Dissolvable Agent
The Dissolvable Agent is an application that works on Windows, macOS or Linux hosts to identify them to FortiNAC. The agent scans them for compliance with an Endpoint Compliance Policy. This Agent is downloaded and installed on the host until the host passes the scan. The Agent then removes itself.
In a Windows environment, there are some operations that the Dissolvable Agent cannot perform unless the user has administrator privileges on the PC, such as, release and renew the IP address on the PC.
All version 2.2.6, 3.x and higher agents are signed except the Windows Dissolvable Agent. The Windows Dissolvable Agent is signed as of version 3.1.
Setup requirements and options
- Make sure the latest Agent Package is installed on the FortiNAC server.
- The Dissolvable Agent can be downloaded and installed by the user through the captive portal. The portal itself can be modified and personalized. Dissolvable Agent 3.1 (or higher) also has some settings in the portal under Agent > Dissolvable. See Portal configuration.
- If you are using Dissolvable Agent 3.X or higher, the FortiNAC appliance must be configured with SSL and must have a valid third party SSL certificate from a certificate authority. A self-signed certificate cannot be used.
- Dissolvable Agent Version 3.1 (or higher) discovers the server to which it should connect using DNS SRV records. If for any reason, it cannot discover the server, the user is presented with an option to enter either the URL or the FQDN of the server. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection. Depending on your configuration you may need to supply this information to users running the Dissolvable Agent. See and .
Host requirements and options
- See the Operating System for Hosts section, which is found under System Compatibility in the Release Notes.
- For an overview of the host registration and scanning process using the Dissolvable Agent, refer to .
Using the Dissolvable Agent
The Persistent Agent only works with the (Undefined variable: User_Guide.ProductAbbrev) Control Server and (Undefined variable: User_Guide.ProductAbbrev) Application Server pair or the (Undefined variable: User_Guide.ProductAbbrev) Server. If the (Undefined variable: User_Guide.ProductAbbrev) Control Server is not paired with the (Undefined variable: User_Guide.ProductAbbrev) Application Server, the Dissolvable Agent must be used. |
If you have chosen to use the Dissolvable Agent to scan Windows or macOS systems, the Dissolvable Agent is downloaded to the host. Once the Dissolvable Agent runs and the host has successfully passed the scan, the agent is removed from the host.
In a Windows environment, there are some operations that the Dissolvable Agent cannot perform unless the user has administrator privileges on the PC, such as, release and renew the IP address on the PC.
Registration
When an unknown host connects to the network and attempts to access the Internet, an entry in the DNS server redirects the host to the Login page for registration.
During registration FortiNAC determines which Endpoint Compliance Policy should be applied to this host based on the User/Host Profile that the connecting user and host match.
Endpoint Compliance Policies contain a series of requirements for hosts that want to access the network. Endpoint Compliance Policies contain scans that are configured by the Administrator and are run by the Agent. Policy requirements can include scans for specific Anti-Virus, Operating System version and Custom Scans. Custom Scans are created by the Administrator. These allow the administrator to scan for the existence of things such as, a specific file, a registry entry, an installer package, a specific process or a domain.
The Endpoint Compliance Policy determines which agent is made available to the user for download, such as Dissolvable or Persistent.
Hosts connecting to the network will go through the process outlined below:
Version 3.1 and higher
- User connects to the network and is placed in Registration. The registration web page is displayed.
- User downloads the Dissolvable Agent to the default downloads location for the operating system.
- Run the downloaded file and install it on the device.
- After the Dissolvabe Agent is installed, run the program. An Agent window is displayed and remains on the screen until the user closes it.
- The Dissolvable Agent uses the DNS SRV records to locate the appropriate FortiNAC server.
- If the Dissolvable Agent cannot locate the server, a message is displayed asking for the URL of the server. The user is presented with an option to enter either the URL or the FQDN of the server. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection.
-
The Agent window displays the results of the scan.
- If the host fails scan, a Rescan button is displayed allowing the user to Rescan after correcting any issues.
- When the host passes the scan, the user closes the Agent window and the Dissolvable Agent dissolves.
Version 3.0 and lower
- User connects to the network and is placed in Registration. The registration web page is displayed.
- User downloads the Dissolvable Agent to the default Downloads location for their operating system.
- Run the downloaded file and install it on the device.
- After the Dissolvable Agent is installed, run the program. An Agent window is displayed and remains on the screen until the user closes it.
-
Once the security check has completed, the results are stored in a results.html file on the computer and launched in a browser. If the host failed to meet the requirements of the Endpoint Compliance Policy, the results page lists the items that failed and passed. The user must correct the issues indicated in the results page and run the Dissolvable Agent again.
You can configure a link to a separate page that provides information about items that failed and what to do to correct the problem. Enter this link when you configure the policy. See Endpoint compliance policies for more information.
If you do not provide a link, modify the failure page to provide information for the user to correct the problem and find assistance.
- If the host fails scan, the Dissolvable Agent remains on the host.
-
Once the user has corrected any issue(s) that caused the host to fail the scan, the Dissolvable Agent security check must be run again. The original Dissolvable Agent downloaded at the beginning of this process is still on the host and can be run again.
Navigate to the Desktop.
Double-click the Dissolvable Agent.exe file.
This process may need to be completed again if additional issues remain that cause the host to fail the Endpoint Compliance Policy.
- Once all the items causing the host to fail the policy have been corrected, the host is registered and the Success page is displayed in the browser. At this point the Dissolvable Agent file is removed from the host. The Dissolvable Agent does not remove itself from the host until the host successfully passes a security scan.