Chapter 3 Authentication for FortiOS 5.0 : Agent-based FSSO : Troubleshooting FSSO : After initial configuration, there is no connection to the Collector agent : Solution
  
Solution
If there are no network problems that can be identified, try the following solutions.
The Windows AD network must be configured before configuring the FortiGate unit. This includes the domain controller (DC) agents and the Collector agents.
Ensure the DC agents point to the correct Collector agent IP address and port.
Ensure that TCP port 8000 (FortiGate unit to Collector agent) and UDP port 8002 (DC agent to Collector agent) are not blocked.
FSSO is very dependent on DNS. Ensure the forward DNS zone has no stale records, and if a host's entry is missing from the zone after it is added to the domain, add it.
An error in the Distinguished Name (DN) field on the FortiGate unit will prevent connections. Select the browse button next to the field to confirm that the FortiGate unit can connect to the Windows AD server and return information. See
If the Secure Connection check box is selected, ensure that LDAP v3 is being used, since earlier LDAP versions do not support TLS connections.
Ensure that the default LDAP ports are not blocked on the network: TCP port 389 (LDAP) and TCP port 636 (LDAPS). If you change the default ports, ensure that both the FortiGate unit and the Windows AD server use the same port numbers and that those ports are allowed through all firewalls on your network.
If you are using FSSO in polling mode, ensure that TCP port 445 is not blocked by firewalls between the polling host and the domain controllers, since polling reads the domain controller event logs over that port.
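The checks above can be scripted so that they are run the same way every time. The following is an added example, not Fortinet's own tooling and not part of the original guide: it builds the port plan for agent-based FSSO (with the extra port 445 check for polling mode), resolves the Collector agent and domain controller names, tests TCP reachability, and sanity-checks the Distinguished Name before it is typed into the FortiGate LDAP server page. The host names, the `run_checks` function and the check names are assumptions for illustration; UDP 8002 cannot be confirmed with a connect call, so it is reported as "verify on the firewall" rather than tested.

```python
"""Hypothetical FSSO connectivity checklist (example code, not Fortinet's own).

Run from an administration host that can reach the Collector agent and a
domain controller. A pass here shows the ports are open from this host; the
FortiGate unit's own path may still be filtered, so confirm with the browse
button on the LDAP server page as well.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCheck:
    proto: str
    port: int
    src: str
    dst: str
    purpose: str


def fsso_port_plan(polling_mode, ldap_port=389, ldaps_port=636):
    """Ports agent-based FSSO needs, in the direction they are opened."""
    plan = [
        PortCheck("tcp", 8000, "FortiGate", "Collector agent", "FortiGate to Collector agent"),
        PortCheck("udp", 8002, "DC agent", "Collector agent", "DC agent logon events"),
        PortCheck("tcp", ldap_port, "FortiGate", "Windows AD", "LDAP group lookup"),
        PortCheck("tcp", ldaps_port, "FortiGate", "Windows AD", "LDAP over TLS"),
    ]
    if polling_mode:
        plan.append(PortCheck("tcp", 445, "Collector agent", "Domain controller", "event log polling"))
    return plan


def resolve(host):
    """Forward-resolve a name; an empty list means the DNS zone is missing the record."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dn_from_domain(fqdn):
    """Build the base DN for a domain, e.g. example.com -> dc=example,dc=com."""
    labels = [label for label in fqdn.strip().strip(".").split(".") if label]
    return ",".join("dc=%s" % label for label in labels)


def validate_dn(dn):
    """Return a list of problems with a DN as typed into the FortiGate LDAP page."""
    problems = []
    if not dn.strip():
        return ["DN is empty"]
    rdns = dn.split(",")
    if "=" not in dn and "." in dn:
        # Common mistake: the DNS domain name instead of an LDAP DN.
        return ["looks like a DNS name, expected e.g. " + dn_from_domain(dn)]
    for rdn in rdns:
        if "=" not in rdn:
            problems.append("RDN %r is not attribute=value" % rdn)
            continue
        attr, value = rdn.split("=", 1)
        if not attr.strip() or not value.strip():
            problems.append("RDN %r has an empty attribute or value" % rdn)
    if not any(rdn.strip().lower().startswith("dc=") for rdn in rdns):
        problems.append("no dc= components; the domain suffix is missing")
    return problems


def run_checks(collector, dc, polling_mode=False, ldap_port=389, ldaps_port=636):
    """Run the checklist; values are True/False, or None where it cannot be tested here."""
    targets = {"Collector agent": collector, "Windows AD": dc, "Domain controller": dc}
    results = {"dns:collector": bool(resolve(collector)), "dns:dc": bool(resolve(dc))}
    for chk in fsso_port_plan(polling_mode, ldap_port, ldaps_port):
        key = "%s/%d %s->%s (%s)" % (chk.proto, chk.port, chk.src, chk.dst, chk.purpose)
        if chk.proto != "tcp":
            results[key] = None  # UDP: confirm on the firewall policy and in the Collector agent log
            continue
        results[key] = tcp_reachable(targets[chk.dst], chk.port)
    return results


if __name__ == "__main__":
    # Usage: python fsso_check.py <collector-host> <dc-host> [polling]
    collector_host, dc_host = sys.argv[1], sys.argv[2]
    polling = len(sys.argv) > 3 and sys.argv[3] == "polling"
    for name, ok in run_checks(collector_host, dc_host, polling).items():
        print("%-60s %s" % (name, {True: "OK", False: "FAIL", None: "verify on firewall"}[ok]))
```

Because a workstation's route to the domain controllers is not the FortiGate unit's route, treat a FAIL as a definite problem and an OK as necessary but not sufficient; the browse button on the LDAP server page is the test that exercises the FortiGate unit's own path.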