Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Agent server discovery

Agent server discovery is a mechanism used by different types of agents to determine the identity of the FortiNAC Server or Application Server to which the agent should connect. Some agents use SRV and TXT records contained within both FortiNAC's DNS server (for when agents are in isolation) and your production DNS server. The records used by the Agent for identifying and connecting to the FortiNAC server vary depending on the type of Agent used.

FortiNAC agents discover the FortiNAC Application Server to which they should connect in variety of ways. The discovery process for each agent is outlined in this section.

Note

The FortiNAC Application Server name used by the agent must match the server name in the certificate securing the appropriate certificate Target or the agent and the server will not be able to communicate. The certificate Target used is dependent upon the agent type. Refer to the discovery process below.

Persistent Agent

Persistent Agent v3.0 and higher determines the FortiNAC Application Server to which it should connect in several ways. If you have used the Administrative Templates distributed with FortiNAC and used Group Policy Objects to set registry entries on each host, then the Persistent Agent can use those entries to find the appropriate FortiNAC Application Server.

The Persistent Agent communicates on the following ports:

  • udp 4567
  • tcp 4568
  • tcp 80 (required for upgrades)

The discovery process is as follows:

  1. The Persistent Agent starts.
  2. The agent checks DNS for SRV records of _bradfordagent._udp.example.com and _bradfordagent._tcp.example.com.
  3. The agent looks at the host registry (Windows), preferences (macOS), or .conf (Linux).
  4. First it checks the entry for lastConnectedServer. If lastConnectedServer is set it adds the server to the top of the list.**
  5. Then it checks the entry for HomeServer. If HomeServer is set, it adds it to a list.
  6. Then the agent checks the entry for AllowedServers. This entry contains a list of additional servers to which the agent can connect. It adds each of these servers to the list.
  7. If SRV records are returned, the agent processes them in reverse priority order (highest value first). If homeServer is not already set, the name contained in the SRV response is written to the host registry HKLM\Software\Bradford Networks\Client Security Agent (Windows) or preferences (macOS, Linux).*
  8. For each SRV record:
    1. If the name is not already in the list, and restrictRoaming is disabled, the agent adds the name to the top of the list and to the lastConnectedServer value.**
    2. Otherwise, if the name is already in the list, the agent moves the name to the top of the list.
  9. Now that the list of servers is complete, the agent tries to connect to each server over SSL/TLS until it successfully connects to one. Unless security is disabled on the agent, this is done over SSL/TLS (requires valid certificate installed for the Persistent Agent certificate Target).
  10. Once the agent has successfully connected to a server, that server will be set to the lastConnectedServer value, and moved to the top of the list.**
  11. Once a server has been added to the lastConnectedServer, if restrictRoaming is enabled, it will remain at the top of the list until that server is no longer reachable by the agent. At that point the list will be parsed until the agent connects to a server and then that server will be moved to lastConnectedServer and to the top of the list.**

*registry/preferences settings remain until one of the following occurs:

  • Entry is manually changed.
  • Agent is uninstalled.
  • Agent is updated.

If the agent cannot be configured through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.

Mobile Agent

The Mobile Agent determines the FortiNAC Application Server to which it should connect by checking DNS as follows:

  1. The Mobile Agent starts.
  2. It checks DNS and is directed to a service type _networksentry.tcp called AgentConfig.
  3. It checks the SRV record for that service type for the server to which it should connect.
  4. It connects to the FortiNAC Application Server over SSL/TLS (requires valid certificate installed for the Portal certificate Target).
  5. For Mobile Agent 3.1 or higher, if for any reason it cannot connect to the FortiNAC Application Server, a request for the appropriate URL is presented to the user. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection.

Passive Agent

The Passive Agent determines the FortiNAC Application Server to which it should connect by checking the host registry.

  1. The network user logs onto the network.
  2. The login triggers a script that is served from a corporate server on the network.
  3. The script checks the registry entry ServerURL for the list of servers to which it can connect.
  4. It tries the servers in order until it connects to one.

Dissolvable Agent

The Dissolvable Agent determines the FortiNAC Application Server to which it should connect by checking DNS as follows:

  1. The Dissolvable Agent starts.
  2. It checks DNS and is directed to a service type _networksentry.tcp called AgentConfig.
  3. It checks the SRV record for that service type for the server to which it should connect.
  4. It connects to the FortiNAC Application Server over SSL/TLS (requires valid certificate installed for the Portal certificate Target).
  5. If for any reason it cannot connect to the FortiNAC Application Server, a request for the appropriate URL is presented to the user. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection.

Agent server discovery

Agent server discovery is a mechanism used by different types of agents to determine the identity of the FortiNAC Server or Application Server to which the agent should connect. Some agents use SRV and TXT records contained within both FortiNAC's DNS server (for when agents are in isolation) and your production DNS server. The records used by the Agent for identifying and connecting to the FortiNAC server vary depending on the type of Agent used.

FortiNAC agents discover the FortiNAC Application Server to which they should connect in variety of ways. The discovery process for each agent is outlined in this section.

Note

The FortiNAC Application Server name used by the agent must match the server name in the certificate securing the appropriate certificate Target or the agent and the server will not be able to communicate. The certificate Target used is dependent upon the agent type. Refer to the discovery process below.

Persistent Agent

Persistent Agent v3.0 and higher determines the FortiNAC Application Server to which it should connect in several ways. If you have used the Administrative Templates distributed with FortiNAC and used Group Policy Objects to set registry entries on each host, then the Persistent Agent can use those entries to find the appropriate FortiNAC Application Server.

The Persistent Agent communicates on the following ports:

  • udp 4567
  • tcp 4568
  • tcp 80 (required for upgrades)

The discovery process is as follows:

  1. The Persistent Agent starts.
  2. The agent checks DNS for SRV records of _bradfordagent._udp.example.com and _bradfordagent._tcp.example.com.
  3. The agent looks at the host registry (Windows), preferences (macOS), or .conf (Linux).
  4. First it checks the entry for lastConnectedServer. If lastConnectedServer is set it adds the server to the top of the list.**
  5. Then it checks the entry for HomeServer. If HomeServer is set, it adds it to a list.
  6. Then the agent checks the entry for AllowedServers. This entry contains a list of additional servers to which the agent can connect. It adds each of these servers to the list.
  7. If SRV records are returned, the agent processes them in reverse priority order (highest value first). If homeServer is not already set, the name contained in the SRV response is written to the host registry HKLM\Software\Bradford Networks\Client Security Agent (Windows) or preferences (macOS, Linux).*
  8. For each SRV record:
    1. If the name is not already in the list, and restrictRoaming is disabled, the agent adds the name to the top of the list and to the lastConnectedServer value.**
    2. Otherwise, if the name is already in the list, the agent moves the name to the top of the list.
  9. Now that the list of servers is complete, the agent tries to connect to each server over SSL/TLS until it successfully connects to one. Unless security is disabled on the agent, this is done over SSL/TLS (requires valid certificate installed for the Persistent Agent certificate Target).
  10. Once the agent has successfully connected to a server, that server will be set to the lastConnectedServer value, and moved to the top of the list.**
  11. Once a server has been added to the lastConnectedServer, if restrictRoaming is enabled, it will remain at the top of the list until that server is no longer reachable by the agent. At that point the list will be parsed until the agent connects to a server and then that server will be moved to lastConnectedServer and to the top of the list.**

*registry/preferences settings remain until one of the following occurs:

  • Entry is manually changed.
  • Agent is uninstalled.
  • Agent is updated.

If the agent cannot be configured through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.

Mobile Agent

The Mobile Agent determines the FortiNAC Application Server to which it should connect by checking DNS as follows:

  1. The Mobile Agent starts.
  2. It checks DNS and is directed to a service type _networksentry.tcp called AgentConfig.
  3. It checks the SRV record for that service type for the server to which it should connect.
  4. It connects to the FortiNAC Application Server over SSL/TLS (requires valid certificate installed for the Portal certificate Target).
  5. For Mobile Agent 3.1 or higher, if for any reason it cannot connect to the FortiNAC Application Server, a request for the appropriate URL is presented to the user. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection.

Passive Agent

The Passive Agent determines the FortiNAC Application Server to which it should connect by checking the host registry.

  1. The network user logs onto the network.
  2. The login triggers a script that is served from a corporate server on the network.
  3. The script checks the registry entry ServerURL for the list of servers to which it can connect.
  4. It tries the servers in order until it connects to one.

Dissolvable Agent

The Dissolvable Agent determines the FortiNAC Application Server to which it should connect by checking DNS as follows:

  1. The Dissolvable Agent starts.
  2. It checks DNS and is directed to a service type _networksentry.tcp called AgentConfig.
  3. It checks the SRV record for that service type for the server to which it should connect.
  4. It connects to the FortiNAC Application Server over SSL/TLS (requires valid certificate installed for the Portal certificate Target).
  5. If for any reason it cannot connect to the FortiNAC Application Server, a request for the appropriate URL is presented to the user. The URL field will accept an HTTPS address, the FQDN of the server which it uses to create an HTTPS address or an HTTP address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection.