Technical Note: Using FortiClientSSO with a non-unique IP
Description
According to the FortiClient 5.4 Administration Guide, the IP address that FortiClientSSO uses should be unique in the entire network.
However, a non-unique IP address can be used if a Global Pre-filter is configured in FortiAuthenticator.
Solution
1) Create the necessary IP Filtering Rules.
Fortinet FSSO Methods > SSO > IP filtering > create new
Set either the IP ranges/subnets that will be included ("only accept these IP ranges/subnets") or the IP ranges/subnets that will be filtered out.
2) Apply the IP filter.
Fortinet FSSO Methods > SSO > FortiGate filtering > edit Global Pre-filter
- Enable IP Filtering.
- Select the created IP filter and save the change.
The change will apply to already listed FSSO sessions (relevant IPs will be filtered out) and to newly arriving logins from FortiClients.
Messages like the ones shown below should start to be seen in the logs:
06/21/2017 10:01:28 [1024583424] FCT LOGON 2017-06-21-10:01:27/1970-01-01-01:00:00 FortiClient wokrstation1.domain.com/192.168.133.21:10.171.0.79:10.108.16.79 DOMAIN.COM/ADUSER2
06/21/2017 10:01:28 [1024583424] FCT 10.171.0.79: logon IP has been filtered from 192.168.133.21:10.171.0.79:10.108.16.79 to 10.171.0.79 by global IP filter
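The following is an added example, not Fortinet code and not part of this note. It models the Global Pre-filter semantics described above (an optional "only accept these" include list plus an exclude list), applies them to the colon-separated address list a FortiClient reports, and parses the two FortiAuthenticator log messages shown above so that an operator can cross-check that the filter really leaves exactly one IP per logon. The filter ranges in `EXAMPLE_FILTER`, the function names and the audit messages are constructed for illustration; the note does not state which ranges were configured in the original deployment.

```python
"""Model of the FortiAuthenticator FSSO global IP pre-filter (added example,
not Fortinet code). Filter semantics follow the note's description; the log
regexes follow the two sample lines quoted in the note; sample ranges are
constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IPFilter:
    """include: "only accept these IP ranges/subnets" (empty = accept all);
    exclude: IP ranges/subnets that will be filtered out."""
    include: List[ipaddress.IPv4Network] = field(default_factory=list)
    exclude: List[ipaddress.IPv4Network] = field(default_factory=list)

    def accepts(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.include and not any(addr in net for net in self.include):
            return False
        return not any(addr in net for net in self.exclude)


def apply_prefilter(logon_ips: str, flt: IPFilter) -> List[str]:
    """FortiClient reports its addresses as 'a:b:c'; keep those the filter accepts."""
    return [ip for ip in logon_ips.split(":") if flt.accepts(ip)]


# Log shapes taken from the sample lines in this note.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] FCT (?P<body>.*)$")
LOGON_RE = re.compile(
    r"^LOGON \S+ FortiClient (?P<host>[^/\s]+)/(?P<ips>[\d.:]+) (?P<user>\S+)$")
FILTERED_RE = re.compile(
    r"^(?P<ip>[\d.]+): logon IP has been filtered from (?P<before>[\d.:]+) "
    r"to (?P<after>[\d.:]+) by global IP filter$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one FortiAuthenticator FCT log line into a record, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "pid": m.group("pid")}
    body = m.group("body")
    if (lm := LOGON_RE.match(body)):
        rec.update(kind="logon", host=lm["host"], ips=lm["ips"], user=lm["user"])
    elif (fm := FILTERED_RE.match(body)):
        rec.update(kind="filtered", before=fm["before"], after=fm["after"])
    else:
        rec.update(kind="other", body=body)
    return rec


def audit(lines: List[str], flt: IPFilter) -> List[str]:
    """Cross-check the logs against the filter model. Two failure modes are
    reported: a logon that the filter does not reduce to exactly one IP (FSSO
    needs a unique address), and a 'filtered ... to' message whose result
    differs from what the configured filter should have produced."""
    findings: List[str] = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "logon":
            kept = apply_prefilter(rec["ips"], flt)
            if len(kept) != 1:
                findings.append(
                    f"{rec['host']}: filter leaves {', '.join(kept) or 'no'} IP(s) "
                    f"for {rec['ips']}; FSSO needs exactly one")
        elif rec["kind"] == "filtered":
            expected = apply_prefilter(rec["before"], flt)
            if rec["after"].split(":") != expected:
                findings.append(
                    f"mismatch: FortiAuthenticator kept {rec['after']} but the "
                    f"configured filter would keep {':'.join(expected) or 'nothing'}")
    return findings


# Sample input: the two log lines quoted in this note.
SAMPLE_LOG = [
    "06/21/2017 10:01:28 [1024583424] FCT LOGON 2017-06-21-10:01:27/1970-01-01-01:00:00 "
    "FortiClient wokrstation1.domain.com/192.168.133.21:10.171.0.79:10.108.16.79 DOMAIN.COM/ADUSER2",
    "06/21/2017 10:01:28 [1024583424] FCT 10.171.0.79: logon IP has been filtered from "
    "192.168.133.21:10.171.0.79:10.108.16.79 to 10.171.0.79 by global IP filter",
]

# Constructed filter (assumption): drop the two overlapping/non-unique ranges so
# that only the routable 10.171.0.0/16 address survives.
EXAMPLE_FILTER = IPFilter(exclude=[ipaddress.ip_network("192.168.133.0/24"),
                                   ipaddress.ip_network("10.108.16.0/24")])

if __name__ == "__main__":
    print(apply_prefilter("192.168.133.21:10.171.0.79:10.108.16.79", EXAMPLE_FILTER))
    print("findings with filter:", audit(SAMPLE_LOG, EXAMPLE_FILTER))
    print("findings without filter:", audit(SAMPLE_LOG, IPFilter()))
```

Running `audit` with an empty `IPFilter()` shows both failure modes at once: the logon still carries three addresses, and the "filtered ... to" message no longer agrees with the (non-existent) configuration. An include-only filter such as `IPFilter(include=[ipaddress.ip_network("10.171.0.0/16")])` reaches the same single address, which is the "only accept these IP ranges/subnets" variant of the rule.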
