Note: After an upgrade of the Collector Agent, steps 1.3-1.4 have to be reapplied.
The following two steps (2 and 3) are only valid for the DC Agent mode. If using event log polling instead, these may be skipped.
2) Install/uninstall/upgrade DCAgent module:
2.1) The DCAgent must be installed on all DCs that are used, or will be used, for picking up user logons for FSSO.
2.2) Installing the DCAgent from the Collector Agent is a feature that requires the Collector Agent services to run under an account with domain administrator permissions.
The Collector Agent needs to connect to remote DCs, add/modify registry entries, and copy DLL file(s) to the Windows system directory.
This requirement can be avoided by manually installing the DCAgent application on each DC. See the next step.
2.3) Manual installation of the DCAgent can be started by running DCAgent_Setup on the DC in question.
DCAgent_Setup_5.0.0282.exe: executable installation file for 32-bit architecture
DCAgent_Setup_5.0.0282.msi: MSI package for 32-bit architecture
DCAgent_Setup_5.0.0282_x64.exe: executable installation file for 64-bit architecture
DCAgent_Setup_5.0.0282_x64.msi: MSI package for 64-bit architecture
Note: After a Collector Agent upgrade, the DCAgent has to be manually upgraded.
An upgrade of the DCAgent will require a reboot as the DCAgent core component is a DLL (“dcagent.dll”) hooked into the system.
See the KB in the "Related Articles" field for more information about upgrade instructions.
Note: The manual installation needs to run with the privileges of an account that is a member of Local Administrators or Domain Administrators.
3) Limitations when the Collector Agent uses limited access permissions in DCAgent operation mode:
3.1) The Collector Agent will not be able to check the DCAgent status, so a '?' is expected to be shown next to the DCAgent under "DC Agent Status"\"Select DC to Monitor".
3.2) All DCAgent registry changes, such as the ignore list, have to be updated manually on each DC (for example: [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent\ignore_list])
3.3) This will not prevent DCAgent from sending login events to the Collector Agent.
4) A primary function (common to all operation modes) is to access the AD and poll users' group membership. In these example lab tests, the default "Domain Users" group has such privileges.
5) Permission restrictions for the Collector Agent in WinSec and WMI modes:
5.1) In these modes, the Collector Agent needs to be able to log in to the DC and poll event logs. This requires the service account to be a member of "Event Log Reader".
6) "Event Log Reader" is also required when a FortiGate is configured in Polling mode.
7) Additional restriction in the Collector Agent configuration:
It is a best practice to include the Collector Agent service account under the “Ignore User List”.
This is a domain account, but it is not expected that users will use this account. It also does not require internet access and login events could be ignored.
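One way to verify the limited-permission profile described in steps 2.2, 5.1 and 6 for the polling modes. This is an added example, not Fortinet code. It assumes the RSAT ActiveDirectory module, the built-in AD group named "Event Log Readers", and a hypothetical service account `svc-fsso`; the function name is also hypothetical.

```powershell
# Added example: audit the Collector Agent service account's group membership.
Import-Module ActiveDirectory

function Test-FssoServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder account name
        [string[]] $Required  = @('Event Log Readers'),    # needed for event log polling
        [string[]] $Forbidden = @('Domain Admins', 'Administrators')
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # Escape characters that are special in an LDAP filter (RFC 4515).
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested
    # membership, so admin rights inherited through another group are caught.
    # Only groups in the current domain are searched.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty Name)

    # The primary group (normally "Domain Users") is not stored in "member".
    $groups += (Get-ADGroup -Identity $user.PrimaryGroup).Name

    [pscustomobject]@{
        Account          = $user.SamAccountName
        Groups           = $groups | Sort-Object -Unique
        MissingRequired  = @($Required  | Where-Object { $_ -notin $groups })
        ForbiddenPresent = @($Forbidden | Where-Object { $_ -in $groups })
    }
}

$result = Test-FssoServiceAccount -SamAccountName 'svc-fsso'
$result | Format-List

if ($result.MissingRequired -or $result.ForbiddenPresent) {
    Write-Warning 'Service account does not match the limited-permission profile.'
}
```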