Configuring FSSO advanced settings
Depending on your network topology and requirements, you may need to configure advanced settings in the FSSO Collector Agent. To do so, from the Start menu, select Programs > Fortinet > Fortinet Single Sign-On Agent > Configure Fortinet Single Sign-On Agent, then from the Common Tasks section, select Advanced Settings.
This section includes:
- General settings
- Citrix/Terminal server
- Exchange server
- RADIUS accounting
General settings
In the General tab, enter the following information and select OK.
| Setting | Description |
|---|---|
| Worker thread count | Number of threads started in the CA process. Default is 128 on CA version 5.0.0241. |
| Maximum FortiGate connections | Number of FortiGates that can be connected to the CA. Default is 64. |
| Group look-up interval | The interval in seconds at which users/groups are looked up. If the AD group membership of a currently logged-on user changes, the CA can detect this and update the information on the FortiGate. Enter 0 for no checking. |
| Windows security Event logs | Choose the event logs to poll. |
| Event IDs to poll | The default set (0) includes Kerberos authentication event logs (672 for Windows Server 2003; 4768 for Windows Server 2008 and 2012) and NTLM authentication event logs (680 for Windows Server 2003; 4776 for Windows Server 2008 and 2012). The extended set (1) includes Kerberos service ticket event logs (673 for Windows Server 2003; 4769 for Windows Server 2008 and 2012). Service tickets are obtained whenever a user or computer accesses a server on the network. List the event IDs separated by ";". |
| Workstation Check | Optionally enable Use WMI to check user logoff so that the collector agent queries whether a user is still logged on. |
| Workstation Name Resolution Advance Options | See the advanced settings below. |

Workstation Name Resolution Advance Options (advanced settings):

| Setting | Description |
|---|---|
| Alternative DNS server(s) | By default the Collector Agent uses the DNS server configured on the machine it is running on. If the CA should use another DNS server, one or more alternative DNS servers can be configured here. |
| Alternative workstation suffix(es) | If only the host name is available, the CA uses the default domain suffix to build a FQDN for DNS queries. If the CA should use a different suffix, it can be configured here. |
Citrix/Terminal server
In the Citrix/Terminal server tab, enter the following information and select OK.

| Setting | Description |
|---|---|
| Support Citrix/Terminal Server Virtual IP Environment | When Citrix servers are configured with VIP, the CA can get user logon events from these servers. Citrix changed their interface and data format, so the version of the Citrix server is important. |
| Citrix server before version 6.0 | Enable this option if your Citrix server version is before 6.0. |
| Server list | Enter the list of servers separated by colon. |
| Citrix server version 6.0 or later, or Terminal Server | Enable this option if your Citrix server version is 6.0 or later. |
| Server list | Enter the list of servers separated by colon. |
Exchange server
FSSO supports monitoring a Microsoft Exchange server. This is useful in situations where users use their domain account to access their email but the client device may or may not be in the domain. Support for Exchange server is configured on the back-end FSSO collector agent under Advanced Settings > Exchange Server.
Select Add and enter the following information and select OK.

| Setting | Description |
|---|---|
| Domain Name | Enter your domain name. |
| Server IP/Hostname | Enter the IP address or the hostname of your Exchange server. |
| Polling forwarded event log | Use this option when you do not want the CA to poll the Exchange server logs directly. In this case you need to configure event log forwarding on the Exchange server; Exchange event logs can be forwarded to any member server. If you enable this option, you must configure the IP of that member server instead of the IP of the Exchange server configured in the previous step, and the CA will then contact the member server. |
| Ignore Name | The CA also checks the Windows log files for logon events. When a user authenticates to the Exchange server there is also a logon event in the Windows event log, which the CA reads, and this overwrites the Exchange server logon event (ESEventLog) on the CA. It is therefore recommended to set the ignore list to the domain the user belongs to: enter the domain name in the Ignore Name field and select Add. |
RADIUS accounting
A RADIUS server must be configured in your network to send accounting messages to the Collector Agent, which can be configured to work with most RADIUS-based accounting systems. In most cases, you only need to do the following on your RADIUS accounting system:
- Add a user group name field to customer accounts on the RADIUS server so that the name is added to the RADIUS Start record sent by the accounting system to the Collector Agent. User group names do not need to be added for all users, only to the accounts of users who will use the RADIUS Accounting feature on the Collector Agent.
- Configure your accounting system to send RADIUS Start records to the Collector Agent.
The Collector Agent should be configured to listen for RADIUS accounting messages as follows.

RADIUS Accounting Server

| Setting | Description |
|---|---|
| Enable RADIUS Accounting Server | Enable this option to allow the CA to gather information about authenticated users via a RADIUS server and send this information to the FortiGate unit for monitoring. |
| Listen port | The port on which the CA listens for RADIUS accounting messages. The default RADIUS accounting port is 1813, but if the RADIUS server sends accounting messages on a different port, that value can be configured here. |
| Shared secret | Common secret between the CA and the RADIUS server. |
| Default domain name | This should be the AD domain for which this CA is configured. In this case the user name in the RADIUS accounting message can be in a simple format like user1. If this value is empty, the user name in the RADIUS accounting message must be in one of these formats: user1@domain, Domain\user1 or domain/user1. The CA uses the user name and domain to query the group membership of the user. The client IP address (Framed IP) should also be in the RADIUS accounting message, so that the CA can forward the user name, IP address and groups to the FortiGate. |
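As an added example (not from the Fortinet documentation or the Collector Agent's own code), the following Python sketch shows the checks a RADIUS accounting listener such as the CA performs on a Start record: validating the Request Authenticator with the shared secret, extracting User-Name and Framed-IP-Address from the attributes, and resolving the domain from the three user-name formats or the Default domain name. The shared secret, domain, user and IP values are constructed for the example.

```python
import hashlib
import ipaddress
import struct

# Constructed values for this example, not from the Fortinet page.
SHARED_SECRET = b"example-secret"
ACCT_REQUEST, ACCT_START = 4, 1
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40   # RFC 2865/2866 attribute types


def split_user(user_name, default_domain):
    """Apply the CA's user-name rules: user@domain, Domain\\user, domain/user, else default domain."""
    if "@" in user_name:
        user, domain = user_name.split("@", 1)
    elif "\\" in user_name:
        domain, user = user_name.split("\\", 1)
    elif "/" in user_name:
        domain, user = user_name.split("/", 1)
    elif default_domain:
        domain, user = default_domain, user_name
    else:
        raise ValueError("no domain in user name and Default domain name is empty")
    return domain.upper(), user

def build_acct_start(ident, user_name, framed_ip, secret=SHARED_SECRET):
    """Construct an Accounting-Request Start packet (RFC 2866) as sample input."""
    attrs = bytes([USER_NAME, 2 + len(user_name)]) + user_name.encode()
    attrs += bytes([FRAMED_IP, 6]) + ipaddress.IPv4Address(framed_ip).packed
    attrs += bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", ACCT_START)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_acct_start(pkt, secret=SHARED_SECRET, default_domain="CORP"):
    """Check the authenticator against the shared secret, then extract what the CA forwards."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    if hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):                # walk the TLV attribute list
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed attribute")
        attrs[t], pos = pkt[pos + 2:pos + l], pos + l
    if struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, b"\0\0\0\0"))[0] != ACCT_START:
        return None                           # only Start records register a logon
    domain, user = split_user(attrs[USER_NAME].decode(), default_domain)
    return {"domain": domain, "user": user, "ip": str(ipaddress.IPv4Address(attrs[FRAMED_IP]))}
```

A packet whose authenticator does not match the configured shared secret is rejected before any user or IP information is taken from it, which is why the Shared secret setting must match on both sides.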