FSSO Advanced with DC Agents - Is there a way to track IP changes

Author
Grasmuis
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/08/17 08:03:26
  • Status: offline
2017/08/18 00:52:56 (permalink)
0

FSSO Advanced with DC Agents - Is there a way to track IP changes

Hi All
 
I have a customer with Advanced FSSO and DC Agents, all seem to be working fine. Some of their users switch between LAN and WiFi without logging out of their system - picking their laptop up and walking to a different building and into a different subnet. Subsequently the FSSO loses the AD Account and IP pairing and naturally their traffic is marked as 'Guest' (valid internal IP, no authentication as source).
 
They are not using the FortiAPs.
 
What are my options in getting their browsing to work seamlessly when moving between LAN and WiFi subnets?
 
Edit: Just as an added note here, I've read other threads from years ago that refer to enabling NTLM, DNS or DHCP tweaks, etc. Are these solutions still valid? Would the FSSO software not been updated since then? Is there a more recent thread that discusses this issue?
 
Any pointers-in-the-right-directions are appreciated!
post edited by Grasmuis - 2017/09/05 03:21:52
#1


    alago
    New Member
    • Total Posts : 20
    • Scores: 5
    • Reward points: 0
    • Joined: 2017/06/04 11:45:32
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 05:43:15 (permalink)
    4 (1)
    Hello Grasmuis!
     
    Is your DHCP service running on a Windows Server integrated with your local domain? If yes, the FSSO should be receiving the IP change information through the updates your DHCP does on your AD DNS.
     
    If you need to enable NTLM you must do so through the CLI, editing the firewall rules with the FSSO groups.
     
    config firewall policy
    edit policy_id
    set ntlm enable
    end
     
    Enable the debug level in the FSSO Collector in order to find out more information that can help us come to a better conclusion.
     
     
    #2
    Grasmuis
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/08/17 08:03:26
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 05:59:29 (permalink)
    0
    Hi Alago
     
    I've done some more research on the matter since my post, but I'm still getting the same issue.
     
    I did enable NTLM on all the policies containing the FSSO groups.
     
    According to the customer, whether they switch between wireless or wired connection, they are always able to ping the DNS entry (unsure whether this refers to the PC name or the AD Account). So it seems that, on their end at least, the DNS is updated when the workstation switches between wired and wireless IPs.
     
    I should also mention that, with the workstation only using either wired or wireless, with the other disabled completely, everything is working fine. It's only on those workstations where users switch between the two mediums.
     
    I might be asking this question incorrectly, but : What do people mean when they talk about the DNS entry that DHCP generates, is it the PC name, or the AD Account name that gets a DNS entry? And, is this the only thing that the FSSO needs to update the "logon user" list if a change happens?
    #3
    Agent 1994
    Bronze Member
    • Total Posts : 40
    • Scores: 3
    • Reward points: 0
    • Joined: 2016/08/03 09:15:51
    • Location: Rosario, Santa Fe, Argentina
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 06:32:44 (permalink)
    5 (1)
    JacquesSA
     
    I might be asking this question incorrectly, but : What do people mean when they talk about the DNS entry that DHCP generates, is it the PC name, or the AD Account name that gets a DNS entry? And, is this the only thing that the FSSO needs to update the "logon user" list if a change happens?




    FSSO knows the workstation name and every 60 seconds (default) will look it up to see if the IP changed.
    In theory, the switch from wifi to wired -and vice versa- should be seen within 60 seconds.
     
    The thing about Windows DHCP + DNS is that the workstation should register itself on the DNS server via a dynamic update. If it does that, the owner of the DNS record is the workstation (just like when you create a file and you're its owner). Windows DHCP server has the option of registering DNS records on behalf of the workstation when it doesn't support dynamic updates... or it can always do that if you configure it to do so.
     
     Then... let's say that the DHCP on "segment A" registered the record on behalf of the workstation, then you switch to "segment B" where workstations register themselves on DNS... they won't be able to because the DNS record is owned by the DHCP server.
     
     If you can see the IP change when you do an nslookup from the collector, it should be working.
    #4
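A defender-side check for the lookup described above (the collector resolving each logon's workstation name and comparing it with the IP it holds), added here as an illustration and not code from the thread or from Fortinet. It assumes you can export the collector's logon list and the DHCP leases into the simple tuples/dicts shown; the sample data is constructed.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample data (not from the thread's environment): what the FSSO
# collector currently holds (user, workstation, IP), what AD DNS answers for
# the workstation name, and what the DHCP lease says the workstation has now.
FSSO_LOGONS = [
    ("CORP\\alice", "LT-ALICE", "10.10.1.25"),
    ("CORP\\bob",   "LT-BOB",   "10.10.1.40"),
    ("CORP\\carol", "LT-CAROL", "10.10.1.77"),
    ("CORP\\dave",  "LT-DAVE",  "10.10.1.90"),
]
DNS_ANSWERS = {"LT-ALICE": "10.10.1.25", "LT-BOB": "10.10.2.140", "LT-CAROL": "10.10.1.77"}
DHCP_LEASES = {"LT-ALICE": "10.10.1.25", "LT-BOB": "10.10.2.140", "LT-CAROL": "10.10.2.151"}


def live_lookup(host: str) -> Optional[str]:
    """Resolve a workstation name with the host's resolver, as the collector does every poll."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def table_lookup(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Resolver backed by a dict so the check can run offline against constructed data."""
    return lambda host: table.get(host)


def classify(fsso_ip: str, dns_ip: Optional[str], lease_ip: Optional[str]) -> str:
    if dns_ip is None:
        return "no-dns-record"   # nothing for the collector to poll; the logon will age out
    if lease_ip is not None and lease_ip != dns_ip:
        return "dns-stale"       # DNS not updated on IP change (e.g. record owned by another DHCP server)
    if dns_ip != fsso_ip:
        return "fsso-lagging"    # DNS already moved; collector should catch up on its next poll
    return "ok"


def audit(logons: List[tuple], resolver: Callable[[str], Optional[str]],
          leases: Dict[str, str]) -> List[dict]:
    """One row per logon with the three observed IPs and a verdict."""
    report = []
    for user, host, fsso_ip in logons:
        dns_ip, lease_ip = resolver(host), leases.get(host)
        report.append({"user": user, "host": host, "fsso": fsso_ip, "dns": dns_ip,
                       "lease": lease_ip, "status": classify(fsso_ip, dns_ip, lease_ip)})
    return report


if __name__ == "__main__":
    for r in audit(FSSO_LOGONS, table_lookup(DNS_ANSWERS), DHCP_LEASES):
        print(f"{r['status']:14} {r['user']:12} {r['host']:9} fsso={r['fsso']} dns={r['dns']} lease={r['lease']}")
```

Swap `table_lookup(DNS_ANSWERS)` for `live_lookup` on the collector host to compare real DNS answers; a run of `dns-stale` rows points at the record-ownership problem rather than at the collector.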
    Grasmuis
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/08/17 08:03:26
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 06:38:25 (permalink)
    0
    So if I'm understanding this correctly, it's about who the 'owner' of the DNS record is. If it's the workstation, whether it changes between wired or wireless, the workstation will update the DNS record with its IP and the FSSO will 'see' this update, but if the owner is the DHCP server, when the workstation changes IP, FSSO doesn't read the update?
     
    If the latter is the case, then the customer needs to make changes to the DHCP so that it does not register the DNS, but rather that the workstation registers the DNS?
     
    #5
    alago
    New Member
    • Total Posts : 20
    • Scores: 5
    • Reward points: 0
    • Joined: 2017/06/04 11:45:32
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 06:45:46 (permalink)
    5 (1)
    Hi
     
    What do people mean when they talk about the DNS entry that DHCP generates, is it the PC name, or the AD Account name that gets a DNS entry?
    When you join a PC to a Windows Domain, an A entry is automatically created for this PC in your DNS. If your DHCP is running on a Windows server integrated with this domain, every time you have an IP change your DNS updates this A entry as well. That's why you can always resolve the hostname to the correct IP address.
     
    And, is this the only thing that the FSSO needs to update the "logon user" list if a change happens?
    Actually the FSSO doesn't update anything. The FSSO collector receives that update from the DC agents and sends it to the Fortigate.
     
    So, if you have a fully functional DHCP and AD DNS your FSSO should be working just fine.
     
    Did you install the DC Agent on every domain controller?
    Is your FSSO collector installed on a Windows server integrated with your local domain but without the domain controller function (e.g. Print Server, IIS...)?
    Do you have any firewall enabled between FSSO Collector, DC agents and Fortigate?
    Can you send a debug log from the FSSO Collector?
     
    Thanks in Advance
     
    #6
    Agent 1994
    Bronze Member
    • Total Posts : 40
    • Scores: 3
    • Reward points: 0
    • Joined: 2016/08/03 09:15:51
    • Location: Rosario, Santa Fe, Argentina
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 06:46:12 (permalink)
    4 (1)
    JacquesSA
    So if I'm understanding this correctly, it's about who the 'owner' of the DNS record is. If it's the workstation, whether it changes between wired or wireless, the workstation will update the DNS record with it's IP and the FSSO will 'see' this update, but if the ownder is the DHCP server, when the workstation changes IP, FSSO doesn't read the update?
     
    If the latter is the case, then the customer needs to make changes to the DHCP so that it does not register the DNS, but rather that the workstation registers the DNS?


    Yes, you may have this problem if the DNS records are not being updated when you switch from wired to wireless or vice versa (we had this problem at a customer's).
     
    Check if they're being updated, if they aren't take a look at this: https://technet.microsoft...dd334715(v=ws.10).aspx
    #7
    Grasmuis
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/08/17 08:03:26
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 08:19:28 (permalink)
    0
    @alago
     
    FortiOS = 5.4.3
    Collector agent installed in Advanced on their largest DC, DC agents installed in 3 other DCs. All show up on 'monitored DCs' tab.
    No other firewalls between DCs and Collector, nor between Collector and FortiGate.
    Attached debug log from the Forti, struggling to get a debug log from the remote machine, but will try to do so as soon as I am able (though that will most likely only be tomorrow).
     
    @Agent 1994
     
    Thanks for explaining that, if that's the case, I'll ask our network team to investigate their DHCP/DNS to confirm it's set up correctly.
    #8
    alago
    New Member
    • Total Posts : 20
    • Scores: 5
    • Reward points: 0
    • Joined: 2017/06/04 11:45:32
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/05 09:33:15 (permalink)
    5 (1)
    Hi,
     
    Collector agent installed in Advanced on their largest DC, DC agents installed in 3 other DCs. All show up on 'monitored DCs' tab.
    It's a best practice to install the FSSO Collector on a non Domain Controller server.
     
    No other firewalls between DCs and Collector, nor between Collector and FortiGate.
    Not even the Windows Firewall? Please check if you have access to ports 389, 3268, 8002 from Fortigate to FSSO collector.
     
    2017-09-05 15:59:06 _event_error[Local FSSO Agent]: error occurred in read: Connection refused
    Viewing your log, it seems to me that you have polling mode activated on your Fortigate.
     
    Please take a look at @xsilver_FTNT's answer in this thread: https://forum.fortinet.com/tm.aspx?m=140867
     
    Hope it helps. If not, I'll wait for the collector debug log.
     
     
     
     
    #9
    Grasmuis
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/08/17 08:03:26
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/12 01:55:36 (permalink)
    0
    @Alago
     
    Sorry for the long wait, took a while to find someone who could get the log files for me. Had to cut the file a bit to keep under 200KB.
     
    Telnetting from the Fortigate, I can access the server where the Collector is on ports 389 and 3268 but *not* 8002.
     
    As for the Polling on the Fortigate, it shouldn't be running:
     
    # diagnose debug fsso-polling detail
    fsso daemon is not running

    #diagnose debug authd fsso server-status

    2017-09-12 10:45:59
    Server Name                          Connection Status     Version
    -----------                          -----------------     -------
    2017-09-12 10:45:59 RBK_FSSO                             connected             FSSO 5.0.0254
    2017-09-12 10:45:59 Local FSSO Agent                     waiting for retry     FSAE server 1.1
    2017-09-12 10:45:59 RBK_FSSO_LDAP                        connected             FSSO 5.0.0254
     
     
    Checked FSSO configs to be sure, definitely did not select polling when setting it up. The checkbox for that option isn't even present in my GUI.
     
    Are there any diagnose commands I can run to provide more information?
    #10
    romanr
    Platinum Member
    • Total Posts : 850
    • Scores: 14
    • Reward points: 0
    • Joined: 2004/06/08 08:29:56
    • Location: Vienna/Austria
    • Status: offline
    Re: FSSO Advanced with DC Agents - Is there a way to track IP changes 2017/09/12 03:07:07 (permalink)
    0
    JacquesSA
     Some of their users switch between LAN and WiFi without logging out of their system - picking their laptop up and walking to a different building and into a different subnet.



    Hey,
     
    my 2 cents: the only way to really reliably handle this is to use the SSO Agents on the clients and the FAC, which will result in additional licensing costs...
     
     
    Br,
    Roman
    #11