Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Persistent Agent Deployment and Configuration

    Home FortiNAC 9.2.0 Persistent Agent Deployment and Configuration
    9.2.0
    9.4.0
    9.2.0
    9.1.0
    8.8.0
    8.7.0
    8.6.0
    8.5.0
    8.3.0

    Appendix

    Appendix

    Persistent Agent Server Discovery Process

    The Persistent Agent communicates on the following ports:

    • Agent 3.x and 4.x: TCP 4568 and UDP 4567

    • Agent 5.x and later with NAC 8.1 and lower: TCP 4568 and UDP 4567

    • Agent 5.x and later with NAC 8.2 and later: TCP 4568 only

    • All versions: TCP 80 (required for upgrades)

    Discovery using SRV lookups (steps 2, 7 & 8) can be disabled in agent versions 5.3 and greater.

    The discovery process is as follows:

    1. The Persistent Agent starts.

    2. The agent checks DNS for SRV records of _bradfordagent._udp.example.com

      and _bradfordagent._tcp.example.com.

    3. The agent looks at the host registry (Windows) or preferences (OS X), or .conf (Linux).

    4. First it checks the entry for lastConnectedServer. If lastConnectedServer is set, it adds the server to the top of the list.**

    5. Then it checks the entry for HomeServer. If HomeServer is set, it adds it to a list.

    6. Then the agent checks the entry for AllowedServers. This entry contains a list of additional servers to which the agent can connect. It adds each of these servers to the list.

    7. If SRV records are returned, the agent processes them in reverse priority order (highest value first). If homeServer is not already set, the name contained in the SRV response is written to the host registry HKLM\Software\Bradford Networks\Client Security Agent (Windows) or preferences (OS X, Linux).*

    8. For each SRV record:

      1. If the name is not already in the list, and restrictRoaming is disabled, the agent adds the name to the top of the list and to the lastConnectedServer value.

      2. Otherwise, if the name is already in the list, the agent moves the name to the top of the list.

    9. Now that the list of servers is complete, the agent tries to connect to each server over SSL/TLS until it successfully connects to one. Unless security is disabled on the agent, this is done over SSL/TLS (requires valid certificate installed for the Persistent Agent Certificate Target).

    10. Once the agent has successfully connected to a server, that server will be set to the lastConnectedServer value, and moved to the top of the list.**

    11. Once a server has been added to the lastConnectedServer, if restrictRoaming is enabled, it will remain at the top of the list until that server is no longer reachable by the agent. At that point the list will be parsed until the agent connects to a server and then that server will be moved to lastConnectedServer and to the top of the list.**

    *Registry/preferences settings remain until one of the following occurs:

    • Entry is manually changed.

    • Agent is uninstalled.

    • Agent is updated.

    **Requires Agent Version 4.1.4 and higher.

    Note: If the agent cannot be configured through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.

    Previous
    Next

    Appendix

    Appendix

    Persistent Agent Server Discovery Process

    The Persistent Agent communicates on the following ports:

    • Agent 3.x and 4.x: TCP 4568 and UDP 4567

    • Agent 5.x and later with NAC 8.1 and lower: TCP 4568 and UDP 4567

    • Agent 5.x and later with NAC 8.2 and later: TCP 4568 only

    • All versions: TCP 80 (required for upgrades)

    Discovery using SRV lookups (steps 2, 7 & 8) can be disabled in agent versions 5.3 and greater.

    The discovery process is as follows:

    1. The Persistent Agent starts.

    2. The agent checks DNS for SRV records of _bradfordagent._udp.example.com

      and _bradfordagent._tcp.example.com.

    3. The agent looks at the host registry (Windows) or preferences (OS X), or .conf (Linux).

    4. First it checks the entry for lastConnectedServer. If lastConnectedServer is set, it adds the server to the top of the list.**

    5. Then it checks the entry for HomeServer. If HomeServer is set, it adds it to a list.

    6. Then the agent checks the entry for AllowedServers. This entry contains a list of additional servers to which the agent can connect. It adds each of these servers to the list.

    7. If SRV records are returned, the agent processes them in reverse priority order (highest value first). If homeServer is not already set, the name contained in the SRV response is written to the host registry HKLM\Software\Bradford Networks\Client Security Agent (Windows) or preferences (OS X, Linux).*

    8. For each SRV record:

      1. If the name is not already in the list, and restrictRoaming is disabled, the agent adds the name to the top of the list and to the lastConnectedServer value.

      2. Otherwise, if the name is already in the list, the agent moves the name to the top of the list.

    9. Now that the list of servers is complete, the agent tries to connect to each server over SSL/TLS until it successfully connects to one. Unless security is disabled on the agent, this is done over SSL/TLS (requires valid certificate installed for the Persistent Agent Certificate Target).

    10. Once the agent has successfully connected to a server, that server will be set to the lastConnectedServer value, and moved to the top of the list.**

    11. Once a server has been added to the lastConnectedServer, if restrictRoaming is enabled, it will remain at the top of the list until that server is no longer reachable by the agent. At that point the list will be parsed until the agent connects to a server and then that server will be moved to lastConnectedServer and to the top of the list.**

    *Registry/preferences settings remain until one of the following occurs:

    • Entry is manually changed.

    • Agent is uninstalled.

    • Agent is updated.

    **Requires Agent Version 4.1.4 and higher.

    Note: If the agent cannot be configured through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC server with which they should communicate.

    Previous
    Next