Agents used in FSSO implementation
This document refers to different FSSO agents that can be used in an FSSO implementation:
- Domain Controller (DC) agent
- eDirectory agent
- Citrix/Terminal Server (TS) agent
- Collector agent (CA)
Use this section to get familiar with the different agents referenced in this document.
Domain Controller agent
The DC agent must be installed on every domain controller if you will use DC agent mode, but is not required if you use polling mode. See DC agent mode and polling mode.
The eDirectory agent is installed on a Novell network to monitor user logons and send the required information to the FortiGate unit. It functions much like the Collector agent on a Windows AD domain controller.The agent can obtain information from the Novell eDirectory using either the Novell API or LDAP.
Citrix/Terminal Server (TS) agent
The Citrix/Terminal Server (TS) agent is installed on a Citrix terminal server to monitor user logons in real time. It functions much like the DC Agent on a Windows AD domain controller.
The CA is installed as a service on a server in the Windows AD network to collect and compile information about user logons, and then send the required information to the FortiGate unit or FortiManager unit, according to Group Filter settings. The CA can collect information from the following agents:
- DC agent (Windows AD)
- TS agent (Citrix Terminal Server)
In a Windows AD network, the CA can optionally obtain logon information by polling the AD domain controllers. In this case, DC agents are not needed.
The CA is responsible for DNS lookups, group verification, workstation checks, and as mentioned FortiGate updates of logon records. The FSSO CA sends AD group membership information to FortiGate units. The CA communicates with the FortiGate over TCP port 8000, and the DC and TS agents also use UDP port 8002 to update the CA.
When using the GUI, you can configure the FortiGate unit to have up to five CAs for redundancy. If the first on the list is unreachable, the next is attempted, and so on down the list until one is contacted. FortiGate does not fallback to a CA agent when a previously unreachable agents returns online again. FortiGate uses only one CA at a time.
All DC agents must point to the correct CA port number and IP address on domains with multiple DCs. If you want to achieve redundancy with two or more Collectors inside the same network, all the DC/TS agents must report to all CA agents.