7.2.0

Use Case 2: Agent Distributed Via Software Management (DNS Sub Domains)

The above example shows three locations:

  • Server 1P Application Server and Server 1S Application Server in a High Availability pair at Location A.

  • Server 2 Application Server at Location B.

  • Server 3 Application Server at Location C.

  • Production domain server with SRV records for locations A, B and C.

  • There are no ACLs configured between sites to block agent traffic.

Use Case 2 Requirements

  • Single software image will be pushed to locations A & B.

  • Agent communications allowed with Locations A & B only.

  • One SSL Certificate will be used for all FortiNAC appliances.

Use Case 2 Recommended Settings and Configurations

Persistent Agent Settings Configured via Software

  Setting                                        Value
  Security                                       enabled
  Allowed Servers                                Server1P.a.domain.com
                                                 Server1S.b.domain.com
                                                 Server2.c.domain.com
  Restrict Roaming                               Enabled
  Login Dialog                                   disabled
  System Tray Icon                               disabled

FortiNAC Settings

  Setting                                        Value
  "Require Connected Adapter" Feature            enabled
  Certificate Type for Persistent Agent Target   SAN or wildcard Certificate

Use Case 2 Scenarios: Persistent Agent Discovery - Host Connects to Location A

  Last Connected Server   SRV Records Received   Home Server (Default Location)   Allowed Servers
  (none)                  1P                     (none)                           Server1P
                          1S                                                      Server1S
                                                                                  Server2

Server Connection List Order:

  1. Server1P (SRV and Allowed Servers List)

  2. Server1S (SRV and Allowed Servers List)

  3. Server2 (Next in Allowed Servers List)

Since SRV records were received for 1P and 1S, and both are in the Allowed Servers list, they are prioritized. Because the Last Connected Server and Home Server entries are both empty, the agent then proceeds to attempt connection in Allowed Servers list order.

Resulting behavior:

  1. Agent attempts to communicate with Server1P. Server1P is active and sees the host online so it responds.

  2. Both the Last Connected Server and Home Server entries are populated with Server1P.

  Last Connected Server   Home Server (Default Location)   Allowed Servers
  Server1P                Server1P                         Server1P
                                                           Server1S
                                                           Server2

The next time the agent attempts to communicate, unless the agent receives a DNS record from a different server in the list, the agent will try to connect to the Last Connected Server first.

Use Case 2 Scenarios: Persistent Agent Discovery Roams from Location A to B

  Last Connected Server   SRV Records Received   Home Server (Default Location)   Allowed Servers
  Server1P                Server2                Server1P                         Server1P
                                                                                  Server1S
                                                                                  Server2

Server Connection List Order:

  1. Server2 (SRV and in Allowed Servers List)

  2. Server1P (Last Connected Server and Home Server)

  3. Server1S (Next in Allowed Servers List)

Resulting behavior:

  1. Agent attempts to communicate with Server2. Server2 is active and sees the host online so it responds.

  2. The Last Connected Server entry is updated to Server2.

  Last Connected Server   Home Server (Default Location)   Allowed Servers
  Server2                 Server1P                         Server1P
                                                           Server1S
                                                           Server2

The next time the agent attempts to communicate, unless the agent receives a DNS record from a different server in the list, the agent will try to connect to the Last Connected Server first.

Use Case 2 Scenarios: Persistent Agent Discovery Roams from Location B to C

  Last Connected Server   SRV Records Received   Home Server (Default Location)   Allowed Servers
  Server2                 Server3                Server1P                         Server1P
                                                                                  Server1S
                                                                                  Server2

An SRV record was received for Server3, but Server3 is not in the Allowed Servers list. Since Restrict Roaming is enabled, the agent will not attempt to connect to Server3.

Server Connection List Order:

  1. Server2 (Last Connected Server)

  2. Server1P (Home Server and first in Allowed Servers List)

  3. Server1S (Next in Allowed Servers List)

Resulting behavior:

  1. Agent attempts to communicate with Server2. Server2 sees the host offline, so it directs the agent to try the next server.

  2. Agent attempts to communicate with Server1P. Server1P sees the host offline, so it directs the agent to try the next server.

  3. Agent attempts to communicate with Server1S. Server1S is in standby and does not respond.
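The selection rules that the three scenarios above walk through, as an added Python model (this is not FortiNAC code; the precedence order and the rule that Home Server is set only on the first successful connection are inferred from the scenario tables, and the per-server status values are constructed for illustration):

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AgentState:
    """Persistent Agent discovery state as the page's tables present it."""
    allowed: list[str]                 # Allowed Servers, in configured order
    last_connected: Optional[str] = None
    home: Optional[str] = None         # Home Server (Default Location)
    restrict_roaming: bool = True      # the setting this use case recommends


def connection_order(state: AgentState, srv_records: list[str]) -> list[str]:
    """Build the Server Connection List Order for one discovery attempt.

    Precedence inferred from the three scenarios: SRV-advertised servers that
    pass the allowlist, then Last Connected Server, then Home Server, then the
    remaining Allowed Servers in configured order. Duplicates keep their first
    (highest-priority) position.
    """
    if state.restrict_roaming:
        # Server3's SRV record is dropped here: a DNS answer alone cannot
        # steer the agent to a server outside Allowed Servers.
        srv = [s for s in srv_records if s in state.allowed]
    else:
        # Assumption: the page only documents the Restrict Roaming enabled case.
        srv = list(srv_records)
    order: list[str] = []
    for server in srv + [state.last_connected, state.home] + state.allowed:
        if server and server not in order:
            order.append(server)
    return order


def discover(state: AgentState, srv_records: list[str],
             status: dict[str, str]) -> Optional[str]:
    """Walk the list until a server responds and update state as described.

    status maps a server to 'online' (responds), 'offline' (host not seen,
    agent is told to try the next server) or 'standby' (no response).
    """
    for server in connection_order(state, srv_records):
        if status.get(server) == "online":
            state.last_connected = server
            if state.home is None:     # Home Server is set once, on first success
                state.home = server
            return server
    return None                        # every server declined or stayed silent
```

Running the three scenarios in sequence against one AgentState reproduces the tables: Server1P, then Server2, then no connection when Server3 is filtered and the allowed servers are offline or in standby.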
