Any other result indicates that the Collector Agent could not reach the workstation, which means logoff
events for that device may not be captured.


Figure 19: Observe the Test Workstation Result
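The cutover checks above are done through the agent's dialogs. The following PowerShell is an added example, not from the N4L article, that performs the same checks from the Collector Agent server's own view: that the service is running, that it is listening on TCP 8000 and UDP 8002, that only the expected peer holds a session to it, and that the service binary is signed. The service is located by display name because the article does not give its internal service name, which is therefore an assumption.

```powershell
# Added example, not from the N4L article: local checks on a Collector Agent
# server that complement the "Show Service Status" dialog. The service is found
# by display name; its internal name is not given in the article.
$svc = Get-Service -DisplayName 'Fortinet Single Sign-On*' -ErrorAction Stop |
       Select-Object -First 1
$svc | Select-Object Name, DisplayName, Status, StartType

# The agent must listen where the FortiGate (TCP 8000) and DC Agents (UDP 8002) expect it.
Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint -LocalPort 8002 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Only the N4L FortiGate should hold an established session to TCP 8000;
# any other remote address talking to the agent deserves a look.
Get-NetTCPConnection -LocalPort 8000 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort

# The service binary should carry a valid Authenticode signature. Win32_Service
# gives the image path, possibly quoted and possibly followed by arguments.
$pathName = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName
$exe = if ($pathName -match '^"([^"]+)"') { $Matches[1] } else { ($pathName -split ' ')[0] }
Get-AuthenticodeSignature -FilePath $exe |
    Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
```

A signature Status other than Valid, or an established session from an address that is not the FortiGate, is worth raising with the N4L Engineer before the cutover proceeds.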

Logoff Behaviour without Logoff Event Monitoring

If logoff event capture is not set up, the first user logged into a device will have all traffic attributed to their
user account (and receive that user's filtering policy, whoever is actually at the keyboard) until:

The configured idle timer expires (default: 5 minutes)

The first user logs onto another device with a different IP address, where the user is only allowed one
simultaneous login.

Answers to Frequently Asked Questions

Identity-aware filtering policies based on AD groups will be configured in partnership with your N4L
Migration Engineer per your requirements; both during your school migration and after.
Single Sign-On options are available for Windows AD servers, Citrix Terminal Services, and RADIUS
servers (RSSO).

Any further inquiries can be directed to your dedicated N4L Migration Engineer who will work with you to
ensure your needs are covered.

Alternatively please call our friendly helpdesk team on 0800 LEARNING, who will be happy to help.



Copyright © 2020 The Network for Learning Ltd.