The FSSO_Setup file contains both the Collector agent and DC Agent installers, but the DC Agent installer is also available separately as either a .exe or .msi file named DCAgent_Setup.
To install the DC Agent
1. If you have just installed the Collector agent, the FSSO - Install DC Agent wizard starts automatically. Otherwise, go to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent.
2. Select Next.
3. Read and accept the license agreement. Select Next.
4. Optionally, you can change the installation location. Select Next.
5. Enter the Collector agent IP address.
6. If the Collector agent computer has multiple network interfaces, ensure that the one that is listed is on your network. The listed Collector agent listening port is the default. Only change this if the port is already used by another service.
7. Select Next.
8. Select the domains to monitor and select Next.
9. If any of your required domains are not listed, cancel the wizard and set up the proper trusted relationship with the domain controller. Then run the wizard again by going to Start > Programs > Fortinet > Fortinet Single Sign On Agent > Install DC Agent.
10. Optionally, select users that you do not want monitored. These users will not be able to authenticate to FortiGate units using FSSO. You can also do this later. See Configuring the FSSO Collector agent for Windows AD on page 144.
11. Select Next.
12. Optionally, clear the check boxes of domain controllers on which you do not want to install the DC Agent.
13. Select the Working Mode as DC Agent Mode. While you can select Polling Mode here, in that situation you would not be installing a DC Agent. For more information, see DC Agent mode on page 131 and Polling mode on page 132.
14. Select Next.
15. Select Yes when the wizard requests that you reboot the computer.
If you reinstall the FSSO software on this computer, your FSSO configuration is replaced with default settings.
If you want to create a redundant configuration, repeat the Collector agent installation procedure on at least one other Windows AD server.
When you start to install a second Collector agent, cancel the Install Wizard dialog when it appears the second time. In the configuration GUI, the monitored domain controller list shows your domain controllers unselected. Select the ones you wish to monitor with this Collector agent, and select Apply.
Before you can use FSSO, you need to configure it on both Windows AD and on the FortiGate units. Configuring FSSO on FortiGate units on page 163 will help you accomplish these two tasks.
Installing FSSO without using an administrator account
Normally when installing services in Windows, it is best to use the Domain Admin account, as stated earlier. This ensures installation goes smoothly and uninterrupted, and when using the FSSO agent there will be no permissions issues. However, it is possible to install FSSO with a non-admin account in Windows 2003 or 2008 AD.
The following instructions for Windows 2003 are specific to the event log polling mode only. Do not use this procedure with other FSSO configurations.
Windows 2003
There are two methods in Windows 2003 AD for installing FSSO without an admin account — add the non-admin user to the security log list, and use a non-admin account with read-only permissions. A problem with the first method is that full rights (read, write, and clear) are provided to the event log. This can be a problem when audits require limited or no write access to logs. In those situations, the non-admin account with read-only permissions is the solution.
To add the non-admin user account to the Windows 2003 security log list:
1. Go to Default Domain Controller Security Settings > Security Settings > User Rights Assignment > Manage auditing and security log.
2. Add the user account to this list.
3. Repeat these steps on every domain controller in Windows 2003 AD.
A reboot is required.
To use a non-admin account with read-only permissions to install FSSO on Windows 2003:
The following procedure gives the specified user account read-only access to the Windows 2003 AD Domain Controller Security Event Log, which is all that FSSO needs to function.
1. Find out the SID of the account you intend to use.
Tools for this can be downloaded for free from http://technet.microsoft.com/en-us/sysinternals/bb897417.
2. Then create the permission string. For example:
- (A;;0x1;;;S-1-5-21-4136056096-764329382-1249792191-1107)
- A means Allow,
- 0x1 means Read, and
- S-1-5-21-4136056096-764329382-1249792191-1107 is the SID.
3. Then, append it to the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD
4. Repeat these steps on every domain controller in Windows 2003 AD.
A reboot is required.
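The ACE string from step 2 is one entry in the SDDL that CustomSD holds. The following added example (not Fortinet's code, and not something the manual ships) builds that entry for a given SID, appends it to an existing CustomSD value without duplicating it, and checks that no Allow entry for that SID carries the write (0x2) or clear (0x4) bits, which is the audit concern the section raises. The sample CustomSD value and the helper names are constructed for illustration; the SID is the one used on the page.

```python
import re

# Event-log access-mask bits inside an SDDL ACE (0x1 is the Read bit used on the page).
LOG_READ, LOG_WRITE, LOG_CLEAR = 0x1, 0x2, 0x4

# A domain/user SID looks like S-1-5-21-<domain parts>-<RID>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# ACE layout: (type;flags;rights;object_guid;inherit_guid;account_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

# Constructed sample resembling a Security log CustomSD value (hypothetical, not from a real host).
SAMPLE_CUSTOM_SD = "O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
FSSO_SID = "S-1-5-21-4136056096-764329382-1249792191-1107"  # SID from the page's example


def build_read_only_ace(sid: str) -> str:
    """Return the Allow/Read ACE for one account: (A;;0x1;;;<SID>)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID: {sid}")
    return f"(A;;0x{LOG_READ:x};;;{sid})"


def parse_aces(custom_sd: str) -> list:
    """Split a CustomSD string into dicts with the raw ACE and its fields."""
    return [{"raw": m.group(0), "type": m.group(1), "rights": m.group(3), "sid": m.group(6)}
            for m in ACE_RE.finditer(custom_sd)]


def rights_mask(rights: str) -> int:
    """Hex rights only; symbolic rights (e.g. 'GR') are returned as -1 (unknown)."""
    return int(rights, 16) if rights.lower().startswith("0x") else -1


def append_read_only_ace(custom_sd: str, sid: str) -> str:
    """Append the read-only ACE unless an identical entry is already present."""
    ace = build_read_only_ace(sid)
    return custom_sd if ace in custom_sd else custom_sd + ace


def excess_rights(custom_sd: str, sid: str) -> list:
    """Allow ACEs for this SID that grant more than Read (write/clear or unknown mask)."""
    bad = []
    for ace in parse_aces(custom_sd):
        mask = rights_mask(ace["rights"])
        if ace["type"] == "A" and ace["sid"] == sid and (mask < 0 or mask & (LOG_WRITE | LOG_CLEAR)):
            bad.append(ace["raw"])
    return bad
```

Applying the resulting string to the CustomSD registry value is still done with the tools the procedure describes; this script only prepares and checks the value.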
Windows 2008
In Windows 2008 AD, if you do not want to use the Domain Admin account, then the user account that starts the FSSO agent needs to be added to the Event Log Readers group.
A member of the Event Log Readers group has read-only access to the event log, which is the minimum right required for FSSO to work.