Created on 07-20-2021 08:49 AM Edited on 11-25-2021 02:02 AM By Anthony_E
Description
This article describes an interaction between FortiAuthenticator and TS Agent that can cause user sessions to go missing from FortiAuthenticator unexpectedly.
Solution
In environments with terminal servers and Fortinet Single-Sign-On (FSSO), user sessions can under some circumstances be missing from FortiAuthenticator, so that dependent FortiGates do not identify the traffic correctly.
In particular, this can happen for very long-lasting terminal server/RDP sessions.
This arises from how the Terminal Server (TS) Agent handles logins, combined with a timeout setting on FortiAuthenticator:
- Terminal Server Agent only reports new user sessions, and the assigned port ranges, to FortiAuthenticator; it does not keep track of persisting user sessions or inform FortiAuthenticator of them.
- FortiAuthenticator has a hard timeout configured for Single-Sign-On sessions: the 'Logon Expiry' timer under Fortinet SSO Methods -> SSO -> General.
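Taken together, the two points above mean that a terminal server session older than the 'Logon Expiry' value is a candidate for being absent from FortiAuthenticator. The following is an added example, not Fortinet code: it parses `quser`-style output from a terminal server and lists the sessions whose logon age exceeds a given expiry. The sample output, the function names, the US date format and the 480-minute value are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `quser` output (US date format assumed).
SAMPLE_QUSER = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>alice                 rdp-tcp#0           2  Active          .  7/20/2021 7:55 AM
 bob                   rdp-tcp#4           3  Active       1:12  7/19/2021 6:30 PM
 carol                                     5  Disc      2+03:10  7/16/2021 9:01 AM
"""

# SESSIONNAME is optional: disconnected sessions leave that column blank.
ROW = re.compile(
    r"^[ >]?(?P<user>\S+)\s+(?:(?P<name>\S+)\s+)?(?P<id>\d+)\s+"
    r"(?P<state>Active|Disc)\s+(?P<idle>\S+)\s+"
    r"(?P<logon>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s*$"
)

def parse_quser(text):
    """Return (user, session_id, state, logon_time) for each session row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header and blank lines do not match
            logon = datetime.strptime(m["logon"], "%m/%d/%Y %I:%M %p")
            rows.append((m["user"], int(m["id"]), m["state"], logon))
    return rows

def sessions_past_expiry(text, now, logon_expiry_minutes):
    """List sessions that have been logged on longer than the expiry timer.

    These were reported once at logon and not again, so their SSO entry
    may already have timed out while the session itself is still open.
    """
    limit = timedelta(minutes=logon_expiry_minutes)
    return [
        (user, sid, state, now - logon)
        for user, sid, state, logon in parse_quser(text)
        if now - logon > limit
    ]

if __name__ == "__main__":
    # 480 is a constructed value; use the one configured under
    # Fortinet SSO Methods -> SSO -> General.
    now = datetime(2021, 7, 20, 8, 49)
    for user, sid, state, age in sessions_past_expiry(SAMPLE_QUSER, now, 480):
        print(f"{user} (session {sid}, {state}) logged on for {age}")
```

Comparing the users listed here against the SSO sessions shown on FortiAuthenticator confirms whether the missing entries are the long-lived ones.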