Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

FSSO and Windows Server DNS

Hi experts,

I am troubleshooting an issue with FSSO and usernames, and I realized that the customer's DNS, where the FSSO is installed, is a mess: some workstations have 2 IPs (2 A records), others have 6 IPs, and most of them have wrong IP addresses (wrong A records). I would like to know if this is the main thing I have to troubleshoot, or if this is the repository that the collector agent is fed from to link usernames and IP addresses. Can you please confirm?

Regards,

Julián

Fishbone_FTNT

Hi Julian,

DNS workstation resolution is absolutely critical for FSSO. If forward entries are wrong, so will FSSO logons be. Basically, the workstation name in the logon list is periodically rechecked (forward DNS) based on the "IP verification interval" setting in the FSSO CA list. It's a separate thread doing just this.

Fishbone)(

smithproxy hacker - www.smithproxy.org

fjulianom

Hi Fishbone,

Thanks for your interest. Two more questions about this:

1. How does the collector agent know the IP address of the username? I know the collector agent uses a DNS server to associate usernames with IP addresses, but the DNS server has workstations and IP addresses, not usernames.

2. What happens when there are multiple A records of different dates for the same IP address? Which A record does the collector agent use? The newest one? The first one it finds?

Regards,

Julián

Fishbone_FTNT

Hi Julian,

> How does the collector agent know the IP address of the username?

First of all, the collector gets logon info from a) DCAgent/TSAgent or b) the poller thread, which polls the DC directly for logon events from the security event log. The collector remembers, as the key component, the workstation name and the username logged on to it. This is a very important concept of the FSSO CA, and of FSSO generally. One workstation can be associated with up to 4 IP addresses at once.

IP check thread:

The workstation is periodically resolved to get the IP addresses of that workstation. All changes detected are immediately reflected in the logon list on the FSSO CA, and of course also on all FSSO clients connected - the FortiGates.

Workstation check thread:

To keep track of whether the user is still logged on, we have a separate thread in the FSSO CA. It also iterates the logon list and attempts to connect to all workstations in it. It uses WMI or RRA. If it succeeds in connecting and the user is there, the FSSO CA maintains the workstation's status as OK (it is sufficient to connect to a single IP address belonging to the workstation to claim all IP addresses of that workstation OK). If it can't connect, the workstation status transitions to 'Not Verified'. In this state it takes the "Dead entry timeout interval" to remove the workstation from the logon list.

> What happens when there are multiple A records of different dates for the same IP address?

If one DNS A entry points to the same IP address as another, it could be a problem, and I think the logon will be removed from the previously learned workstation in favor of the new one.

This is, however, generally a problem on the DNS side; such a situation should not happen to workstations.

Fishbone)(

smithproxy hacker - www.smithproxy.org

fjulianom

Hi Fishbone,

 

Very good explanation.

Then I understand the collector agent resolves the workstation IP address, and then knows which IP address belongs to that username, since the collector knows the workstation name and the username logged on to it.

1. How does the collector agent resolve the workstation IP address? Through the DNS server, right?

2. What do you exactly mean by "This is however generally the problem on DNS side, such a situation should not happen to workstations."?

Many thanks for your help,

Julián

Fishbone_FTNT

Hi Julian,

> 1. How does collector agent resolve workstation IP address? Through DNS server, right?

Yep. It uses the system DNS services. If you go to "Advanced" settings, you can specify your own set of DNS servers (separated by semicolons). You can also specify additional DNS domain suffixes, for example if you have a more complicated DNS, where a workstation could be e.g. WKS1.domain, or also WKS1.sub.domain.

> 2. What do you exactly mean with "This is however generally the problem on DNS side, such a situation should not happen to workstations."?

Yeah, not a really precise answer. I meant simply that if two workstation records point to a single IP address, it's an issue in DNS and should be fixed.

Generally speaking, if you hit an issue, check:

1/ workstation DNS (issues with DNS updates)

2/ workstation verify status. If 'Not Verified', make adjustments so the FSSO CA can reach WMI/RRA on the workstation, so the workstation remains in the OK state and is not removed after expiry.

In long-term maintenance:

1/ use syslog for logging (yes, it supports syslog logging, no huge logs on the system drive anymore)

2/ observe and fix 'Not Verified' workstations to the state where you have good confidence that 'Not Verified' means a host unplugged from the network and not just an unreachable WMI service

3/ be aware that detection can be slower than the user; the logon can reach the FortiGate later than the user's PC activity - have fallback authentication (e.g. NTLM).

Fishbone)(

smithproxy hacker - www.smithproxy.org
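
The two checks Fishbone lists (workstation DNS first, then the workstation verify status), together with the mechanism described in the earlier answer (the collector resolves the workstation name by forward DNS and then reaches it over WMI), can be scripted from the collector agent host. The PowerShell below is an added example and is not part of this thread or of Fortinet's FSSO tooling. It audits the forward zone the collector resolves names against for the exact conditions discussed (several A records per host, one IP shared by several hosts, stale dynamic records), then resolves each host the way the collector does and tries WMI against every address. It assumes Windows PowerShell 5.1 with the DnsServer RSAT module, an account allowed to query the DNS server and to reach WMI (DCOM/RPC) on the workstations; the zone name, server name, host names and thresholds are placeholders.

```powershell
# Added example (not from the forum thread or Fortinet): audit the forward DNS
# zone the FSSO collector agent resolves workstation names against, and test
# the WMI access its workstation-check thread depends on.
# Assumes Windows PowerShell 5.1, the DnsServer RSAT module, and credentials
# allowed to query the DNS server and to reach WMI (DCOM, TCP/135) on the hosts.
# Zone, server, host names and thresholds below are placeholders.

Import-Module DnsServer -ErrorAction Stop

function Get-FssoDnsProblems {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'localhost',
        [int]$MaxIpsPerHost = 4,     # the collector tracks at most 4 IPs per workstation
        [int]$StaleDays = 14         # dynamic records older than this are suspect
    )
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType A |
        Where-Object { $_.HostName -ne '@' }

    # 1. One host name, several A records: every address inherits the user's identity,
    #    so a stale one hands that identity to whoever now holds the IP.
    foreach ($g in ($records | Group-Object HostName | Where-Object { $_.Count -gt 1 })) {
        $kind = if ($g.Count -gt $MaxIpsPerHost) { 'TooManyARecords' } else { 'MultipleARecords' }
        [pscustomobject]@{
            Problem = $kind
            Host    = $g.Name
            Detail  = ($g.Group | ForEach-Object { '{0} ({1})' -f $_.RecordData.IPv4Address, $_.Timestamp }) -join ', '
        }
    }

    # 2. Several host names, one IP: the case the answer above says is likely to drop
    #    the earlier workstation's logon in favour of the newer one.
    foreach ($g in ($records | Group-Object { $_.RecordData.IPv4Address.IPAddressToString } | Where-Object { $_.Count -gt 1 })) {
        [pscustomobject]@{
            Problem = 'SharedIp'
            Host    = ($g.Group.HostName -join ', ')
            Detail  = $g.Name
        }
    }

    # 3. Dynamic records with an old timestamp: DNS updates/scavenging are not working.
    #    Static records carry no timestamp and are skipped.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($r in ($records | Where-Object { $_.Timestamp -and $_.Timestamp.Year -gt 1 -and $_.Timestamp -lt $cutoff })) {
        [pscustomobject]@{
            Problem = 'StaleRecord'
            Host    = $r.HostName
            Detail  = '{0} last updated {1:yyyy-MM-dd}' -f $r.RecordData.IPv4Address, $r.Timestamp
        }
    }
}

function Test-FssoWorkstation {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        # Forward lookup through the system resolver, as the collector's IP-check thread does.
        $ips = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
        if ($ips.Count -eq 0) {
            [pscustomobject]@{ Host = $name; IP = $null; Status = 'NoForwardDns'; WmiHost = $null; LoggedOnUser = $null; Error = $null }
            continue
        }
        $expected = $name.Split('.')[0]
        foreach ($ip in $ips) {
            try {
                # Same DCOM/RPC path the collector uses for its WMI check. The collector is
                # satisfied by any one reachable IP; here each address is checked on its own,
                # and a machine answering under a different name exposes a stale A record.
                $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ip -ErrorAction Stop
                $status = if ($cs.Name -ieq $expected) { 'OK' } else { 'WrongHost' }
                [pscustomobject]@{ Host = $name; IP = $ip; Status = $status; WmiHost = $cs.Name; LoggedOnUser = $cs.UserName; Error = $null }
            } catch {
                # This is what the collector sees as 'Not Verified' (firewall, WMI disabled, host off).
                [pscustomobject]@{ Host = $name; IP = $ip; Status = 'NotVerified'; WmiHost = $null; LoggedOnUser = $null; Error = $_.Exception.Message }
            }
        }
    }
}

# Usage (placeholder zone, DNS server and hosts):
Get-FssoDnsProblems -ZoneName 'corp.example' -DnsServer 'dc1.corp.example' | Format-Table -AutoSize
Test-FssoWorkstation -ComputerName 'WKS1.corp.example', 'WKS2.corp.example' | Format-Table -AutoSize
```

Run the first function against the zone the collector's "Advanced" DNS settings point at, and feed the hosts it flags into the second. A row with Status `WrongHost` is the dangerous case: the collector would still mark that workstation OK as long as one of its addresses answers, while the FortiGate keeps mapping the user to an IP that now belongs to another machine. Rows with `NotVerified` are the ones that will be dropped after the "Dead entry timeout interval", so they should be reduced to hosts that are genuinely off the network before relying on FSSO without fallback authentication.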

fjulianom

Hi Fishbone,

 

Very clear :)

Thanks very much for the explanation and your recommendations.

 

Regards,

Julián
