Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

GPO settings for high availability

Note

If you are using Persistent Agent version 3.X or higher, this issue does not apply.

For the Persistent Agent to communicate with a FortiNAC appliance the agent must know the name or IP address of that appliance. Group Policy Objects can leverage templates distributed by Fortinet to modify the host registry and provide the Persistent Agent with the hostname of the FortiNAC appliance. However, in a high availability environment, the agent must also know how to communicate with the secondary server in the event of a failover.

High availability or redundant servers can be set up in two ways. In an L2 or single subnet configuration, the FortiNAC servers share a virtual IP address and server name. In a failover situation, the transition is seamless because agents continue to communicate with the same virtual IP address or name no matter which FortiNAC appliance is in control. In an L3 environment where redundant servers are on different subnets, there is no shared IP address. The agent must know how to connect to both servers.

If you are running in a high availability environment, you must analyze the HA configuration, the version number of the agent being used and the method used to establish communication between the FortiNAC appliance and the Persistent Agent. You may need to alter the way you inform the Persistent Agent of the server name or IP address.

When a template is served to a host, the template writes to the following keys in the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Bradford Networks\Client Security Agent

The Persistent Agent key takes precedence over the Client Security Agent key. However, in an L3 environment with redundant servers on different subnets, if there is a fail over, FortiNAC can only update the value in the Client Security Agent key. Since the Persistent Agent key takes precedence, the agent does not communicate with the correct server.

The sections below provide an overview of successful configuration combinations for Persistent Agent / Server communication in a high availability environment. This is particularly important when hosts are configured using templates served by Group Policy Objects to modify the host registry.

Note

When FortiNAC is running on a Control Server/Application Server pair, the Persistent Agent communicates with the Application Server. Be sure to use the correct server name or IP address during configuration.

L2 high availability

In this environment, redundant servers share a virtual IP address and a server name. There are two options for configuring communication between the agent and the FortiNAC server.

Option 1: Use GPO to deliver a template

Use GPO to deliver a template to the host where the Agent is installed. All values in the template, including ServerIP can be configured. If the primary FortiNAC server fails over, the secondary server uses the same server name and virtual IP address, therefore, no change is required in the host registry.

Option 2: Use Persistent Agent properties

Navigate to Policy > Persistent Agent Properties > Security Management. Add the shared name of the primary and secondary FortiNAC servers. See Security management.

L3 high availability

In this environment, redundant servers are on different subnets and have different IP addresses. In this scenario, there is only one option.

You can use GPO to deliver a template to the host where the Persistent Agent is installed, however, you must NOT configure ServerIP in the template. It is important that the associated registry keys not be configured on the host.

You must navigate to Policy > Persistent Agent Properties > Security Management. Add the server name of both the primary and secondary FortiNAC servers.

In the event of a failover, the name of the secondary FortiNAC server is pushed to the Persistent Agent.

GPO settings for high availability

Note

If you are using Persistent Agent version 3.X or higher, this issue does not apply.

For the Persistent Agent to communicate with a FortiNAC appliance the agent must know the name or IP address of that appliance. Group Policy Objects can leverage templates distributed by Fortinet to modify the host registry and provide the Persistent Agent with the hostname of the FortiNAC appliance. However, in a high availability environment, the agent must also know how to communicate with the secondary server in the event of a failover.

High availability or redundant servers can be set up in two ways. In an L2 or single subnet configuration, the FortiNAC servers share a virtual IP address and server name. In a failover situation, the transition is seamless because agents continue to communicate with the same virtual IP address or name no matter which FortiNAC appliance is in control. In an L3 environment where redundant servers are on different subnets, there is no shared IP address. The agent must know how to connect to both servers.

If you are running in a high availability environment, you must analyze the HA configuration, the version number of the agent being used and the method used to establish communication between the FortiNAC appliance and the Persistent Agent. You may need to alter the way you inform the Persistent Agent of the server name or IP address.

When a template is served to a host, the template writes to the following keys in the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Bradford Networks\Persistent Agent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Bradford Networks\Client Security Agent

The Persistent Agent key takes precedence over the Client Security Agent key. However, in an L3 environment with redundant servers on different subnets, if there is a fail over, FortiNAC can only update the value in the Client Security Agent key. Since the Persistent Agent key takes precedence, the agent does not communicate with the correct server.

The sections below provide an overview of successful configuration combinations for Persistent Agent / Server communication in a high availability environment. This is particularly important when hosts are configured using templates served by Group Policy Objects to modify the host registry.

Note

When FortiNAC is running on a Control Server/Application Server pair, the Persistent Agent communicates with the Application Server. Be sure to use the correct server name or IP address during configuration.

L2 high availability

In this environment, redundant servers share a virtual IP address and a server name. There are two options for configuring communication between the agent and the FortiNAC server.

Option 1: Use GPO to deliver a template

Use GPO to deliver a template to the host where the Agent is installed. All values in the template, including ServerIP can be configured. If the primary FortiNAC server fails over, the secondary server uses the same server name and virtual IP address, therefore, no change is required in the host registry.

Option 2: Use Persistent Agent properties

Navigate to Policy > Persistent Agent Properties > Security Management. Add the shared name of the primary and secondary FortiNAC servers. See Security management.

L3 high availability

In this environment, redundant servers are on different subnets and have different IP addresses. In this scenario, there is only one option.

You can use GPO to deliver a template to the host where the Persistent Agent is installed, however, you must NOT configure ServerIP in the template. It is important that the associated registry keys not be configured on the host.

You must navigate to Policy > Persistent Agent Properties > Security Management. Add the server name of both the primary and secondary FortiNAC servers.

In the event of a failover, the name of the secondary FortiNAC server is pushed to the Persistent Agent.