Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiNAC Manager

    Home FortiNAC 9.4.0 FortiNAC Manager
    9.4.0
    9.4.0
    9.2.0
    9.1.0

    Agent server communications

    Agent server communications

    The sections below provide instructions for securing communications between the agent and the FortiNAC Manager server with a trusted SSL certificate, setting up communication between the agent and the server, and the host registry settings or preferences that can be modified to customize Persistent Agent behavior.

    Implementation

    Update FortiNAC Manager

    Requires FortiNAC Manager version 5.3.3 or higher to enable security.

    You must have the latest Auto-Definition files installed. See Auto-definition updates.

    Certificates

    You must have a separate certificate for each FortiNAC Manager server that runs the captive portal, such as the FortiNAC Manager Application server or the stand-alone FortiNAC Manager Server.

    Certificates must be from a trusted certificate authority (CA), such as VeriSign, Thawte, or GeoTrust.

    Self-signed certificates are not recommended. If you use a self-signed certificate, end users will receive constant pop-up warnings indicating that the site is not secure and asking them to confirm that they wish to continue. In addition, the Mobile Agent absolutely require a certificate from a trusted CA. The Mobile Agent cannot communicate with FortiNAC Manager when Self-signed certificates are used.

    If you already have a certificate that you are using to secure your portal, you can import that certificate into the FortiNAC Manager server configuration and use it for both the portal and agent/server communications.

    If you do not have a certificate for your portal, generate a certificate request and purchase a certificate. When the certificate is returned, import that certificate into the FortiNAC Manager server configuration and use it for both the portal and agent/server communications.

    Persistent Agent, Dissolvable Agent, and the Mobile Agent require the use of a certificate.

    The 3.x Persistent Agent communication method requires not only SSL certificates be installed for the Persistent Agent target in FortiNAC Manager, but also the root certificate be installed on the endstation hosting the agent. The Persistent Agent reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this store, the Persistent Agent will not trust the connection to FortiNAC Manager and will not communicate.

    FortiNAC Manager does not push root certificates to endstations. Root certificates come pre-installed with the host's operating system. Any additions or updates to root certificates are distributed via the host's OS updates.

    For instructions on generating and installing SSL certificates, see the document entitled FortiNAC Manager SSL Certificates How To.

    DNS server configuration

    If you use agents for macOS and some Linux systems, using a .local suffix in Domain fields in the Configuration Wizard may cause communications issues.

    Example:

    Incorrect DNS suffix for reg: tech-reg.megatech.local

    Correct DNS suffix for reg: tech.megatech-reg.edu

    • On upgrade to V6.0 or higher, SRV records indicating the port and FQDN of the FortiNAC Manager appliance where the portal is located are automatically added to the domain.zone.* files for named. These files are created by the Configuration Wizard, which can also add the SRV records to the domain.zone.* files during the initial appliance configuration.
    • If you are unable to configure the agent through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC Manager server with which they should communicate.

    • Any references to the FortiNAC Manager server's FQDN in DNS must match the name in the certificate used to secure the portal.

      See DNS server configuration and Agent server discovery.

    Server configuration
    Note

    If the time on FortiNAC Manager is inaccurate and is updated after Agent Security is enabled, Agents may ignore packets received from the server until the agent is restarted because the new timestamp deviates significantly from previous timestamps.

    Make sure that the server is configured to use NTP for time synchronization. Go to System > Settings > System Management > NTP and Time Zone to configure the NTP server. This is typically set during installation.

    Host configuration
    • Host machines should not have the FQDN of the FortiNAC Manager Server or Application Server in the hosts file on the hard drive. Typically network users would not have this information in their hosts file. However, administrator users may have the FQDN in their hosts file to accommodate accessing java applets. Modify the hosts file to use the short name, such as qa233 instead of qa233.example.com. If a host has the FQDN in its hosts file, the Persistent Agent cannot communicate with the FortiNAC Manager Server or Application Server and cannot register the host.
    • For Windows hosts, download and configure Administrative Templates for Group Policy Objects to update the registry on each host with values that pertain to agent security.
    • For macOS hosts, update Preferences to provide security values to the agent.

    See Persistent Agent on Windows.

    Previous
    Next

    Agent server communications

    Agent server communications

    The sections below provide instructions for securing communications between the agent and the FortiNAC Manager server with a trusted SSL certificate, setting up communication between the agent and the server, and the host registry settings or preferences that can be modified to customize Persistent Agent behavior.

    Implementation

    Update FortiNAC Manager

    Requires FortiNAC Manager version 5.3.3 or higher to enable security.

    You must have the latest Auto-Definition files installed. See Auto-definition updates.

    Certificates

    You must have a separate certificate for each FortiNAC Manager server that runs the captive portal, such as the FortiNAC Manager Application server or the stand-alone FortiNAC Manager Server.

    Certificates must be from a trusted certificate authority (CA), such as VeriSign, Thawte, or GeoTrust.

    Self-signed certificates are not recommended. If you use a self-signed certificate, end users will receive constant pop-up warnings indicating that the site is not secure and asking them to confirm that they wish to continue. In addition, the Mobile Agent absolutely require a certificate from a trusted CA. The Mobile Agent cannot communicate with FortiNAC Manager when Self-signed certificates are used.

    If you already have a certificate that you are using to secure your portal, you can import that certificate into the FortiNAC Manager server configuration and use it for both the portal and agent/server communications.

    If you do not have a certificate for your portal, generate a certificate request and purchase a certificate. When the certificate is returned, import that certificate into the FortiNAC Manager server configuration and use it for both the portal and agent/server communications.

    Persistent Agent, Dissolvable Agent, and the Mobile Agent require the use of a certificate.

    The 3.x Persistent Agent communication method requires not only SSL certificates be installed for the Persistent Agent target in FortiNAC Manager, but also the root certificate be installed on the endstation hosting the agent. The Persistent Agent reads all certificates from the trusted root certification authorities store of the system account. If the CA is not listed in this store, the Persistent Agent will not trust the connection to FortiNAC Manager and will not communicate.

    FortiNAC Manager does not push root certificates to endstations. Root certificates come pre-installed with the host's operating system. Any additions or updates to root certificates are distributed via the host's OS updates.

    For instructions on generating and installing SSL certificates, see the document entitled FortiNAC Manager SSL Certificates How To.

    DNS server configuration

    If you use agents for macOS and some Linux systems, using a .local suffix in Domain fields in the Configuration Wizard may cause communications issues.

    Example:

    Incorrect DNS suffix for reg: tech-reg.megatech.local

    Correct DNS suffix for reg: tech.megatech-reg.edu

    • On upgrade to V6.0 or higher, SRV records indicating the port and FQDN of the FortiNAC Manager appliance where the portal is located are automatically added to the domain.zone.* files for named. These files are created by the Configuration Wizard, which can also add the SRV records to the domain.zone.* files during the initial appliance configuration.
    • If you are unable to configure the agent through Agent Configuration, the same SRV records may be added to the corporate production DNS servers. Agents can then query the DNS servers to determine the FortiNAC Manager server with which they should communicate.

    • Any references to the FortiNAC Manager server's FQDN in DNS must match the name in the certificate used to secure the portal.

      See DNS server configuration and Agent server discovery.

    Server configuration
    Note

    If the time on FortiNAC Manager is inaccurate and is updated after Agent Security is enabled, Agents may ignore packets received from the server until the agent is restarted because the new timestamp deviates significantly from previous timestamps.

    Make sure that the server is configured to use NTP for time synchronization. Go to System > Settings > System Management > NTP and Time Zone to configure the NTP server. This is typically set during installation.

    Host configuration
    • Host machines should not have the FQDN of the FortiNAC Manager Server or Application Server in the hosts file on the hard drive. Typically network users would not have this information in their hosts file. However, administrator users may have the FQDN in their hosts file to accommodate accessing java applets. Modify the hosts file to use the short name, such as qa233 instead of qa233.example.com. If a host has the FQDN in its hosts file, the Persistent Agent cannot communicate with the FortiNAC Manager Server or Application Server and cannot register the host.
    • For Windows hosts, download and configure Administrative Templates for Group Policy Objects to update the registry on each host with values that pertain to agent security.
    • For macOS hosts, update Preferences to provide security values to the agent.

    See Persistent Agent on Windows.

    Previous
    Next