FORTIGATE - Identity - FSSO - Installation and Configuration
This article guides technical staff through the setup and configuration of Identity integration using the
Fortinet Single Sign-on (FSSO) Collector Agent
Article Content
In addition to attributing internet activity to a specific user for reporting purposes, users' group membership
can be used to enforce a customised filtering policy for different user groups; for example, students, teachers, and
Year 9s can each have different filtering rules applied to them.
Prerequisites
In order to follow the steps in this guide, you, your school's network, and your devices will need to meet the
following prerequisites:
Timeframe
Completing the steps in this guide typically takes 15 to 20 minutes per Active Directory Domain
Controller server.
A server reboot is required at the end of the installation.
In order for the N4L Managed Router to receive authentication events from your school’s directory, an FSSO
Collector Agent needs to be installed on your school's Primary and Secondary Domain Controllers. The
FSSO Collector Agent is a small software program which notifies the N4L Managed Router when users
authenticate to the network. This process associates Active Directory usernames with the corresponding
internet traffic passing through the N4L Managed Router.
In addition to the FSSO Collector Agent, an FSSO Domain Controller Agent must be installed on the FSSO
Collector Agent servers, and may also be installed on any additional domain controllers you may have in your
school network. The FSSO Domain Controller Agent passes authentication notifications to the FSSO
Collector Agent to ensure all authentication events are properly captured, regardless of which domain
controller a user authenticates against.
The following high-level design diagram shows the flow of authentication events and the responsibility
boundaries for FSSO.
https://support.n4l.co.nz/s/article/Identity-FSSO-Installation-and-Configuration 1/14
12/07/2020 Identity: FSSO - Installation and Configuration
Installing the FSSO Collector Agent and Domain Controller Agent package
1. Download the appropriate FSSO Collector Agent installer for your operating system version.
FSSO Collector Agent (x32) - For 32 Bit Windows Operating Systems (https://www.google.com/url?q=https://www.n4l.co.nz/wp-content/uploads/clients/FSSO_Setup_5.0.0275.exe&sa=D&source=hangouts&ust=1554499976654000&usg=AFQjCNEPmMudNPdVnSDBQS-UPM25p-jUuA)
FSSO Collector Agent (x64) - For 64 Bit Windows Operating Systems (https://www.google.com/url?q=https://www.n4l.co.nz/wp-content/uploads/clients/FSSO_Setup_5.0.0275_x64.exe&sa=D&source=hangouts&ust=1554499976654000&usg=AFQjCNHWRfZzrOw6HKaxCUtwgt_HU3_99w)
3. Enter an elevated username and password, which will be used to run the service.
Please Note: It is good security practice to create a service account (an account only used
4. On the Install Options page, make sure that both boxes are checked. Set the access method to
Advanced, and then click Next.
7. This starts the Domain Controller agent install (required on the Primary and Secondary DC servers of
your network).
Note: If you have additional Domain Controllers which authenticate network users, please con
This standalone client allows authentication event log messages to be sent to the N4L Manage
8. The DC Agent install wizard will guide you through setup. The first step is to bind the service to the
server's IP address.
9. Enter the server's local IP address and port 8002. Click Next.
10. From the pre-populated list, select the domains to be monitored by the FSSO agent. Click Next.
11. From the pre-populated list of users, select any users to be EXEMPTED from monitoring by the FSSO
agent. Click Next.
Important Note: DO NOT monitor accounts which are used for software updates, installations,
If you monitor these accounts, internet activity will be attributed to the admin accounts an
12. Select both the Primary and Secondary Domain Controllers for your domain, and set the working mode to DC
Agent Mode. Click Next to start the installation.
13. A server reboot is required to complete the installation. Click No if you wish to reboot the server at a
more convenient time, or Yes to commence the reboot. This will finish the installation wizard.
14. Repeat Steps 2 through 13 on the Secondary Domain Controller, if your school network has one.
After Reboot
Once the DC server has rebooted, the next step is to open and configure the Fortinet Single Sign-On Agent.
17. In the Agent Configuration window that appears, tick the Required Authentication from FortiGate box,
and enter a secure password.
Note: Take note of this authentication password and provide it to the N4L Engineer configuri
18. If there is a firewall controlling communications to/from your domain controllers, the following ports
need to be allowed for successful communication.
UDP 8002 (between Collector Agents (CAs) and Domain Controller Agents (DCAs), which may be on the same server)
TCP 8000 (between CAs and the N4L Managed FortiGate device)
TCP 389 (between CAs and the N4L Managed FortiGate device)
TCP 139 or 445 (between CAs and user devices) if using SMB for logoff detection (see Step 19)
You can safely ignore this step if no third-party or Windows firewall is active on the LAN.
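The following PowerShell is an added example, not part of the N4L article or Fortinet's installer: run on a Domain Controller that hosts the Collector Agent, it creates Windows Defender Firewall inbound rules for exactly the ports listed in Step 18, scoped to the peer addresses rather than to "Any", and then confirms that the agent is actually listening on them. The addresses in $FortiGateIp and $CollectorAgentIps are placeholders, and the rule directions (FortiGate and DC Agents connecting in to the Collector Agent) are an assumption drawn from the port descriptions above.

```powershell
# Added example (not from the N4L article): host-firewall rules for the FSSO ports in
# Step 18, restricted to the peers that need them, followed by a listener check.
#Requires -RunAsAdministrator

$FortiGateIp       = '192.0.2.10'                  # placeholder: N4L Managed FortiGate LAN address
$CollectorAgentIps = @('192.0.2.21', '192.0.2.22')  # placeholder: DCs running the DC Agent

# Inbound rules on a server running the Collector Agent (CA).
# RemoteAddress limits each rule to the peer named in Step 18 (least privilege for the DC).
$rules = @(
    @{ Name = 'FSSO DC Agent to CA (UDP 8002)';   Protocol = 'UDP'; LocalPort = 8002; Remote = $CollectorAgentIps },
    @{ Name = 'FSSO FortiGate to CA (TCP 8000)';  Protocol = 'TCP'; LocalPort = 8000; Remote = $FortiGateIp },
    @{ Name = 'FSSO FortiGate LDAP (TCP 389)';    Protocol = 'TCP'; LocalPort = 389;  Remote = $FortiGateIp }
)

foreach ($r in $rules) {
    # Idempotent: only create a rule if one with this display name does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.LocalPort -RemoteAddress $r.Remote `
            -Profile Domain | Out-Null
        Write-Host "Created rule: $($r.Name)"
    } else {
        Write-Host "Rule already present: $($r.Name)"
    }
}

# A permitted port is only useful if the agent is bound to it. Check the local listeners:
# TCP 8000 is the Collector Agent's FortiGate channel, UDP 8002 the DC Agent channel (Step 9).
$tcp8000 = Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue
$udp8002 = Get-NetUDPEndpoint   -LocalPort 8002 -ErrorAction SilentlyContinue

if ($tcp8000) { Write-Host 'Collector Agent is listening on TCP 8000' }
else          { Write-Warning 'Nothing is listening on TCP 8000: the Collector Agent service may not be running' }

if ($udp8002) { Write-Host 'DC Agent channel is bound on UDP 8002' }
else          { Write-Warning 'Nothing is bound on UDP 8002: check the DC Agent binding from Step 9' }
```

Scoping RemoteAddress to the FortiGate and DC addresses means a compromised client on the LAN cannot reach the Collector Agent's TCP 8000 or LDAP on the DC through these rules; if the FortiGate's LAN address changes, the rules must be updated, which is a small price for not exposing the DC to the whole network.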
19. It is recommended to automatically capture user logoff events, to ensure that traffic on a shared device is not
mistakenly attributed to the first user who logged on that day. This can be done in one of two ways:
1. Using the SMB protocol via the registry. This requires that ports TCP 139 and 445 are allowed
through any active firewalls on the school LAN (between Collector Agents and user devices).
2. Using WMI to check user logoff events. This requires the WMI service to be enabled on both the
Windows DC servers and the client devices.
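Before choosing between the two logoff-detection methods, it helps to know which one each workstation can actually answer. The script below is an added example (not from the N4L article or Fortinet): run from the Collector Agent server, it tests each workstation for SMB (TCP 445 or 139) and for classic WMI over DCOM, and reports which method would work. The hostnames in $Workstations are placeholders; whether the FSSO agent itself uses DCOM for its WMI checks is an assumption, so treat the WMI column as a reachability indicator rather than a guarantee.

```powershell
# Added example (not from the N4L article): per-workstation check of the two
# logoff-capture paths from Step 19, run from the Collector Agent server.

$Workstations = @('STUDENT-LAB-01', 'STAFF-PC-07')   # placeholder hostnames

function Test-FssoLogoffReachability {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        # Method 1 (SMB/registry): either SMB port open is enough for the registry check.
        $smb445 = (Test-NetConnection -ComputerName $c -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        $smb139 = (Test-NetConnection -ComputerName $c -Port 139 -WarningAction SilentlyContinue).TcpTestSucceeded
        $smbOk  = ($smb445 -or $smb139)

        # Method 2 (WMI): use a DCOM session explicitly, because Get-CimInstance -ComputerName
        # defaults to WS-Man (WinRM), which is a different service and firewall exception.
        $wmiOk = $false
        try {
            $opt     = New-CimSessionOption -Protocol Dcom
            $session = New-CimSession -ComputerName $c -SessionOption $opt -ErrorAction Stop
            $null    = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
            $wmiOk   = $true
            Remove-CimSession -CimSession $session
        } catch {
            $wmiOk = $false
        }

        if     ($wmiOk) { $method = 'WMI' }
        elseif ($smbOk) { $method = 'SMB (registry)' }
        else            { $method = 'NONE - logoff events will not be captured' }

        [pscustomobject]@{
            Computer     = $c
            Smb445       = $smb445
            Smb139       = $smb139
            WmiDcom      = $wmiOk
            UsableMethod = $method
        }
    }
}

Test-FssoLogoffReachability -ComputerName $Workstations | Format-Table -AutoSize
```

A workstation that reports NONE is exactly the case the article warns about: the first user of the day keeps every later user's traffic attributed to them until the agent learns of a logoff some other way. Fixing the client's firewall or WMI service before cutover is cheaper than explaining a mis-attributed web log afterwards.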
On Cutover Day: Verify Connectivity with the N4L Managed FortiGate Device and User Logon Capture
Once the N4L Engineer confirms the FSSO configuration on the N4L FortiGate is complete:
1. On the Primary DC server, verify the connectivity between the FSSO Collector Agent and the FortiGate by
opening FSSOA Configuration and clicking Show Service Status.
If connectivity is established, the N4L Managed FortiGate device's serial number and IP address will appear in
the service status dialog box.
Note: Secondary DCs will not show in this list unless connectivity to the Primary DC is lost
2. Verify that the Primary DC agent (and the Secondary DC agent, if configured) are registered with the FSSO
Agent by clicking Show Monitored DCs.
3. Verify the logged-on users registered with the FSSO Agent by clicking Show Logon Users.
4. Test connectivity to a workstation, to verify that its logoff event will be registered, by clicking Test
Workstation for one of the logged-in users.
Any other output may indicate a connectivity failure with the workstation, meaning that its logoff events may
not be captured.
If logoff event capture is not set up, the first user logged into a device will have all traffic attributed to their
user account until
Identity-aware filtering policies based on AD groups will be configured in partnership with your N4L
Migration Engineer according to your requirements, both during your school migration and afterwards.
Single Sign-On options are available for Windows AD servers, Citrix Terminal Services, and RADIUS
servers (RSSO).
Any further inquiries can be directed to your dedicated N4L Migration Engineer, who will work with you to
ensure your needs are covered.
Alternatively, please call our friendly helpdesk team on 0800 LEARNING, who will be happy to help.