FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mturic
Staff
Article Id 191060

Description


This article describes how to configure TS-Agent, which allows multiple users to connect through the same terminal server simultaneously while restricting each user's access based on their credentials.
TS-Agent is the Terminal Services FSSO Agent. It identifies users by the source port range assigned to each authenticated user, unlike DC-Agent or FSSO polling mode, which identify users by IP address.

The Terminal Server (TS) agent can be installed on a Citrix, VMware Horizon 7.4, or Windows Terminal Server (such as a jump server) to monitor user logons in real time.



Scope


For Fortinet Single Sign On (FSSO) TS-Agent.

Solution


Download the 'TSAgent_Setup- .exe' or '-msi' package from the Downloads section of the support portal.
It is located in the FSSO directory within the FortiGate firmware downloads.
Install it as follows:

After the TS-Agent has been installed, the installer offers the option to set parameters such as the port ranges and the number of port ranges per user.
Note that the secure communication option is only available for use with FortiAuthenticator and not with FSSO CA.
If secure communication is used, make sure the firewall allows TCP port 8002; for unsecured communication, allow UDP port 8002.

Verifying TS-Agent users on the collector agent.

Logon user list on collector agent.

Note that by default, both TS-Agent and EventLog/DC-Agent types of logon events will be seen, which in some environments can cause undesired authentication issues.
When a user logs into a terminal server with a TS Agent installed, this typically generates two FSSO sessions:

  • One session with an IP and a port-range (sourced from the TS Agent).
  • One standard session for the whole IP, no port ranges (sourced from event log polling/DC Agent/NetAPI).


To ensure correct authentication, all terminal server IP addresses need to be added in the Collector Agent’s registry key dc_agent_ignore_ip_list:


HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
Value name: 'dc_agent_ignore_ip_list'
Value data: semicolon-separated list of IPs to ignore by the Collector Agent
This will drop non-TS-Agent FSSO sessions (event log polling, DC Agent, NetAPI) for those IPs.

Verifying FortiGate user Auth list and Session List:

# diagnose debug authd fsso list | grep USER1

IP: 172.31.128.12  User: USER1  Groups: CN=USER1,CN=USERS,DC=HARSHAVARDHAN,DC=COM+CN=ATTACKERS,CN=USERS,DC=HARSHAVARDHAN,DC=COM  Workstation: 172.31.128.12!HARSHAVARDHAN!0000000
MemberOf: Admin Tsagent Domain Users- FSSO Session ID: 1 Port Range(2): 1024-1223 1224-1423
Session List:
session info: proto=6 proto_state=01 duration=565 expire=3577 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=USER1 auth_server=FSSO Agent state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=4079/35/1 reply=4958/41/1 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=10.40.63.254/172.31.128.12
hook=post dir=org act=snat 172.31.128.12:1087->172.217.194.189:443(10.40.48.17:61503)
hook=pre dir=reply act=dnat 172.217.194.189:443->10.40.48.17:61503(172.31.128.12:1087)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=8 auth_info=6 chk_client_info=0 vd=0
serial=01f5964d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
total session 1
The same result can be verified with the following command:
# diagnose firewall auth list | grep USER1
Note that traffic with no ports, such as ICMP, or traffic generated by applications such as SMB that do not use the user port range assigned by the TS Agent, will not match the identity-based policy.
As a result, it will be dropped by the FortiGate. The TS Agent can only intercept traffic initiated by a user process.
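As an added illustration (not Fortinet code, and a simplified model rather than the FortiGate implementation), the following Python parses a list in the format of the `diagnose debug authd fsso list` output above and shows how a flow is attributed to a user: TS-Agent sessions match by source IP plus source port range, while a whole-IP session from polling/DC Agent/NetAPI matches everything from that host unless the host is in dc_agent_ignore_ip_list. The sample list, the USER2 entry and the whole-IP entry for USER1 are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the `diagnose debug authd fsso list` output above (not real output):
# USER1/USER2 have TS-Agent port ranges; the last entry stands in for the whole-IP session (no port
# range) that event-log polling / DC Agent / NetAPI creates for the same terminal server.
FSSO_LIST = """\
IP: 172.31.128.12  User: USER1  Groups: CN=USER1,CN=USERS,DC=EXAMPLE,DC=COM  Workstation: 172.31.128.12!EXAMPLE!0000000
MemberOf: Admin Tsagent Domain Users- FSSO Session ID: 1 Port Range(2): 1024-1223 1224-1423
IP: 172.31.128.12  User: USER2  Groups: CN=USER2,CN=USERS,DC=EXAMPLE,DC=COM  Workstation: 172.31.128.12!EXAMPLE!0000000
MemberOf: Tsagent Domain Users- FSSO Session ID: 2 Port Range(1): 1424-1623
IP: 172.31.128.12  User: USER1  Groups: CN=USER1,CN=USERS,DC=EXAMPLE,DC=COM  Workstation: 172.31.128.12!EXAMPLE!0000000
MemberOf: Admin Domain Users- FSSO Session ID: 3
"""

@dataclass
class FssoSession:
    ip: str
    user: str
    port_ranges: List[Tuple[int, int]]  # empty list = whole-IP session (no TS-Agent port range)

def parse_fsso_list(text: str) -> List[FssoSession]:
    """Parse the two-line-per-user format into FssoSession records."""
    lines = [l for l in text.splitlines() if l.strip()]
    sessions = []
    for head, detail in zip(lines[0::2], lines[1::2]):
        m = re.search(r"IP:\s*(\S+)\s+User:\s*(\S+)", head)
        if not m:
            continue
        pr = re.search(r"Port Range\(\d+\):\s*((?:\d+-\d+\s*)+)", detail)
        ranges = [tuple(map(int, r.split("-"))) for r in pr.group(1).split()] if pr else []
        sessions.append(FssoSession(m.group(1), m.group(2), ranges))
    return sessions

def resolve_user(sessions: List[FssoSession], src_ip: str, proto: int,
                 src_port: Optional[int] = None, ignore_ips=()) -> Optional[str]:
    """User an identity-based policy attributes the flow to, or None (flow dropped).
    TS-Agent sessions match only TCP(6)/UDP(17) flows whose source port is in the user's range.
    A whole-IP session matches every flow from the host unless the host is in ignore_ips,
    i.e. dc_agent_ignore_ip_list: without it, unmatched flows are misattributed to that user."""
    for s in sessions:
        if s.ip == src_ip and s.port_ranges and proto in (6, 17) and src_port is not None:
            if any(lo <= src_port <= hi for lo, hi in s.port_ranges):
                return s.user
    for s in sessions:
        if s.ip == src_ip and not s.port_ranges and src_ip not in ignore_ips:
            return s.user
    return None
```

Running `resolve_user` with and without the terminal server in `ignore_ips` shows why the registry key matters: without it, ICMP and out-of-range source ports (the SMB case above) are silently attributed to whichever user owns the whole-IP session instead of being dropped.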

 

Related articles:

Technical Tip: Excluding IP addresses from FSSO logon events

Technical Tip: Terminal Server Agents and SMB Shared Folders