Technical Tip : FSAE Standard mode installation procedure (Step by Step guide)

Description
This article explains how to deploy FSAE in Standard Mode in an Active Directory environment.

Solution
The FSAE solution consists of two components. At least one Collector Agent must be installed on one Domain Controller, and the Domain Controllers DCAgent component must be installed on the other Domain Controllers.

Install the Collector agent on the selected Domain Controller.

1. Download the latest FSAE build from the Fortinet support site. The FSAE installation files are posted together with the firmware images in a FSAE folder. All FSAE builds are backward compatible so it is recommended to download latest build even if running an older firmware version. 2. Run the FSAE setup file.

http://kb.fortinet.com/ kb/microsites/search. do? cmd=displayKC&doc Type=kc&externalId= FD31882&sliceId=1& docTypeID=DT_KCA RTICLE_1_1&dialogI D=28153473&stateId =0%200% 2028151676

3. Select the Destination folder.

4. Specify Credentials to run FSAE service. The selected user name MUST be Domain Admin.

5. Accept the default settings to deploy FSAE in standard mode.

6. Wait for installer to copy all files and finish the installation. Make sure that the "Launch DC agent Install Wizard" check box is selected.

DCAgent Deployment
The DCAgent component could be pushed from the Collector Agent during FSAE installation or at any other time. There is also a standalone DCAgent installer available in case required ports for network installation are not available (tcp/139 and tcp/445). Ensure that the DCAgent component is installed on ALL domain controllers otherwise some logon events will be missed and as a result users will be recognized as guests or blocked (depends on the configuration). 1. If installing DCAgents during FSAE installation, make sure that the 'Launch DC agent Install Wizard' check box is selected before selecting the 'Finish' button. 2. Select Collector Agent IP address and communication port (use the defaults or specify custom settings).

3. Select the domain to be monitored (usually only one domain is displayed, if many domains are displayed select the required one from the list).

4. Select service accounts to be ignored (this is optional. Users can be added to the ignore list whenever needed.)

5. Select all Domain Controllers from the list. If FSAE is being deployed in a particular AD site make sure that all selected DCs are from this site only. Accept default (DC Agent) working mode.

6. Verify that DC Agent deployment was successful.

7.

Reboot all Domain Controllers. Select 'Yes' to perform a reboot.

8.

Select 'Finish' to complete the FSAE installation and reboot the Collector Agent Domain Controller.

Collector Agent Initial Configuration

1. After reboot open Start > program Files > Fortinet > Fortinet Server Authentication Extension > Config FSAE 2. Set logging level to Information (by default Warning is selected). This will be needed for further troubleshooting. Do not select Debug if not required by support engineer. Most events required for troubleshooting could be found when logging level set to Information, while Debug will clutter logs with excessive information and will use up allocated space within a few minutes

3. Specify custom password to communicate with FortiGate (default password is fortinetcanada)

FortiGate Configuration
1. Connect to WebUI and pen User > Directory Service > Click Create New Button 2. Fill object name and point it to IP address if the DC where Collector Agent was installed. Specify same password as configured on Collector Agent. If deploying more then one Collector agent enter it's IP below (Up to 5 Collector Agents can be deployed)

3. Click on Refresh button until you'll see your AD tree on FortiGate. You may configure group filter on Collector Agent if you'd like to see only particular groups on FortiGate instead of the whole AD tree. You may do this at this stage or any other time, just remember to refresh this view to apply filter

4. Map user group on FortiGate to Ad groups. User > user Groups > Create New 5. Make sure you set group type as Directory Service and select required user group from the list

Identity Based Policies

1. Open Firewall > policy and edit required policy properties 2. Enable identity based policies

3. Enable FSAE

4. Select groups and configure protocols, protection profile settlings. Enable logging if required

5. Repeat this step for each mapped group. Assign different protection profiles, allow different protocols as required 6. Add FSAE_Guest_users to identity based policies. Guests are users that are non members of you AD or members of the AD groups with are not included in Group filter. You may use one of the existing protection profiles or create dedicated one for guests only, depending on your Internet access policies

How to verify FSAE is working properly

1. Logon to one of the stations and access Internet resource 2. Use the CLI command from the FortiGate:

diagnose debug authd fsae list

If FSAE is working properly the output should be similar to the following example:

Lab-PLG # diagnose debug authd fsae list ----FSAE logons---IP: 192.168.1.230 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS IP: 192.168.1.240 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS Total number of users logged on: 2

----end of FSAE logons---3. The following successful FSAE authentication events should be seen in the FortiGate event log (Log & Report > Log Access > Remote or memory > Event Log:

4. To check server connectivity, run the following commands from CLI:

Lab-PLG # diagnose debug en Lab-PLG # diagnose debug authd fsae server-status Lab-PLG # Server Name ----------SBS-2003 Connection Status ----------------connected

Last Modified Date: 06-01-2010 Document ID: FD31882