
Administration Guide

Persistent Agent on Windows

To take advantage of the Agent Security feature, some settings must be configured on the host. Settings for Windows hosts are configured in the registry. Settings for Mac OS X hosts are configured in Preferences.

Administrative templates are used to configure registry settings on Windows endpoints through Group Policy Objects. These templates can be downloaded from the Agent Distribution view in FortiNAC. Customers can opt to edit registry settings on hosts using another tool.

Requirements:
  • Active Directory
  • Group Policy Objects
  • Template files (see Templates below)

Templates:

The templates listed below are provided by Fortinet. You must run the installation program for the templates on your Windows server or another Windows system and then copy files to your server. Be sure to select the appropriate MSI for your architecture.

  • 32-bit (x86): Bradford Networks Administrative Templates.msi
  • 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi

Install ADMX template

  1. In FortiNAC select Policy > Agent Distribution.
  2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
  3. Copy the template file to the domain server or another Windows system with access to the Central Store or local PolicyDefinitions directory.
  4. On the Windows system, double-click the msi file to start the installation wizard.
  5. Click through the installation wizard.
  6. Browse to Program Files\Bradford Networks\Administrative Templates\admx.
  7. Copy the Bradford Networks.admx file and the en-US directory to the PolicyDefinitions directory of your central store.
  8. Open the Group Policy Editor and navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  9. Browse to Computer Configuration > Administrative Templates > Bradford Networks.

Install GPO template

  1. In FortiNAC select Policy > Agent Distribution.
  2. At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
  3. Copy the template file to the domain server.
  4. On the domain server, double-click the msi file to start the installation wizard.
  5. Click through the installation wizard. At the end, the Microsoft Group Policy Management Console will be launched, if available.
  6. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  7. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show the current templates pop-up.
  8. Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
  9. Select Bradford Persistent Agent.adm and click Open.
  10. Click Close, and the administrative templates will be imported into the GPO.

Install an updated template

Occasionally new templates are made available to incorporate additional features. If you already have a Fortinet Administrative Template installed but it does not have Balloon Notifications enabled, follow the instructions below to update it. If you do have Balloon Notifications enabled, see Agent packages for instructions on installing an updated template.

  1. On your Windows server open the Group Policy Management Tool.
  2. Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
  3. Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show the current templates pop-up.
  4. Select the old template and click Remove. Follow the instructions above to install the new template.

Persistent Agent settings

The table below outlines settings that can be configured for the Persistent Agent.

Allowed Ciphers and Authentication Schemes
  The cipher and authentication schemes that can be used.

CA Trust Length/Depth
  How deep a chain of certificates to allow between the server's certificate and its Certificate Authority (CA).

CA File path
  The absolute path to a file containing root and intermediate CA certificates in PEM format.

Security
  Indicates whether security is enabled or disabled.
  Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.

Home Server
  The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.

Allowed Servers
  In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate.

Restrict Roaming
  If enabled, the agent communicates only with its Home Server and the servers listed under Allowed Servers.
  If disabled, the agent searches for additional servers when the home server is unavailable.

maxConnectInterval
  The maximum number of seconds between attempts to connect to FortiNAC.
  Data Type: Integer
  Default: 960

Last Connected Server
  The server that the agent last connected to and with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.

Discover Servers, Priority, and Ports
  Enable or disable the Agent Discovery features. Requires Persistent Agent 5.3.0 or newer.

Note

Refer to the Registry Keys section in Administrative templates for GPO for more information about the registry keys that correspond to the Persistent Agent settings.

Registry keys

The table below shows the host's registry keys that are not modified by the Group Policy Object. These keys can be set manually.

Persistent Agent

ServerIP
  Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems, see Note)
  Data: The fully qualified hostname with which the agent should communicate.
  Data Type: String
  Default: ns8200

ClientStateEnabled
  Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems, see Note)
  Data:
    0: Do not show balloon notifications on status changes.
    1: Show balloon notifications on status changes.
  Data Type: DWORD
  Default: 1

ShowIcon
  Key: HKLM\Software\Bradford Networks\Client Security Agent
  Data:
    0: Do not show the tray icon.
    1: Show the tray icon.
  Data Type: DWORD
  Default: Not Configured (tray icon displayed)

allowedServers
  Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems, see Note)
  Data: Comma-separated list of fully qualified hostnames with which the agent can communicate (for example, a.example.com, b.example.com, c.example.com). If restrictRoaming is enabled, the agent is limited to this list. The home server does not need to be included in this list.
  Data Type: String
  Default: Empty

homeServer
  Key: HKLM\Software\Bradford Networks\Client Security Agent
  Data: The fully qualified hostname of the default server with which the agent should communicate.
  Data Type: String
  Default: Empty

restrictRoaming
  Key: HKLM\Software\Bradford Networks\Client Security Agent
  Data:
    0: Do not restrict roaming. Allow the agent to communicate with any server.
    1: Restrict roaming to the home server and the allowedServers list.
  Data Type: Integer
  Default: 0

securityEnabled
  Key: HKLM\Software\Bradford Networks\Client Security Agent
  Data:
    0: Disable Agent Security.
    1: Enable Agent Security.
    Agent 5.3 and greater: Security is always enabled.
  Data Type: Integer
  Default: 1
maxConnectInterval
  Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems, see Note)
  Data: The maximum number of seconds between attempts to connect to FortiNAC.
  Data Type: Integer
  Default: 960

lastConnectedServer
  Key: HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems, see Note)
  Data: The last server to which the agent successfully connected. The agent populates this value automatically upon successful connection to a server discovered through SRV records, or taken from homeServer or the allowedServers list. The value remains unchanged until lastConnectedServer is unreachable and the agent has connected to another server.
  Data Type: String
  Default: Empty

discoveryEnabled
  Key: HKLM\Software\Bradford Networks\Client Security Agent (on 64-bit operating systems: HKLM\Software\wow6432node)
  Data: Enable or disable discovery via SRV records. The agent searches for SRV records to prioritize servers and override default ports. If connections to servers are not limited, agents also connect to the discovered server names.
    0: Disable Discovery.
    1: Enable Discovery.
  Data Type: Integer
  Default: 1

Note

On 64-bit operating systems in RegEdit, these registry values will appear in the following key: HKLM\Software\wow6432node

Note

Disabling the tray icon via the registry requires the Persistent Agent.

Note

Individual User keys are required only when the user’s settings differ from those for a group of users. Typically, keys are set based on a group of users who have a common Policy using the HKLM\Software\Bradford Networks\Client Security Agent key shown in the table.
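As an added audit example (not Fortinet's code and not part of the guide), the PowerShell script below reads the Persistent Agent registry values listed in the table, applies the documented defaults when a value is absent, and reports roaming and trust settings an administrator would want to verify before relying on Agent Security. It assumes the agent key sits at HKLM:\SOFTWARE\Bradford Networks\Client Security Agent, or under WOW6432Node on 64-bit Windows as the Note indicates, and that the expected FortiNAC server names (constructed sample values here) are supplied by the administrator.

```powershell
# Added example (not Fortinet's code): audit the Persistent Agent registry values
# described in the table and flag roaming and trust settings worth verifying.
# Assumptions: a 32-bit agent's values are redirected to the WOW6432Node key on
# 64-bit Windows (the page names only HKLM\Software\wow6432node), and the list of
# expected FortiNAC server names is supplied by the administrator.
param(
    # Servers the agent is expected to trust (constructed sample values).
    [string[]]$ExpectedServers = @('nac-a.example.com', 'nac-b.example.com')
)

$paths = @(
    'HKLM:\SOFTWARE\Bradford Networks\Client Security Agent',
    'HKLM:\SOFTWARE\WOW6432Node\Bradford Networks\Client Security Agent'  # assumed 64-bit location
)
$keyPath = $paths | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { Write-Error 'Persistent Agent registry key not found'; exit 1 }

$v = Get-ItemProperty -Path $keyPath
$findings = New-Object System.Collections.Generic.List[string]

# Read a value by name, falling back to the default documented in the table.
function Get-Setting([string]$Name, $Default) {
    if ($null -ne $v.$Name) { $v.$Name } else { $Default }
}

$restrictRoaming  = [int](Get-Setting 'restrictRoaming' 0)
$discoveryEnabled = [int](Get-Setting 'discoveryEnabled' 1)
$securityEnabled  = [int](Get-Setting 'securityEnabled' 1)
$homeServer       = [string](Get-Setting 'homeServer' '')
$lastConnected    = [string](Get-Setting 'lastConnectedServer' '')
$allowed = @([string](Get-Setting 'allowedServers' '') -split ',' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

# restrictRoaming=0 lets the agent talk to any FortiNAC server it finds,
# including names learned through SRV discovery when discoveryEnabled=1.
if ($restrictRoaming -eq 0) {
    $findings.Add('restrictRoaming is 0: agent may communicate with any server')
    if ($discoveryEnabled -eq 1) {
        $findings.Add('discoveryEnabled is 1: SRV-discovered server names are accepted')
    }
}
# restrictRoaming=1 with neither homeServer nor allowedServers leaves nothing to connect to.
if ($restrictRoaming -eq 1 -and -not $homeServer -and $allowed.Count -eq 0) {
    $findings.Add('restrictRoaming is 1 but homeServer and allowedServers are both empty')
}
# Any configured or last-used server name outside the expected list is configuration drift.
foreach ($s in (@($homeServer, $lastConnected) + $allowed | Where-Object { $_ } | Sort-Object -Unique)) {
    if ($ExpectedServers -notcontains $s) { $findings.Add("unexpected server name: $s") }
}
# securityEnabled only applies before agent 5.3; still report it if explicitly off.
if ($securityEnabled -eq 0) { $findings.Add('securityEnabled is 0 (pre-5.3 agents only)') }

"Key audited: $keyPath"
if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the endpoint; because it only reads the key, it is safe to schedule as a compliance check alongside the GPO that sets these values.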