Fortinet black logo

Administration Guide

Agent server communications

Copy Link
Copy Doc ID 2cb222d1-3405-11ea-9384-00505692583a:202305
Download PDF

Agent server communications

The sections below provide instructions for securing communications between the agent and the FortiNAC server with a trusted SSL certificate, setting up communication between the agent and the server, and the host registry settings or preferences that can be modified to customize Persistent Agent behavior.

Implementation

Update FortiNAC

Requires FortiNAC version 5.3.3 or higher to enable security.

You must have the latest Auto-Definition files installed. See Auto-definition updates.

Certificates

You must have a separate certificate for each FortiNAC server that runs the captive portal, such as the FortiNAC Application server or the stand-alone FortiNAC Server.

Certificates must be from a trusted certificate authority (CA), such as VeriSign, Thawte, or GeoTrust.

Self-signed certificates are not recommended. If you use a self-signed certificate, end users will receive constant pop-up warnings indicating that the site is not secure and asking them to confirm that they wish to continue. In addition, the Mobile Agent absolutely require a certificate from a trusted CA. The Mobile Agent cannot communicate with FortiNAC when Self-signed certificates are used.

If you already have a certificate that you are using to secure your portal, you can import that certificate into the FortiNAC server configuration and use it for both the portal and agent/server communications.

If you do not have a certificate for your portal, generate a certificate request and purchase a certificate. When the certificate is returned, import that certificate into the FortiNAC server configuration and use it for both the portal and agent/server communications.

Persistent Agent, Dissolvable Agent, and the Mobile Agent require the use of a certificate.

The 3.x Persistent Agent communication method requires not only SSL certificates be installed for the Persistent Agent target in FortiNAC, but also the root certificate be installed on the endstation hosting the agent. The Persistent Agent reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this store, the Persistent Agent will not trust the connection to FortiNAC and will not communicate.

FortiNAC does not push root certificates to endstations. Root certificates come pre-installed with the host's operating system. Any additions or updates to root certificates are distributed via the host's OS updates.

For instructions on generating and installing SSL certificates, see the document entitled FortiNAC SSL Certificates How To.

DNS server configuration

If you use agents for macOS and some Linux systems, using a .local suffix in Domain fields in the Configuration Wizard may cause communications issues.

Example:

Incorrect DNS suffix for reg: tech-reg.megatech.local

Correct DNS suffix for reg: tech.megatech-reg.edu

  • On upgrade to V6.0 or higher, SRV records indicating the port and FQDN of the FortiNAC appliance where the portal is located are automatically added to the domain.zone.* files for named. These files are created by the Configuration Wizard, which can also add the SRV records to the domain.zone.* files during the initial appliance configuration.
  • If you are unable to configure the agent through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.
  • Any references to the FortiNAC server's FQDN in DNS must match the name in the certificate used to secure the portal.

    See DNS server configuration and Agent server discovery.

Server configuration

Note

If the time on FortiNAC is inaccurate and is updated after Agent Security is enabled, Agents may ignore packets received from the server until the agent is restarted because the new timestamp deviates significantly from previous timestamps.

Make sure that the server is configured to use NTP for time synchronization. Go to System > Settings > System Management > NTP and Time Zone to configure the NTP server. This is typically set during installation.

Host configuration

  • Host machines should not have the FQDN of the FortiNAC Server or Application Server in the hosts file on the hard drive. Typically network users would not have this information in their hosts file. However, administrator users may have the FQDN in their hosts file to accommodate accessing java applets. Modify the hosts file to use the short name, such as, qa233 instead of qa233.example.com. If a host has the FQDN in its hosts file, the Persistent Agent cannot communicate with the FortiNAC Server or Application Server and cannot register the host.
  • For Windows hosts, download and configure Administrative Templates for Group Policy Objects to update the registry on each host with values that pertain to agent security.
  • For macOS hosts, update Preferences to provide security values to the agent.

See Persistent Agent on Windows.

Agent server communications

The sections below provide instructions for securing communications between the agent and the FortiNAC server with a trusted SSL certificate, setting up communication between the agent and the server, and the host registry settings or preferences that can be modified to customize Persistent Agent behavior.

Implementation

Update FortiNAC

Requires FortiNAC version 5.3.3 or higher to enable security.

You must have the latest Auto-Definition files installed. See Auto-definition updates.

Certificates

You must have a separate certificate for each FortiNAC server that runs the captive portal, such as the FortiNAC Application server or the stand-alone FortiNAC Server.

Certificates must be from a trusted certificate authority (CA), such as VeriSign, Thawte, or GeoTrust.

Self-signed certificates are not recommended. If you use a self-signed certificate, end users will receive constant pop-up warnings indicating that the site is not secure and asking them to confirm that they wish to continue. In addition, the Mobile Agent absolutely require a certificate from a trusted CA. The Mobile Agent cannot communicate with FortiNAC when Self-signed certificates are used.

If you already have a certificate that you are using to secure your portal, you can import that certificate into the FortiNAC server configuration and use it for both the portal and agent/server communications.

If you do not have a certificate for your portal, generate a certificate request and purchase a certificate. When the certificate is returned, import that certificate into the FortiNAC server configuration and use it for both the portal and agent/server communications.

Persistent Agent, Dissolvable Agent, and the Mobile Agent require the use of a certificate.

The 3.x Persistent Agent communication method requires not only SSL certificates be installed for the Persistent Agent target in FortiNAC, but also the root certificate be installed on the endstation hosting the agent. The Persistent Agent reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this store, the Persistent Agent will not trust the connection to FortiNAC and will not communicate.

FortiNAC does not push root certificates to endstations. Root certificates come pre-installed with the host's operating system. Any additions or updates to root certificates are distributed via the host's OS updates.

For instructions on generating and installing SSL certificates, see the document entitled FortiNAC SSL Certificates How To.

DNS server configuration

If you use agents for macOS and some Linux systems, using a .local suffix in Domain fields in the Configuration Wizard may cause communications issues.

Example:

Incorrect DNS suffix for reg: tech-reg.megatech.local

Correct DNS suffix for reg: tech.megatech-reg.edu

  • On upgrade to V6.0 or higher, SRV records indicating the port and FQDN of the FortiNAC appliance where the portal is located are automatically added to the domain.zone.* files for named. These files are created by the Configuration Wizard, which can also add the SRV records to the domain.zone.* files during the initial appliance configuration.
  • If you are unable to configure the agent through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.
  • Any references to the FortiNAC server's FQDN in DNS must match the name in the certificate used to secure the portal.

    See DNS server configuration and Agent server discovery.

Server configuration

Note

If the time on FortiNAC is inaccurate and is updated after Agent Security is enabled, Agents may ignore packets received from the server until the agent is restarted because the new timestamp deviates significantly from previous timestamps.

Make sure that the server is configured to use NTP for time synchronization. Go to System > Settings > System Management > NTP and Time Zone to configure the NTP server. This is typically set during installation.

Host configuration

  • Host machines should not have the FQDN of the FortiNAC Server or Application Server in the hosts file on the hard drive. Typically network users would not have this information in their hosts file. However, administrator users may have the FQDN in their hosts file to accommodate accessing java applets. Modify the hosts file to use the short name, such as, qa233 instead of qa233.example.com. If a host has the FQDN in its hosts file, the Persistent Agent cannot communicate with the FortiNAC Server or Application Server and cannot register the host.
  • For Windows hosts, download and configure Administrative Templates for Group Policy Objects to update the registry on each host with values that pertain to agent security.
  • For macOS hosts, update Preferences to provide security values to the agent.

See Persistent Agent on Windows.