Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Agent packages

The Agent packages view displays a list of the Dissolvable Agent, Persistent Agent, Passive Agent, and Mobile Agent versions available on your FortiNAC appliance. This view allows you to download new agents and add them to FortiNAC as they become available from Fortinet.

Both the Dissolvable Agent and Persistent Agents can be supplied to hosts automatically by FortiNAC through the captive portal when the host reaches the appropriate web page. The agent presented to the host is based on the configuration of the endpoint compliance policy applied to that host. Supplying the Passive Agent requires additional configuration. See Passive Agent.

Hosts who already have a version of the Persistent Agent installed can be automatically updated to a newer version of the agent based on the settings you enter on the Agent Update tab. See Upgrade the Persistent Agent.

You also have the option to download a Persistent Agent from the list to your own computer to be distributed to hosts through your web site, using a login script or some other distribution method. Files are saved on your computer in the default download location. This location varies depending on the browser you are using.

The Windows Persistent Agent is available in two formats: .msi and .exe. The .msi file is recommended for use in a managed install by non-user-interactive means. The .exe file is recommended for user-interactive installation. The Linux Persistent Agent is also available in two formats: .deb or .rpm. The macOS Persistent Agent is available in .dmg format.

If you choose to distribute the agent using Group Policy Objects, you must download and install administrative templates on your Windows server. Use the links at the top of the Agent Distribution view to download the templates.

Select Delete to remove old Agent packages from your server.

Settings

Field

Definition

Package

Name of the .jar file containing the agents and supporting files.

Agent Version

Version number of the agent.

Name

Name of the type of agent. Agents include:

  • Mobile Agent
  • Dissolvable Agent
  • Persistent Agent
  • Passive Agent

Operating System

Operating system on which the agent can run.

File

File name and type, such as .exe or .bin.

Size

Download size of the agent file in KiB.

Delete

Allows you to delete old agent packages from the FortiNAC server.

Download agent packages

Status

Indicates whether there are new agent packages available for download from Fortinet. Status messages include:

  • Up to Date
  • New Agent Packages Available

Download

Launches the Agent Download dialog allowing you to select new agent packages to be added to your FortiNAC server.

Download new agent packages

New Agent packages are placed on the Fortinet update server when they become available. Agent packages contain all of the available FortiNAC agents and agent related files. The Mobile Agent can be downloaded from the captive portal if the device allows downloads from unknown sources, otherwise it is distributed through Google Play. However, there are supporting files for the Mobile Agent in the agent package. For any agent update you must download and install the latest agent package.

Download settings must be configured correctly in order to download agent packages. See System update for more information.

  1. Click System > Settings.
  2. Expand the Updates folder.
  3. Select Agent Packages from the tree.
  4. Scroll to the bottom of the page. When new agents are available, the message New Agent Packages Available is displayed next to Download. Select Download to display a list of available agent packages.
  5. Click the Download link next to an agent package to initiate the download. A progress page is displayed until the download is complete.
  6. Click Close to return to the Agent Packages view.

Download the Persistent Agent for custom distribution

Follow the steps below to download a Persistent Agent from your FortiNAC appliance to your local computer.

  1. Click System > Settings.
  2. Expand the Updates folder.
  3. Select Agent Packages from the tree.

    Note

    The Dissolvable Agent, Persistent Agent, and Passive Agent packages are included in the list, but only the Persistent Agent and Passive Agent packages may be downloaded through this view. The links appear in blue.

  4. Locate the agent you wish to download. Click on the name of the agent file in blue text in the File column of the table.
  5. The file is typically saved to the default download location. This is controlled by your browser.
  6. Distribute the file via the Desktop Management software of your choice. It is recommended that you visit our web site for additional information on deploying the Persistent Agent outside of FortiNAC.

Download and configure administrative templates for GPO

Administrative templates are used to configure registry settings on Windows endpoints through Group policy objects. For the Persistent Agent and the Passive Agent, there are templates to configure the Server URL of the FortiNAC Application Server with which the agent will communicate. There are also per-computer and per-user templates to enable or disable the system tray icon or Balloon Notifications of status changes. The Balloon Notification template does not affect the Server IP and is not required.

FortiNAC does not support an Administrative Template for deploying configuration changes to macOS computers or users through GPO. You can investigate 3rd party applications, such as Likewise Enterprise that support macOS computers using Group Policy Object editor. The modifications shown in the tables below can be made in the Preferences file on macOS hosts, using the tool of your choice.

Note

The Persistent Agent running on a macOS computer can determine the server to which it should connect via DNS server records it does not require changes to Preferences.

If you are using the Persistent Agent, your Windows login credentials are automatically passed to FortiNAC. You can modify the Administrative Template to hide the Persistent Agent Login dialog and use the Windows login credentials sent by the Persistent Agent by modifying the settings in the Administrative Template. See Using Windows domain logon credentials.

Security is enabled by default. It is recommended that you update to the latest template files and configure the templates for the new security settings.

Requirements:
  • Active Directory
  • Group Policy Objects
  • Template Files From Fortinet
Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your Windows server . Be sure to select the appropriate MSI for your Windows server architecture.

  • 32-bit (x86): Bradford Networks Administrative Templates.msi
  • 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi
Install the templates for GPO
  1. In FortiNAC select System > Settings > Updates > Agent Packages.
  2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
  3. Copy the template file to the domain server.
  4. On the domain server, double-click the msi file to start the installation wizard.
  5. Click through the installation wizard. When installation has completed, the Microsoft Group Policy Management Console is required to complete the installation. Refer to the Windows Server documentation for details.
  6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  7. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, shows the current templates pop-up.
  8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
    1. To use the Persistent Agent, select FortiNAC Persistent Agent.adm and click Open.
    2. To use the Passive Agent, select FortiNAC Passive Agent.adm and click Open.
  9. Click Close, and the Administrative Templates will be imported into the GPO.
Install an updated template when balloon notifications are configured

If you have never configured Balloon Notifications, go to the section of this document labeled Install An Updated Template.

If you already have a Fortinet Administrative Template installed for the Persistent Agent and the Balloon Notifications were ever set to anything other than Not Configured (e.g. enabled or disabled), you must unconfigure the Balloon Notifications and push the settings to your clients. When your clients have all been updated, then the new template can be installed. These templates affect the registry settings on the client host. In the case of the Balloon Notifications, removing the previous configuration before installing the new one ensures that the keys will be set correctly.

Note

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. In FortiNAC, navigate to System > Settings > Persistent Agent Properties.
  2. Select Security Management and make sure that Display Notifications is disabled. When you have uploaded and configured the new template, come back to this view and restore the Display Notifications option to its original state.
  3. Log into your Windows Server.
  4. On your Windows server open the Group Policy Management Tool.
  5. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  6. Select Computer Configuration > Administrative Templates > Bradford Persistent Agent.
  7. In the pane on the right, right-click on the Balloon Notifications setting and select Properties.
  8. On the Setting tab in the Properties window select Not Configured and click OK.
  9. When all of your clients have received the updated settings, the new template can be installed.
  10. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  11. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show the current templates pop-up.
  12. Select the old template and click Remove. Follow the instructions in the Install The Templates For GPO section shown above to install the new template.
Install an updated template

Occasionally new templates are made available to incorporate additional features. If you already have a Fortinet Administrative Template installed but it does not have Balloon Notifications enabled, follow the instructions below to update it. If you do have Balloon Notifications enabled, go to the previous section for instructions.

Note

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  3. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show the current templates pop-up.
  4. Select the old template and click Remove. Follow the instructions in the Install The Templates For GPO section shown above to install the new template.
Modify settings

See the table below for settings which can be configured using the Administrative Templates provided.

Settings

Option

Definition

Persistent Agent template

Host Name

Fully qualified host name of the FortiNAC Application Server or the FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

Balloon Notifications

Enables or Disables Balloon Notifications on a per-host or per-user basis. This setting is not required for configuring Server IP information. Options include:

  • Enabled: Forces balloon notifications for host state changes to be enabled on the host.
  • Disabled: Forces balloon notifications for host state changes to be disabled on the host.
  • Not Configured: Use the non-policy setting (Enabled).

Login Dialog

Enables or Disables the login dialog on a per-host or per-user basis. This setting is not required for configuring Server IP information. See Using Windows domain logon credentials for further instructions. Options include:

  • Enabled: The login dialog is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The login dialog is disabled. The agent will never prompt the user for credentials. This is useful in certain Single-sign-on configurations.
  • Not Configured: The login dialog is enabled, unless overridden by a per-user configuration.

System Tray Icon

Enables or Disables the system tray icon on a per-host or per-user basis. This setting is not required for configuring Server IP information. (Requires Persistent Agent 2.2.3 or higher). Options include:

  • Enabled: The system tray icon is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The system tray icon is disabled. Disabling the system tray icon also disables the following functionality: Status Notifications (Show Network Access Status, Login, Logout), Message Logs and the About dialog.
  • Not Configured: The system tray icon is enabled, unless overridden by a per-user configuration.

Max Connection Interval

The maximum number of seconds between attempts to connect to FortiNAC.

Persistent Agent security settings

Security Mode

Indicates whether security is enabled or disabled.

Home Server

Server with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this servers is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Limit Connections To Servers

  • Enabled: Agent communicates only with its Home Server and servers listed under Allowed Servers list displayed.
  • Disabled: Agent searches for additional servers when the home server is unavailable.
  • Allowed Servers List: In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate.

Passive Agent template

Passive Agent

Server URL List: Comma separated list of URLs (HTTP(s)://<server_name>/<context> formatted) for the FortiNAC servers that hosts running an agent should contact. Hosts must be able to reach all of the URLs in order to run properly.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Registry keys

The template setup shown in the table above modifies the Windows host's registry settings. The table below shows the modifications made to the host's registry keys by the Group Policy Object using the administrative template. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Upon installation of the Persistent Agent, the following key is created by default (and can be viewed using the Windows registry editor on the endstation):

HKLM\Software\Bradford Networks\Client Security Agent

When registry settings are pushed to a host via software, one or both of the following keys are created (depending upon the values pushed):

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

Note

When the settings are pushed, the values for HKLM\Software\Bradford Networks\Client Security Agent will remain the same, but any settings altered via the software push will override those listed in the original key.

Note

On 64-bit operating systems in RegEdit, these registry values will appear in the following key: HKLM\Software\wow6432node.

Key

Value

Data

Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes.

Data Type: DWORD

Default: Not Configured

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes. Data Type: DWORD

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

securityEnabled

0: Disable Agent Security.

1: Enable Agent Security

Data Type: Integer

Default: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Data Type: String

Default: Empty

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

restrictRoaming

0: Do not restrict roaming. Allow agent to communicate with any server.

1: Restrict roaming to the home server and the allowed servers list.

Data Type: Integer

Default: 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

allowedServers

Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Data Type: String

Default: Empty

Passive Agent

HKEY_USERS\{SID}\Software\
Policies\Bradford Networks
\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

HKLM\Software\Policies\Bradford Networks\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Deploy the Passive Agent
  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit.
  3. Right-click the Group Policy Object and select Edit to display the GPO Editor pane.
  4. Click User Configuration > Policies >Windows > Settings Scripts (Logon/Logoff) to display the Logon and Logoff script configurations.
  5. Double click Logon for Logon Properties.
  6. Click Add and then browse to the location of FortiNAC_Passive_Agent.exe.
  7. Select FortiNAC_Passive_Agent.exe to add it to the Script Name field.
  8. Enter -logon in the Script Parameters field.
  9. Click OK.

To ensure the user is logged off the host upon logging out, do the following:

  1. Follow steps 1-4, and then double-click Logoff.
  2. Add FortiNAC_Passive_Agent.exe to to the Script Name field, and then enter -logoff in the Script Parameter field.
  3. Click OK.

Agent packages

The Agent packages view displays a list of the Dissolvable Agent, Persistent Agent, Passive Agent, and Mobile Agent versions available on your FortiNAC appliance. This view allows you to download new agents and add them to FortiNAC as they become available from Fortinet.

Both the Dissolvable Agent and Persistent Agents can be supplied to hosts automatically by FortiNAC through the captive portal when the host reaches the appropriate web page. The agent presented to the host is based on the configuration of the endpoint compliance policy applied to that host. Supplying the Passive Agent requires additional configuration. See Passive Agent.

Hosts who already have a version of the Persistent Agent installed can be automatically updated to a newer version of the agent based on the settings you enter on the Agent Update tab. See Upgrade the Persistent Agent.

You also have the option to download a Persistent Agent from the list to your own computer to be distributed to hosts through your web site, using a login script or some other distribution method. Files are saved on your computer in the default download location. This location varies depending on the browser you are using.

The Windows Persistent Agent is available in two formats: .msi and .exe. The .msi file is recommended for use in a managed install by non-user-interactive means. The .exe file is recommended for user-interactive installation. The Linux Persistent Agent is also available in two formats: .deb or .rpm. The macOS Persistent Agent is available in .dmg format.

If you choose to distribute the agent using Group Policy Objects, you must download and install administrative templates on your Windows server. Use the links at the top of the Agent Distribution view to download the templates.

Select Delete to remove old Agent packages from your server.

Settings

Field

Definition

Package

Name of the .jar file containing the agents and supporting files.

Agent Version

Version number of the agent.

Name

Name of the type of agent. Agents include:

  • Mobile Agent
  • Dissolvable Agent
  • Persistent Agent
  • Passive Agent

Operating System

Operating system on which the agent can run.

File

File name and type, such as .exe or .bin.

Size

Download size of the agent file in KiB.

Delete

Allows you to delete old agent packages from the FortiNAC server.

Download agent packages

Status

Indicates whether there are new agent packages available for download from Fortinet. Status messages include:

  • Up to Date
  • New Agent Packages Available

Download

Launches the Agent Download dialog allowing you to select new agent packages to be added to your FortiNAC server.

Download new agent packages

New Agent packages are placed on the Fortinet update server when they become available. Agent packages contain all of the available FortiNAC agents and agent related files. The Mobile Agent can be downloaded from the captive portal if the device allows downloads from unknown sources, otherwise it is distributed through Google Play. However, there are supporting files for the Mobile Agent in the agent package. For any agent update you must download and install the latest agent package.

Download settings must be configured correctly in order to download agent packages. See System update for more information.

  1. Click System > Settings.
  2. Expand the Updates folder.
  3. Select Agent Packages from the tree.
  4. Scroll to the bottom of the page. When new agents are available, the message New Agent Packages Available is displayed next to Download. Select Download to display a list of available agent packages.
  5. Click the Download link next to an agent package to initiate the download. A progress page is displayed until the download is complete.
  6. Click Close to return to the Agent Packages view.

Download the Persistent Agent for custom distribution

Follow the steps below to download a Persistent Agent from your FortiNAC appliance to your local computer.

  1. Click System > Settings.
  2. Expand the Updates folder.
  3. Select Agent Packages from the tree.

    Note

    The Dissolvable Agent, Persistent Agent, and Passive Agent packages are included in the list, but only the Persistent Agent and Passive Agent packages may be downloaded through this view. The links appear in blue.

  4. Locate the agent you wish to download. Click on the name of the agent file in blue text in the File column of the table.
  5. The file is typically saved to the default download location. This is controlled by your browser.
  6. Distribute the file via the Desktop Management software of your choice. It is recommended that you visit our web site for additional information on deploying the Persistent Agent outside of FortiNAC.

Download and configure administrative templates for GPO

Administrative templates are used to configure registry settings on Windows endpoints through Group policy objects. For the Persistent Agent and the Passive Agent, there are templates to configure the Server URL of the FortiNAC Application Server with which the agent will communicate. There are also per-computer and per-user templates to enable or disable the system tray icon or Balloon Notifications of status changes. The Balloon Notification template does not affect the Server IP and is not required.

FortiNAC does not support an Administrative Template for deploying configuration changes to macOS computers or users through GPO. You can investigate 3rd party applications, such as Likewise Enterprise that support macOS computers using Group Policy Object editor. The modifications shown in the tables below can be made in the Preferences file on macOS hosts, using the tool of your choice.

Note

The Persistent Agent running on a macOS computer can determine the server to which it should connect via DNS server records it does not require changes to Preferences.

If you are using the Persistent Agent, your Windows login credentials are automatically passed to FortiNAC. You can modify the Administrative Template to hide the Persistent Agent Login dialog and use the Windows login credentials sent by the Persistent Agent by modifying the settings in the Administrative Template. See Using Windows domain logon credentials.

Security is enabled by default. It is recommended that you update to the latest template files and configure the templates for the new security settings.

Requirements:
  • Active Directory
  • Group Policy Objects
  • Template Files From Fortinet
Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your Windows server . Be sure to select the appropriate MSI for your Windows server architecture.

  • 32-bit (x86): Bradford Networks Administrative Templates.msi
  • 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi
Install the templates for GPO
  1. In FortiNAC select System > Settings > Updates > Agent Packages.
  2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
  3. Copy the template file to the domain server.
  4. On the domain server, double-click the msi file to start the installation wizard.
  5. Click through the installation wizard. When installation has completed, the Microsoft Group Policy Management Console is required to complete the installation. Refer to the Windows Server documentation for details.
  6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  7. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, shows the current templates pop-up.
  8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
    1. To use the Persistent Agent, select FortiNAC Persistent Agent.adm and click Open.
    2. To use the Passive Agent, select FortiNAC Passive Agent.adm and click Open.
  9. Click Close, and the Administrative Templates will be imported into the GPO.
Install an updated template when balloon notifications are configured

If you have never configured Balloon Notifications, go to the section of this document labeled Install An Updated Template.

If you already have a Fortinet Administrative Template installed for the Persistent Agent and the Balloon Notifications were ever set to anything other than Not Configured (e.g. enabled or disabled), you must unconfigure the Balloon Notifications and push the settings to your clients. When your clients have all been updated, then the new template can be installed. These templates affect the registry settings on the client host. In the case of the Balloon Notifications, removing the previous configuration before installing the new one ensures that the keys will be set correctly.

Note

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. In FortiNAC, navigate to System > Settings > Persistent Agent Properties.
  2. Select Security Management and make sure that Display Notifications is disabled. When you have uploaded and configured the new template, come back to this view and restore the Display Notifications option to its original state.
  3. Log into your Windows Server.
  4. On your Windows server open the Group Policy Management Tool.
  5. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  6. Select Computer Configuration > Administrative Templates > Bradford Persistent Agent.
  7. In the pane on the right, right-click on the Balloon Notifications setting and select Properties.
  8. On the Setting tab in the Properties window select Not Configured and click OK.
  9. When all of your clients have received the updated settings, the new template can be installed.
  10. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  11. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show the current templates pop-up.
  12. Select the old template and click Remove. Follow the instructions in the Install The Templates For GPO section shown above to install the new template.
Install an updated template

Occasionally new templates are made available to incorporate additional features. If you already have a Fortinet Administrative Template installed but it does not have Balloon Notifications enabled, follow the instructions below to update it. If you do have Balloon Notifications enabled, go to the previous section for instructions.

Note

Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.

  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  3. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates, to show the current templates pop-up.
  4. Select the old template and click Remove. Follow the instructions in the Install The Templates For GPO section shown above to install the new template.
Modify settings

See the table below for settings which can be configured using the Administrative Templates provided.

Settings

Option

Definition

Persistent Agent template

Host Name

Fully qualified host name of the FortiNAC Application Server or the FortiNAC Server if you are not using a pair. It is pushed out to the connecting host(s) to ensure that the Persistent Agent is communicating with the correct host in a distributed environment.

Balloon Notifications

Enables or Disables Balloon Notifications on a per-host or per-user basis. This setting is not required for configuring Server IP information. Options include:

  • Enabled: Forces balloon notifications for host state changes to be enabled on the host.
  • Disabled: Forces balloon notifications for host state changes to be disabled on the host.
  • Not Configured: Use the non-policy setting (Enabled).

Login Dialog

Enables or Disables the login dialog on a per-host or per-user basis. This setting is not required for configuring Server IP information. See Using Windows domain logon credentials for further instructions. Options include:

  • Enabled: The login dialog is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The login dialog is disabled. The agent will never prompt the user for credentials. This is useful in certain Single-sign-on configurations.
  • Not Configured: The login dialog is enabled, unless overridden by a per-user configuration.

System Tray Icon

Enables or Disables the system tray icon on a per-host or per-user basis. This setting is not required for configuring Server IP information. (Requires Persistent Agent 2.2.3 or higher). Options include:

  • Enabled: The system tray icon is enabled. This can be used per-user to override a per-host setting of Disabled.
  • Disabled: The system tray icon is disabled. Disabling the system tray icon also disables the following functionality: Status Notifications (Show Network Access Status, Login, Logout), Message Logs and the About dialog.
  • Not Configured: The system tray icon is enabled, unless overridden by a per-user configuration.

Max Connection Interval

The maximum number of seconds between attempts to connect to FortiNAC.

Persistent Agent security settings

Security Mode

Indicates whether security is enabled or disabled.

Home Server

Server with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this servers is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Limit Connections To Servers

  • Enabled: Agent communicates only with its Home Server and servers listed under Allowed Servers list displayed.
  • Disabled: Agent searches for additional servers when the home server is unavailable.
  • Allowed Servers List: In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate.

Passive Agent template

Passive Agent

Server URL List: Comma separated list of URLs (HTTP(s)://<server_name>/<context> formatted) for the FortiNAC servers that hosts running an agent should contact. Hosts must be able to reach all of the URLs in order to run properly.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Registry keys

The template setup shown in the table above modifies the Windows host's registry settings. The table below shows the modifications made to the host's registry keys by the Group Policy Object using the administrative template. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.

Upon installation of the Persistent Agent, the following key is created by default (and can be viewed using the Windows registry editor on the endstation):

HKLM\Software\Bradford Networks\Client Security Agent

When registry settings are pushed to a host via software, one or both of the following keys are created (depending upon the values pushed):

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

Note

When the settings are pushed, the values for HKLM\Software\Bradford Networks\Client Security Agent will remain the same, but any settings altered via the software push will override those listed in the original key.

Note

On 64-bit operating systems in RegEdit, these registry values will appear in the following key: HKLM\Software\wow6432node.

Key

Value

Data

Persistent Agent

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ServerIP

The fully qualified hostname to which the agent should communicate.

Data Type: String

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes.

Data Type: DWORD

Default: Not Configured

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ClientStateEnabled

0: Do not show balloon notifications on status changes.

1: Show balloon notifications on status changes. Data Type: DWORD

Default: Not Configured

HKLM\Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

LoginDialogDisabled

0: Enable Login Dialog.

1: Disable Login Dialog.

Data Type: DWORD

Default: Not Configured

(Login Dialog displayed)

HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKLM\Software\Policies\Bradford Networks\Persistent Agent

ShowIcon

0: Do not show the tray icon.

1: Show the tray icon.

Data Type: DWORD

Default: Not Configured

(Tray icon displayed)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

maxConnectInterval

The maximum number of seconds between attempts to connect to FortiNAC.

Data Type: Integer

Default: 960

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

securityEnabled

0: Disable Agent Security.

1: Enable Agent Security

Data Type: Integer

Default: 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

homeServer

The fully qualified hostname of the default server with which the agent should communicate.

Data Type: String

Default: Empty

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

restrictRoaming

0: Do not restrict roaming. Allow agent to communicate with any server.

1: Restrict roaming to the home server and the allowed servers list.

Data Type: Integer

Default: 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Bradford Networks\Persistent Agent

allowedServers

Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com).

Data Type: String

Default: Empty

Passive Agent

HKEY_USERS\{SID}\Software\
Policies\Bradford Networks
\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

HKLM\Software\Policies\Bradford Networks\PASSIVE

ServerURL

Server URL List: Comma separated list of URLs for the FortiNAC servers that an agent should contact.

Example:

http://qa228/registration

The context portion of the Server URL is the area of the captive portal the agents should contact, such as, registration, remediation, or authentication.

Deploy the Passive Agent
  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit.
  3. Right-click the Group Policy Object and select Edit to display the GPO Editor pane.
  4. Click User Configuration > Policies >Windows > Settings Scripts (Logon/Logoff) to display the Logon and Logoff script configurations.
  5. Double click Logon for Logon Properties.
  6. Click Add and then browse to the location of FortiNAC_Passive_Agent.exe.
  7. Select FortiNAC_Passive_Agent.exe to add it to the Script Name field.
  8. Enter -logon in the Script Parameters field.
  9. Click OK.

To ensure the user is logged off the host upon logging out, do the following:

  1. Follow steps 1-4, and then double-click Logoff.
  2. Add FortiNAC_Passive_Agent.exe to to the Script Name field, and then enter -logoff in the Script Parameter field.
  3. Click OK.