Monitoring user logon events | By default, this is enabled to automatically authenticate users as they log on to the Windows domain. Disable the Monitor feature only if you have a large network where this feature will slow responses too much. | |
Support NTLM authentication | By default, this is enabled to facilitate logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons. | |
Collector Agent Status | Shows RUNNING when Collector agent is active. | |
Listening ports | You can change FSSO Collector Agent related port numbers if necessary. | |
FortiGate | TCP port for FortiGate units. Default 8000. | |
DC Agent | UDP port for DC Agents. Default 8002. | |
Logging | ||
Log level | Select the minimum severity level of logged messages. | |
Log file size limit (MB) | Enter the maximum size for the log file in MB. | |
View Log | View all Fortinet Single Sign On agent logs. | |
Log logon events in separate logs | Record user login-related information separately from other logs. The information in this log includes • data received from DC agents • user logon/logoff information • workstation IP change information • data sent to FortiGate units | |
View Logon Events | If Log logon events in separate logs is enabled, you can view user login-related information. | |
Authentication | ||
Require authenticated connection from FortiGate | Select to require the FortiGate unit to authenticate before connecting to the Collector agent. | |
Password | Enter the password that FortiGate units must use to authenticate. The maximum password length is 16 characters. The default password is “fortinetcanada”. | |
Timers | ||
Workstation verify interval (minutes) | Enter the interval in minutes at which the Fortinet Single Sign On Collector agent connects to client computers to determine whether the user is still logged on. The default is every 5 minutes. The interval may be increased if your network has too much traffic. Note: This verification process creates security log entries on the client computer. If ports 139 or 445 cannot be opened on your network, set the interval to 0 to prevent checking. See “Configuring FSSO ports”. | |
Dead entry timeout interval | Enter the interval in minutes after which Fortinet Single Sign On Agent purges information for user logons that it cannot verify. The default is 480 minutes (8 hours). Dead entries usually occur because the computer is unreachable (such as in standby mode or disconnected) but the user has not logged off. A common reason for this is when users forget to logoff before leaving the office for the day. You can also prevent dead entry checking by setting the interval to 0. | |
IP address change verify interval | Fortinet Single Sign On Agent periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change. IP address verification prevents users from being locked out if they change IP addresses, as may happen with DHCP assigned addresses. Enter the verification interval in seconds. The default is 60 seconds. You can enter 0 to prevent IP address checking if you use static IP addresses. This does not apply to users authenticated through NTLM. | |
Cache user group lookup result | Enable caching. Caching can reduce group lookups and increase performance. | |
Cache expire in (minutes) | Fortinet Single Sign On Agent caches group information for logged-in users. Enter the duration in minutes after which the cache entry expires. If you enter 0, the cache never expires. A long cache expire interval may result in more stale user group information. This can be an issue when a user’s group information is changed. | |
Clear Group Cache | Clear group information of logged-in users. This affects all logged-in users, and may force them to re-logon. |
To view the version and build number information for your FSSO Collector Agent configuration, selecting the Fortinet icon in the upper left corner of the Collector agent Configuration screen and select About Fortinet Single Sign On Agent configuration. |