Scenario

I've built a small lab with some Windows machines, Active Directory, FortiGate and FSSO:

  • Win 2012 R2 as DC + DC Agent installed (v5.0.0256)
  • Win 2012 R2 + Collector installed (v5.0.0256)
  • Win 10 as a client
  • FortiGate v5.4.5 configured for FSSO, Agent Polling mode, HA pair

Case

Upgrade FortiGate to v6.2.0

Issue

Based on the FortiOS v6.2.0 Release Notes, the minimum required FSSO version is v5.0.0276:

5.0 build 0276 and later (needed for FSSO agent support OU in group filters)

A similar statement appears in the FortiOS v5.4.5 Release Notes:

5.0 build 0256 and later (needed for FSSO agent support OU in group filters)

However, when the FortiOS v5.4.5 Release Notes were published, the newer FSSO agent version was not yet known, and there is no official confirmation that this combination was ever tested by Fortinet.

Official FSSO upgrade procedure:

  1. Go to the system32 directory on all DCs and rename the dcagent.dll file to dcagent.dll.old. This ensures that when the upgrade is pushed to the DC it does not overwrite the old file. If there are any problems, this makes it easy to revert to the old version.
  2. Run the FSSO setup .exe file to update the Collector. When this is completed, ignore any reboot message.
  3. Go to Programs > Fortinet > Fortinet Single Sign-On Agent > Install DC Agent and push the DC Agent out to all servers. All DCs will now need to be rebooted so that the new DLL file is loaded.
  4. After the reboot, go to all DCs and delete the dcagent.dll.old files.

Question

Do I have to upgrade the DC Agent and Collector during the same change window and prepare for environment downtime, or can I upgrade all my DC Agents and Collectors independently, one by one, so that at least one DC and one Collector are always up and running?

Answer

Don't worry and upgrade slowly! I configured some user accounts and groups. The environment was 100% functional. Then I upgraded just a Collector to version v5.0.0276, so I had:

  • FortiGate in old version (192.168.37.200)
  • AD Agent in old version (192.168.37.101)
  • AD Collector in new version (192.168.37.102)

Outcome: FSSO working fine, even though this configuration is not officially supported by Fortinet.

FGT3 # diagnose debug authd fsso server-status

FGT3 #
Server Name     Connection Status     Version           Address
-----------     -----------------     -------           -------
FSSO            connected             FSSO 5.0.0276     192.168.37.102
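As an added example (not part of the original post), the following Python check parses the `diagnose debug authd fsso server-status` output shown above during a rolling upgrade: it flags Collectors still below the v5.0.0276 minimum and confirms that at least one Collector is connected before the next DC Agent or Collector is touched. The second Collector row and the prompt line in the sample are constructed input.

```python
"""Check FortiGate FSSO collector status against a minimum agent version."""
import re

# Minimum FSSO agent build required by the FortiOS 6.2.0 release notes.
MIN_VERSION = (5, 0, 276)

# Constructed sample of `diagnose debug authd fsso server-status` output:
# one collector already on the new build, one still on the old build.
SAMPLE_OUTPUT = """\
FGT3 #
Server Name     Connection Status     Version           Address
-----------     -----------------     -------           -------
FSSO            connected             FSSO 5.0.0276     192.168.37.102
FSSO-OLD        disconnected          FSSO 5.0.0256     192.168.37.101
"""

# A data row is: name, status, literal "FSSO", dotted version, address.
# The header, separator and prompt lines do not match this shape.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<status>\S+)\s+FSSO\s+(?P<ver>\d+\.\d+\.\d+)\s+(?P<addr>\S+)$"
)

def parse_version(ver: str) -> tuple:
    """'5.0.0276' -> (5, 0, 276) so builds compare numerically, not as strings."""
    return tuple(int(p) for p in ver.split("."))

def parse_server_status(text: str) -> list:
    """Return one dict per collector row, skipping header, separator and prompt."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"name": m["name"], "status": m["status"],
                         "version": parse_version(m["ver"]), "address": m["addr"]})
    return rows

def check_collectors(text: str, minimum=MIN_VERSION) -> dict:
    """Summarise whether it is safe to continue the rolling upgrade.

    ok_to_proceed is True only if at least one collector is connected, so the
    FortiGate keeps receiving logon events while another node is upgraded;
    stale lists collectors below the minimum build that still need upgrading.
    """
    rows = parse_server_status(text)
    connected = [r["name"] for r in rows if r["status"] == "connected"]
    stale = [r["name"] for r in rows if r["version"] < minimum]
    return {"connected": connected, "stale": stale,
            "ok_to_proceed": bool(connected)}
```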