Fortinet Document Library

Version: 6.0.0

DC agent mode and polling mode

This section describes the DC agent mode and polling mode referenced in this document.

Note: DC agent mode is sometimes called agent mode, and polling mode is sometimes called agent-less mode.

FSSO for Windows AD requires at least one CA. DC agents may also be required depending on the CA working mode. There are two working modes to monitor user logon activity: DC agent mode or polling mode.

|                  | DC agent mode | Polling mode |
|------------------|---------------|--------------|
| Installation     | Complex — multiple installations: one agent per DC plus CA; requires a reboot | Easy — only CA installation; no reboot required |
| Resources        | Shares resources with DC system | Has own resources. However, if polling is done from a CA installed on a DC, then DC resources are used. |
| Network load     | Each DC agent requires a minimum of 64 kbps bandwidth, adding to network load | Advanced users might increase the polling period during busy periods to reduce network load |
| Confidence level | Captures all logons | For NetAPI mode, potential to miss a logon if the polling period is too great |

DC agent mode is the standard mode for FSSO. In DC agent mode, a Fortinet authentication agent is installed on each domain controller. These DC agents monitor user logon events and pass the information to the CA, which stores the information and sends it to the FortiGate unit. DC agent mode provides reliable user logon information; however, you must install a DC agent on every domain controller. A reboot is needed after the agent is installed. Each installation requires some maintenance as well. For these reasons it may not be possible to use DC agent mode.

In polling mode, the CA polls port 445 of each DC for user logon information every few seconds and forwards it to the FortiGate unit. A major benefit of polling mode is that no FSSO DC agents are required. If it is not possible to install FSSO DC agents on your domain controllers, this is the alternative configuration available to you. Polling mode results in a less complex install. The minimum permissions required in polling mode are to read the event log or call NetAPI.

Note that you should always configure more than one CA. If using DC agents, ensure all DC agents are aware of all CAs.

You should also add service accounts to the Ignore User List in the CA to avoid having service account logins overwrite end user logins on the same workstation.
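The two polling-mode caveats above (a snapshot poll can miss a short logon when the polling period is too long, and a service account logon can overwrite the end user's entry for the same workstation unless it is on the Ignore User List) can be seen in a small simulation. This is an added example, not Fortinet's code; it assumes a simplified NetAPI-style poll that only sees sessions open at the instant of each poll, and the session data is constructed.

```python
"""Simplified model of snapshot polling of DC logon sessions (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    start: int  # seconds since start of observation window
    end: int    # seconds, exclusive


# Constructed sample sessions, not real data.
SESSIONS = [
    Session("alice", "10.0.0.5", 0, 600),
    Session("svc_backup", "10.0.0.5", 120, 130),  # service logon on alice's PC
    Session("bob", "10.0.0.7", 35, 50),           # 15-second session
    Session("carol", "10.0.0.9", 200, 205),       # 5-second session
]


def poll(sessions, period, horizon, ignore=frozenset()):
    """Poll every `period` seconds from 0 to `horizon` (inclusive).

    Each poll sees only sessions open at that instant (NetAPI-style snapshot).
    Returns (ip -> user mapping, set of users never observed). Users in
    `ignore` are still observed but never overwrite the ip -> user mapping,
    which is the role of the CA's Ignore User List.
    """
    mapping = {}
    seen = set()
    for t in range(0, horizon + 1, period):
        for s in sessions:
            if s.start <= t < s.end:
                seen.add(s.user)
                if s.user not in ignore:
                    mapping[s.ip] = s.user  # last observation wins
    missed = {s.user for s in sessions} - seen
    return mapping, missed


def longest_missable_session(period):
    """A session shorter than the period can fall entirely between two polls;
    any session of length >= period always contains a poll instant."""
    return period - 1
```

With a 10-second period every session is seen, while a 60-second period never observes bob or carol; with the poll that lands at t=120, svc_backup replaces alice on 10.0.0.5 unless it is ignored.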
