Identity - FSSO - Installation and Configuration

This document provides instructions for installing and configuring Fortinet Single Sign-On (FSSO) on an Active Directory domain to integrate user identity with a FortiGate firewall. It involves installing FSSO collector and domain controller agents on primary and secondary domain controllers, configuring the agents, and opening specific ports for communication. The process takes 15-20 minutes per domain controller and requires a server reboot at the end of installation.

Uploaded by

Ayna

6/28/2021 Identity: FSSO - Installation and Configuration

Identity: FSSO - Installation and Configuration


This article guides technical staff through the setup and configuration of Identity integration using the Fortinet Single Sign-on (FSSO) Collector Agent

FSSO - Installation and Configuration on an Active Directory Domain


Fortinet Single Sign-On (FSSO) is the mechanism your N4L Managed FortiGate Firewall uses to transparently receive user identity information from login
events against directory servers such as Microsoft Active Directory.

In addition to attributing internet activity to a specific user for reporting purposes, users' group membership can be used to enforce a customised filtering
policy for different user groups, e.g. students, teachers, and Year 9s can each have different filtering rules applied to them.

Prerequisites

In order to follow the steps in this guide, you, your school's network, and your devices will need to meet the following prerequisites:

Your network must have at least one Active Directory Domain Controller.


You must have access to an Administrator account that can install software on the Domain Controller.

Timeframe

Completing the steps in this guide typically takes 15 to 20 minutes per Active Directory Domain Controller server.
A server reboot will be required at the end of the installation.

Pre-Cutover Activities: Download and Install the FSSO agent applications

In order for the N4L Managed Router to receive authentication events from your school’s directory, an FSSO Collector Agent needs to be installed on your
school's Primary and Secondary Domain Controllers. The FSSO Collector Agent is a small software program which notifies the N4L Managed Router when users
authenticate to the network. This process associates Active Directory usernames with the corresponding internet traffic passing through the N4L Managed Router.

In addition to the FSSO Collector Agent, an FSSO Domain Controller Agent must be installed on the FSSO Collector Agent servers, and may also be installed
on any additional domain controllers you may have in your school network. The FSSO Domain Controller Agent passes authentication notifications to the FSSO
Collector Agent to ensure all authentication events are properly captured, regardless of which domain controller a user authenticates against.

The following high-level design diagram shows the flow of authentication events and the responsibility boundaries for FSSO.

Figure 1: FSSO Responsibility Boundaries

Installing the FSSO Collector Agent and Domain Controller Agent package

1. Download the appropriate FSSO Collector Agent installer for your operating system version.

FSSO Collector Agent (x32) - For 32 Bit Windows Operating Systems


FSSO Collector Agent (x64) - For 64 Bit Windows Operating Systems

2. On your Primary Domain Controller, run the installer e.g. FSSO_Setup_5.0.0275_x64.exe


3. Click Next to continue.

https://support.n4l.co.nz/s/article/Identity-FSSO-Installation-and-Configuration 1/12

Figure 2: The Installer

3. Enter an elevated username and password, which will be used to run the service.

Please Note: It is good security practice to create a service account (an account only used by one service e.g. FSSO) w

Figure 3: Specify a Username and Password for the FSSO Agent

4. On the Install Options page, make sure that both boxes are checked. Set the access method to Advanced, and then click Next.

✅ Monitor User logon events and send the information to FortiGate.


✅ Serve NTLM authentication requests coming from FortiGate.


Figure 4: Check both boxes and choose Advanced before continuing

5. Setup will proceed.


6. On the final page of the wizard, ensure that Launch DC Agent Install Wizard is checked, and then click Finish.

Figure 5: Check the DC Agent Install box before continuing

7. This starts the Domain Controller agent install (required on the Primary and Secondary DC servers of your network).

Note: If you have additional Domain Controllers which authenticate network users, please contact an N4L Engineer or the

This standalone client allows authentication event log messages to be sent to the N4L Managed Router via the Collector

8. The DC Agent install wizard will guide you through setup. The first step is to bind the service to the server's IP address.
9. Enter the server's local IP address and port 8002. Click Next.


Figure 6: In this example, the Server's Local IP is 10.1.29.12

10. From the pre-populated list, select the domains to be monitored by the FSSO agent. Click Next.

Figure 7: Selecting Domains to be Monitored for Login Events

11. From the pre-populated list of users, select any users to be EXEMPTED from monitoring by the FSSO agent. Click Next.

Important Note: DO NOT monitor accounts which are used for software updates, installations, and other services that run

If you monitor these accounts, internet activity will be attributed to the admin accounts and not the user of the devic
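Building the exemption list by hand is error-prone, because the accounts that run services and scheduled tasks on a Domain Controller are rarely all known to one person. The following PowerShell, added here as an example and not part of the N4L article, enumerates the domain accounts configured as the logon identity of Windows services and scheduled tasks on the DC it runs on, which are the usual candidates for Step 11. The `Test-DomainAccount` helper and its filtering rules are this example's own assumptions; built-in principals (LocalSystem, NT AUTHORITY, NT SERVICE, BUILTIN) are skipped because FSSO does not treat them as interactive users.

```powershell
# Added example (not from the N4L article): list domain accounts that run
# services or scheduled tasks on this Domain Controller, as candidates for the
# FSSO "exempt from monitoring" list in Step 11. Run in an elevated PowerShell
# on each DC; the heuristic for "domain account" is an assumption.

function Test-DomainAccount {
    param([string]$Name)
    if (-not $Name) { return $false }
    if ($Name -match '@') { return $true }                 # UPN form: user@domain
    if ($Name -match '^(?<dom>[^\\]+)\\') {                 # DOMAIN\user form
        $local = @('NT AUTHORITY', 'NT SERVICE', 'BUILTIN', '.', $env:COMPUTERNAME)
        return ($local -notcontains $Matches.dom.ToUpper()) -and ($Matches.dom -ne '.')
    }
    return $false                                          # LocalSystem, SYSTEM, etc.
}

# Accounts configured as the logon identity of a Windows service
$serviceAccounts = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-DomainAccount $_.StartName } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Account = $_.StartName }
    }

# Accounts that scheduled tasks run as (e.g. update or backup jobs)
$taskAccounts = Get-ScheduledTask |
    Where-Object { Test-DomainAccount $_.Principal.UserId } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Task'; Name = $_.TaskName; Account = $_.Principal.UserId }
    }

# One row per distinct account: these are the names to exempt in the DC Agent wizard
$serviceAccounts + $taskAccounts | Sort-Object Account -Unique | Format-Table -AutoSize
```

Any admin account that staff use interactively for installations but that does not run a service will not appear here and still has to be added to the exemption list by hand; the script only removes the guesswork for accounts the server itself uses.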


Figure 8: Selecting User Accounts to be exempted from Login Event monitoring

12. Select both Primary and Secondary DC controllers for your domain, and set the working mode to DC Agent Mode. Click Next to start the installation.

Figure 9: Selecting the Domain Controllers

13. A server reboot is required to complete the installation. Click No if you wish to reboot the server at a more convenient time, or Yes to commence the
reboot. This will finish the installation wizard.


Figure 10: The reboot dialogue box

14. Repeat Steps 2 through 13 for the Secondary Domain Controller, if your School Network has one.

After Reboot

Once the DC server has rebooted, the next step is to open and configure the Fortinet Single Sign-On Agent.

FSSOA can be found in the Start Menu.

15. Click Start, and search for Fortinet


16. Click on Configure Fortinet Single Sign-On Agent

Figure 11: The Configure Fortinet application in Start Menu

17. In the Agent Configuration window that appears, tick the Required Authentication from FortiGate box, and enter a secure password.

Note: Take note of this authentication password and provide it to the N4L Engineer configuring your service. This passw


Figure 12: The configuration window

18. If there is a firewall controlling communications to/from your domain controllers, the following ports need to be allowed for successful communication.

UDP 8002 (between CAs and DCAs, which may be the same server)
TCP 8000 (between CAs and the N4L Managed FortiGate device)
TCP 389 (between CAs and the N4L Managed FortiGate device)
TCP 139 or 445 (between CAs and user devices) if using SMB (see Step 19)

You can safely ignore this step if no third party or Windows firewall is active in the LAN.

Figure 13: Port Explanation
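Where the Windows Firewall is active on the Domain Controllers, the ports in Step 18 can be opened with rules scoped to the peers that actually need them rather than to any source. The following PowerShell is an added example, not N4L's or Fortinet's own configuration; the FortiGate address, DC Agent addresses and LAN subnet are placeholders to substitute with your own values. Run it in an elevated PowerShell on each server that hosts a Collector Agent.

```powershell
# Added example (not from the N4L article): scoped Windows Firewall rules for
# the FSSO ports in Step 18, followed by a check that the Collector Agent (CA)
# is listening. All addresses below are placeholders (assumptions).

$FortiGateIp  = '203.0.113.10'                # assumption: N4L Managed FortiGate address
$DcAgentHosts = @('10.1.29.12', '10.1.29.13') # assumption: DCs running the DC Agent
$LanSubnet    = '10.1.0.0/16'                 # assumption: subnet containing user devices

# TCP 8000: FortiGate -> CA (logon information and NTLM authentication requests)
New-NetFirewallRule -DisplayName 'FSSO CA - FortiGate TCP 8000' -Direction Inbound `
    -Protocol TCP -LocalPort 8000 -RemoteAddress $FortiGateIp -Action Allow -Profile Domain

# TCP 389: FortiGate -> CA/DC (LDAP, used for group lookups)
New-NetFirewallRule -DisplayName 'FSSO CA - FortiGate TCP 389' -Direction Inbound `
    -Protocol TCP -LocalPort 389 -RemoteAddress $FortiGateIp -Action Allow -Profile Domain

# UDP 8002: DC Agents -> CA (forwarded logon events); restrict to the DCs only
New-NetFirewallRule -DisplayName 'FSSO CA - DC Agent UDP 8002' -Direction Inbound `
    -Protocol UDP -LocalPort 8002 -RemoteAddress $DcAgentHosts -Action Allow -Profile Domain

# TCP 139/445 for the SMB logoff check (Step 19) are *outbound* from the CA to
# user devices. Windows allows outbound traffic by default, so the rule that
# usually needs attention is the inbound SMB rule on the workstations, scoped
# to the CA addresses. Shown here for the CA side only:
New-NetFirewallRule -DisplayName 'FSSO CA - SMB logoff check' -Direction Outbound `
    -Protocol TCP -RemotePort 139, 445 -RemoteAddress $LanSubnet -Action Allow -Profile Domain

# Confirm the CA is bound where the FortiGate and the DC Agents expect it
Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint -LocalPort 8002 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

From another host on the LAN, `Test-NetConnection -ComputerName 10.1.29.12 -Port 8000` confirms the TCP path to the CA; UDP 8002 cannot be probed this way, so rely on the Show Monitored DCs check described later in the article for that leg.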

19. It is recommended to automatically capture user logoff events to ensure that user traffic is not mistakenly attributed to the first user of the day who logged
onto a shared device.

There are two options to achieve this outcome:

1. Using the SMB protocol via the registry. This requires that ports TCP 139 and 445 are allowed through any active firewalls on the school LAN (between
Collector Agents and User Devices).
2. Use WMI to check user logoff events. This requires the WMI service to be enabled on both the Windows DC Servers and the client devices.

To enable the WMI Workstation Check:


1. Click Advanced Settings
2. Tick the box Use WMI to check user logoff


Figure 14: WMI Workstation Check

On Cutover day: Verify Connectivity with N4L Managed FortiGate Device and User Logon Capture

Once the N4L Engineer confirms the FSSO configuration on the N4L Fortigate is completed:

1. On the Primary DC Server, verify the connectivity between the FSSO Collector Agent and the FortiGate by opening FSSOA Configuration and clicking
on Show Service Status.

If connectivity is established, the N4L Managed FortiGate Device serial number and IP address will appear in the service status dialog box.

Figure 15: Connection verified


Note: Secondary DCs will not show in this list unless connectivity to the Primary DC is lost.

2. Verify both the Primary DC agent (and Secondary DC agent if configured) are registered on the FSSO Agent by clicking on Show Monitored DCs

Figure 16: DCs verified

3. Verify the logged-on users registered with the FSSO Agent by clicking on Show Logon Users

You should see active usernames appearing in this list.


Both Primary and Secondary DCs will show this information.


Figure 17: Users verified

4. Test connectivity to a workstation to verify the log-off event will be registered by clicking Test Workstation for one of the logged in users


Figure 18: Test Workstation Button

Observe the output: either "User is still logged on" or "User is not logged on".

Any other output may indicate a failure of connectivity with the Workstation and reflects the possibility of not capturing log off events.
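The checks in this section are made through the FSSOA buttons, which is fine for one server but awkward to repeat across several DCs or after a change. The following PowerShell, added here as an example and not part of the N4L article, performs the equivalent checks from the command line: the Collector Agent service is running, TCP 8000 and UDP 8002 are bound, a session from the FortiGate is established, and a workstation answers the same WMI query the logoff check relies on. The FortiGate address, workstation name and the `*Fortinet*` service display-name filter are assumptions; run it in an elevated PowerShell on the Primary DC.

```powershell
# Added example (not from the N4L article): command-line equivalents of the
# "Show Service Status" and "Test Workstation" checks. Addresses, host names
# and the service display-name filter are assumptions.

$FortiGateIp = '203.0.113.10'   # assumption: N4L Managed FortiGate address
$Workstation = 'LAB-PC01'       # assumption: a device with a user logged on

# 1. Collector Agent service present and running
Get-Service | Where-Object { $_.DisplayName -like '*Fortinet*' } |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# 2. Collector Agent bound to TCP 8000 (FortiGate) and UDP 8002 (DC Agents)
$tcp = Get-NetTCPConnection -LocalPort 8000 -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint -LocalPort 8002 -ErrorAction SilentlyContinue
"TCP 8000 listening: $([bool]$tcp)   UDP 8002 bound: $([bool]$udp)"

# 3. FortiGate session established (what the serial/IP in Service Status reflects)
$fg = Get-NetTCPConnection -LocalPort 8000 -State Established -ErrorAction SilentlyContinue |
      Where-Object { $_.RemoteAddress -eq $FortiGateIp }
"FortiGate session from $FortiGateIp`: $([bool]$fg)"

# 4. Logoff-check reachability: SMB (TCP 445) and WMI over DCOM (TCP 135)
$smb = Test-NetConnection -ComputerName $Workstation -Port 445 -WarningAction SilentlyContinue
$rpc = Test-NetConnection -ComputerName $Workstation -Port 135 -WarningAction SilentlyContinue
"SMB reachable: $($smb.TcpTestSucceeded)   DCOM reachable: $($rpc.TcpTestSucceeded)"

# 5. The question the WMI logoff check asks: is anyone logged on at the console?
try {
    $opt  = New-CimSessionOption -Protocol Dcom
    $cs   = New-CimSession -ComputerName $Workstation -SessionOption $opt -ErrorAction Stop
    $user = (Get-CimInstance -CimSession $cs -ClassName Win32_ComputerSystem).UserName
    Remove-CimSession $cs
    if ($user) { "User is still logged on: $user" } else { "User is not logged on" }
} catch {
    # Corresponds to the article's "any other output": logoffs from this device
    # will not be captured until the WMI/DCOM path is fixed
    "WMI check failed for $Workstation : $($_.Exception.Message)"
}
```

Check 5 deliberately forces the DCOM transport rather than the default WS-Man one, because that is the path the agent's WMI workstation check uses; a workstation that answers over WinRM but not DCOM would otherwise pass the test while still failing logoff capture.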


Figure 19: Observe the Test Workstation Result

Logoff Behaviour without Logoff Event Monitoring

If logoff event capture is not set up, the first user logged into a device will have all traffic attributed to their user account until one of the following occurs:

The configured idle timer expires (default: 5 minutes)


The first user logs onto another device with a different IP address, where the user is only allowed one simultaneous login.

