Persistent Agent on Windows
To take advantage of the Agent Security feature some settings must be configured on the host. Settings for Windows hosts are configured in the registry. Settings for Mac OS X hosts are configured in Preferences.
Administrative templates are used to configure registry settings on Windows endpoints through Group Policy Objects. These templates can be downloaded from the Agent Distribution view in FortiNAC. Customers can instead edit the registry settings on hosts with another tool of their choice.
Requirements:
- Active Directory
- Group Policy Objects
- Template Files From
Templates:
The template listed below is provided by Fortinet. You must run the installation program for the template on your Windows server or another Windows system and then copy the resulting files to your server.
Bradford Networks Administrative Templates-x64.msi
Install ADMX template
- In FortiNAC select System > Settings > Updates > Agent Packages.
- At the top of the Agent Distribution window click "Download Administrative Templates for Windows Server" to download the template file.
- Copy the template file to the domain server or another Windows system with access to the Central Store or local PolicyDefinitions directory.
- On the Windows system, double-click the msi file to start the installation wizard.
- Click through the installation wizard.
- Browse to Program Files\Bradford Networks\Administrative Templates\admx.
- Copy the Bradford Networks.admx file and the en-US directory to the PolicyDefinitions directory of your central store.
- Open the Group Policy Editor and navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Browse to Computer Configuration > Administrative Templates > Bradford Networks.
Install GPO template
- In FortiNAC select Policy > Agent Distribution.
- At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
- Copy the template file to the domain server.
- On the domain server, double-click the msi file to start the installation wizard.
- Click through the installation wizard. At the end, the Microsoft Group Policy Management Console will be launched, if available.
- Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show the current templates pop-up.
- Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
- Select Bradford Persistent Agent.adm and click Open.
- Click Close, and the administrative templates will be imported into the GPO.
Install an updated template
Occasionally new templates are made available to incorporate additional features. If you already have a Fortinet Administrative Template installed but it does not have Balloon Notifications enabled, follow the instructions below to update it. If you do have Balloon Notifications enabled, see Agent packages for instructions on installing an updated template.
- On your Windows server open the Group Policy Management Tool.
- Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show the current templates pop-up.
- Select the old template and click Remove. Follow the instructions above to install the new template.
Persistent Agent settings
The table below outlines settings that can be configured for the Persistent Agent.
Setting | Description
---|---
Allowed Ciphers and Authentication Schemes | Indicates the cipher and authentication schemes that can be used.
CA Trust Length/Depth | Indicates how deep a chain of certificates to allow between the server's certificate and the certificate's Certificate Authority.
CA File Path | The absolute path to a file containing root and intermediate CA certificates in PEM format.
Security | Indicates whether security is enabled or disabled. Note: This option is no longer available with agent 5.3 and greater. Security is always enabled.
Home Server | The fully qualified hostname of the default server with which the agent should communicate. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP.
Allowed Servers | In large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Server or FortiNAC Servers with which the agent can communicate.
Restrict Roaming | If enabled, the agent communicates only with its Home Server and the servers listed under Allowed Servers. If disabled, the agent searches for additional servers when the home server is unavailable.
maxConnectInterval | The maximum number of seconds between attempts to connect to FortiNAC. Data Type: Integer. Default: 960.
Last Connected Server | The server that the agent last connected to and with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery.
Discover Servers, Priority, and Ports | Enable or disable the Agent Discovery features. Requires Persistent Agent 5.3.0 or newer.

Refer to the Registry Keys section in Administrative templates for GPO for more information about the registry keys that correspond to the Persistent Agent settings.
Registry keys
The table below shows the host's registry keys that are not modified by the Group Policy Object. These keys can be set manually.
Key | Value | Data
---|---|---
Persistent Agent | |
HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note) | ServerIP | The fully qualified hostname with which the agent should communicate. Data Type: String. Default: ns8200.
HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note) | ClientStateEnabled | 0: Do not show balloon notifications on status changes. 1: Show balloon notifications on status changes. Data Type: DWORD. Default: 1.
HKLM\Software\Bradford Networks\Client Security Agent | ShowIcon | 0: Do not show the tray icon. 1: Show the tray icon. Data Type: DWORD. Default: Not Configured (tray icon displayed).
HKLM\Software\Bradford (for 64-bit operating systems see Note) | allowedServers | Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com). Data Type: String. Default: Empty.
HKLM\Software\Bradford | homeServer | The fully qualified hostname of the default server with which the agent should communicate. Data Type: String. Default: Empty.
HKLM\Software\Bradford | restrictRoaming | 0: Do not restrict roaming; allow the agent to communicate with any server. 1: Restrict roaming to the home server and the allowed servers list. Data Type: Integer. Default: 0.
HKLM\Software\Bradford | securityEnabled | 0: Disable Agent Security. 1: Enable Agent Security. Data Type: Integer. Default: 1. Agent 5.3 and greater: Security is always enabled.
HKLM\Software\Bradford | ServerIP | The fully qualified hostname with which the agent should communicate. Data Type: String. Default: ns8200.
HKLM\Software\Bradford (for 64-bit operating systems see Note) | maxConnectInterval | The maximum number of seconds between attempts to connect to FortiNAC. Data Type: Integer. Default: 960.
HKLM\Software\Bradford Networks\Client Security Agent (for 64-bit operating systems see Note) | lastConnectedServer | The last server that the agent successfully connected to. This is automatically populated by the agent upon successful connection to a server discovered through SRV records, or from homeServer, or from the allowedServers list. This value remains unchanged until the lastConnectedServer is unreachable by the agent and the agent has connected to another server. Data Type: String. Default: Empty.
HKLM\Software\Bradford Networks\Client Security Agent, HKLM\Software\wow6432node | discoveryEnabled | Enable or disable Discovery via SRV. The agent will search for SRV records to prioritize servers and override default ports. If connections to servers are not limited, agents will also connect to the discovered server names. 0: Disable Discovery. 1: Enable Discovery. Data Type: DWORD. Default: 1.

Note: On 64-bit operating systems in RegEdit, these registry values will appear in the following key:

Disabling the tray icon via the registry requires the Persistent Agent.

Individual User keys are required only when the user's settings differ from those for a group of users. Typically, keys are set based on a group of users who have a common Policy using the HKLM\Software\Bradford Networks\Client Security Agent key shown in the table.
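The following PowerShell audit is an added example, not part of the FortiNAC documentation or the agent itself: it reads the server-pinning values from the table above (homeServer, allowedServers, restrictRoaming, securityEnabled) and reports settings that leave the agent free to talk to servers policy did not list. The Wow6432Node path used for 64-bit hosts is an assumption based on the 64-bit note above, not a path the page states.

```powershell
# Added audit example (not from the FortiNAC docs). Reads the Persistent Agent
# values from the table above and flags settings that weaken server pinning.
# Assumption: on 64-bit hosts the values live under Wow6432Node\Bradford Networks.
$candidatePaths = @(
    'HKLM:\Software\Bradford Networks\Client Security Agent',
    'HKLM:\Software\Wow6432Node\Bradford Networks\Client Security Agent'
)
function Get-PersistentAgentConfig {
    # Return the values under the first candidate key that exists, or $null.
    foreach ($path in $candidatePaths) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path
            return @{
                Path            = $path
                homeServer      = $item.homeServer
                allowedServers  = $item.allowedServers
                restrictRoaming = $item.restrictRoaming
                securityEnabled = $item.securityEnabled
            }
        }
    }
    return $null
}
function Test-PersistentAgentConfig {
    param([hashtable]$cfg)
    if (-not $cfg) { return @('Persistent Agent key not found under either path') }
    $findings = @()
    # securityEnabled is honoured only by agents older than 5.3; flag it if present and 0.
    if ($null -ne $cfg.securityEnabled -and [int]$cfg.securityEnabled -ne 1) {
        $findings += 'securityEnabled is 0: Agent Security disabled on pre-5.3 agents'
    }
    # With restrictRoaming at 0 (the default) the agent may talk to any discovered server.
    if ([int]$cfg.restrictRoaming -ne 1) {
        $findings += 'restrictRoaming is not 1: agent is not limited to homeServer/allowedServers'
    }
    if ([string]::IsNullOrWhiteSpace($cfg.homeServer)) {
        $findings += 'homeServer is empty: server is chosen by discovery rather than by policy'
    }
    # allowedServers must hold fully qualified hostnames, not bare names or IP addresses.
    $servers = ($cfg.allowedServers -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($srv in $servers) {
        if ($srv -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' -or $srv -match '^\d{1,3}(\.\d{1,3}){3}$') {
            $findings += "allowedServers entry '$srv' is not a fully qualified hostname"
        }
    }
    return $findings
}
$config = Get-PersistentAgentConfig
Test-PersistentAgentConfig -cfg $config | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it in an elevated PowerShell session on a managed host; an empty result means the pinning values match what the GPO is expected to deliver.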