A network administrator is deploying FSSO in DC agent mode for a Windows Active Directory domain with three domain controllers. Each user logon must be captured and forwarded to the collector agent so that the FortiGate can apply identity-based policies. Which component must be installed on each monitored domain controller for this mode to function?
- A. A DC agent (dcagent.dll) registered on every monitored domain controller, which intercepts logon events and forwards them to the collector agent. (Correct)
- B. A collector agent installed directly on every domain controller, so each controller independently sends user-to-IP mappings to the FortiGate.
- C. A TS agent on each domain controller to track per-session source ports for users sharing one host.
- D. The FortiGate polling service enabled against each controller, removing the need for any agent on the controllers.
Why A is correct: DC agent mode requires the FSSO DC agent to be installed on each domain controller; it hooks logon events at the source and pushes them to the collector agent, which is the defining characteristic of this mode.
Why B is wrong: It is tempting because the collector agent is central to FSSO, but in DC agent mode the collector is a single (or redundant) service that aggregates events from DC agents, not a per-controller component that talks to the FortiGate alone.
Why C is wrong: The TS agent is used for Citrix or Terminal Server environments to distinguish users on a shared host by port range, not for capturing standard domain controller logon events.
Why D is wrong: This describes agentless polling mode rather than DC agent mode; the question explicitly specifies DC agent mode, which depends on an installed DC agent rather than FortiGate-initiated polling.