
Administration Guide

Dissolvable Agent


The Dissolvable Agent is an application that works on Windows, macOS, or Linux hosts to identify them to FortiNAC. The agent scans them for compliance with an endpoint compliance policy. The agent is downloaded and installed on the host and remains there until the host passes the scan. The agent then removes itself.

In a Windows environment, the Dissolvable Agent cannot perform some operations, such as releasing and renewing the IP address on the PC, unless the user has administrator privileges on the PC.

Setup requirements and options
  • Make sure the latest Dissolvable Agent package is installed on the FortiNAC server.
  • The Dissolvable Agent can be downloaded and installed by the user through the captive portal. The portal itself can be modified and personalized. Dissolvable Agent also has some settings in the portal under Agent > Dissolvable. See Portal configuration.
  • If you are using the Dissolvable Agent, the FortiNAC appliance must be configured with SSL and must have a valid third-party SSL certificate from a CA. A self-signed certificate cannot be used.
  • Dissolvable Agent discovers the server to which it should connect using DNS SRV records. If, for any reason, it cannot discover the server, the user is presented with an option to enter either the URL or the FQDN of the server. The URL field accepts an HTTPS address, an HTTP address, or the FQDN of the server, from which it creates an HTTPS address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection. Depending on your configuration, you may need to supply this information to users running the Dissolvable Agent.

Using the Dissolvable Agent

Note

The Persistent Agent only works with the FortiNAC Control Server and FortiNAC Application Server pair or the FortiNAC Server. If the FortiNAC Control Server is not paired with the FortiNAC Application Server, the Dissolvable Agent must be used.

If you have chosen to use the Dissolvable Agent to scan Windows or macOS systems, the Dissolvable Agent is downloaded to the host. Once the Dissolvable Agent runs and the host has successfully passed the scan, the agent is removed from the host.

In a Windows environment, the Dissolvable Agent cannot perform some operations, such as releasing and renewing the IP address on the PC, unless the user has administrator privileges on the PC.

Registration

When an unknown host connects to the network and attempts to access the Internet, an entry in the DNS server redirects the host to the Login page for registration.

During registration, FortiNAC determines which endpoint compliance policy should be applied to this host based on the user/host profile that the connecting user and host match.

Endpoint compliance policies contain a series of requirements for hosts that want to access the network. Endpoint compliance policies contain scans that are configured by the Administrator and are run by the Agent. Policy requirements can include scans for specific antivirus, operating system version, and custom scans. Custom scans are created by the Administrator and allow the Administrator to scan for the existence of things such as a specific file, a registry entry, an installer package, a specific process, or a domain.

The endpoint compliance policy determines which agent is made available to the user for download, such as Dissolvable Agent or Persistent Agent.

Hosts connecting to the network will go through the process outlined below:

  1. User connects to the network and is placed in registration. The registration web page is displayed.
  2. User downloads the Dissolvable Agent to the default downloads location for the operating system.
  3. Run the downloaded file and install it on the device.
  4. After the Dissolvable Agent is installed, run the program. An Agent window is displayed and remains on the screen until the user closes it.
  5. The Dissolvable Agent uses the DNS SRV records to locate the appropriate FortiNAC server.
  6. If the Dissolvable Agent cannot locate the server, a message is displayed asking for the URL of the server. The user is presented with an option to enter either the URL or the FQDN of the server. The URL field accepts an HTTPS address, an HTTP address, or the FQDN of the server, from which it creates an HTTPS address. If an HTTP address is used, a warning is displayed asking the user to confirm that they wish to access the server over an insecure connection.
  7. The Agent window displays the results of the scan.
  8. If the host fails the scan, Rescan is displayed, allowing the user to rescan after correcting any issues.
  9. When the host passes the scan, the user closes the Agent window and the Dissolvable Agent dissolves.
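
The manual-entry rule in step 6 and the CA-signed certificate requirement under Setup requirements can be checked before a server address is handed to users. The sketch below is an added example, not FortiNAC or agent code: `normalize_server_entry` models the documented URL/FQDN handling, `certificate_problem` validates the certificate against the trust store of the machine running the check (an assumption; the agent's own trust store may differ), and `nac.example.com` is a placeholder.

```python
import socket
import ssl
from urllib.parse import urlsplit


def normalize_server_entry(entry):
    """Return (url, needs_insecure_confirmation) for a user-typed server value.

    Models the documented rule: an HTTPS URL is accepted, a bare FQDN is
    turned into an HTTPS URL, and an HTTP URL is accepted only with a warning.
    """
    value = entry.strip()
    # A value without a scheme is treated as an FQDN and upgraded to HTTPS.
    candidate = value if "://" in value else "https://" + value
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "http") or not parts.hostname:
        raise ValueError("expected an HTTPS URL, an HTTP URL or an FQDN: %r" % entry)
    url = "%s://%s%s" % (scheme, parts.netloc.lower(), parts.path)
    return url, scheme == "http"


def certificate_problem(host, port=443, timeout=5.0):
    """Return None if the server's certificate chains to a trusted CA and
    matches the hostname, otherwise the verification error text.

    A self-signed certificate is reported here. Connection errors (DNS,
    refused, timeout) are not certificate problems and propagate to the caller.
    """
    context = ssl.create_default_context()  # chain and hostname checks enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message


if __name__ == "__main__":
    # Constructed sample inputs; nac.example.com is a placeholder hostname.
    for typed in ("nac.example.com", "https://nac.example.com",
                  "http://nac.example.com"):
        url, insecure = normalize_server_entry(typed)
        note = "insecure: user must confirm the warning" if insecure else "ok"
        print("%-28s -> %-28s %s" % (typed, url, note))
```

Run `certificate_problem` from a host that can reach the appliance; any non-`None` result means the certificate would not satisfy the CA-signed requirement as seen from that host.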
