Administration Guide

FortiClient SSO Mobility Agent

The FortiClient SSO Mobility Agent is a feature of FortiClient Endpoint Security. The agent automatically provides user name and IP address information to FortiAuthenticator for transparent authentication. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator. When the user logs off or otherwise disconnects from the network, FortiAuthenticator is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent Service must be enabled in Fortinet SSO Methods > SSO > General. See Enable FortiClient SSO Mobility Agent Service.

Setup of the FortiClient SSO Mobility Agent uses standard Msiexec installation switches as well as FortiClient SSO switches, including SSOSERVER, SSOPORT, and SSOPSK. For example: FortiClientSSO.msi /qn /i SSOSERVER="1.2.3.4" SSOPORT="8001" SSOPSK="pre_shared_key".

For additional Msiexec installation switches, see Microsoft's documentation on command-line options.
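An added deployment wrapper for the silent install described above (example code, not from the Fortinet guide): it passes the SSOSERVER, SSOPORT and SSOPSK properties to msiexec, reads the pre-shared key at run time instead of embedding it in the script, and checks the installer exit code. The msiexec argument order, the MSI and log paths, and the prompt for the PSK are assumptions for illustration.

```powershell
# Added example, not Fortinet's own script. Silent install of the
# FortiClient SSO Mobility Agent with the SSO properties from the guide.
param(
    [Parameter(Mandatory)][string]$SsoServer,                  # FortiAuthenticator address
    [int]$SsoPort = 8001,                                      # port used in the guide's example
    [string]$MsiPath = "$PSScriptRoot\FortiClientSSO.msi",     # assumed package location
    [string]$LogPath = "$env:TEMP\FortiClientSSO-install.log"  # assumed log location
)

# Prompt for the PSK so it does not sit in the script or the shell history.
$secure = Read-Host -Prompt 'SSOPSK' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$psk    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }
if ($SsoPort -lt 1 -or $SsoPort -gt 65535) { throw "Invalid SSOPORT: $SsoPort" }

# Standard msiexec switches (/i install, /qn no UI, /l*v verbose log) followed by
# the FortiClient SSO public properties. Verbose MSI logs can record public
# property values, so keep the log in an admin-only location and delete it
# once the install has been verified.
$msiArgs = @(
    '/i',   "`"$MsiPath`"",
    '/qn',
    '/l*v', "`"$LogPath`"",
    "SSOSERVER=`"$SsoServer`"",
    "SSOPORT=`"$SsoPort`"",
    "SSOPSK=`"$psk`""
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED; anything else is a failure.
switch ($proc.ExitCode) {
    0       { Write-Host "Installed. Log: $LogPath" }
    3010    { Write-Host "Installed; reboot required. Log: $LogPath" }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}
```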

For information on configuring FortiClient, see the FortiClient Administration Guide for your device.

Fake client protection

Some attacks are based on a user authenticating to an unauthorized AD server in order to spoof a legitimate user logon through the FortiClient SSO Mobility Agent. You can prevent this type of attack by enabling NTLM authentication (see Enable NTLM).

FortiAuthenticator will initiate NTLM authentication with the client, proxying the communications only to the legitimate AD servers it is configured to use.

If NTLM is enabled, FortiAuthenticator requires NTLM authentication when:

  • the user logs on to a workstation for the first time,
  • the user logs off and then logs on again,
  • the workstation IP address changes,
  • the workstation user changes,
  • and NTLM authentication expires (user configurable).