PeterK
Visitor III
November 7, 2018
Question

Are you having a lot of issues with the remote access solution?

Hi All
We migrated from another firewall with a separate VPN box to now using the FortiGate 800D all-in-one solution. However, we have run into multiple problems. There is no English UK keyboard for RDP connections through the RAS web page, although I understand this has now been fixed in OS 6.2. We find the number of portals (50) limited. The username from Active Directory is case sensitive. You can only link the user to one portal (our other system let you be in one profile and then let you pick up more below if you unchecked a box). A major issue is groups. Creating a local group on the firewall works with local users, and using that group in policies works. Mapping to an Active Directory security group also works, but this then does not use the two-factor authentication which we need to use. Creating a firewall group and adding LDAP users, though, does not work. The LDAP users work when added to the firewall policies individually, but not as a group, which is a nightmare to set up and manage. Wondering if others have had these issues with the RAS and if you ended up using an external box?
Thanks
Peter

    PeterK (Author)
    Visitor III
    November 20, 2018

    Assume this is just me then?

    PeterK (Author)
    Visitor III
    December 7, 2018

    Anyone? Are you finding the remote access fine or having issues?

    ede_pfau
    SuperUser
    December 7, 2018

    Methinks this might be a question of which pair of sunglasses you set up, so to speak.

    To some extent, each vendor follows its own assumptions and workflow. It might be cumbersome and sometimes impossible to exactly copy the workflow from one vendor to another.

    Some thoughts on your questions:

    - 50 web portals are not enough? Given that the 800D is not the smallest FGT and that some limits are hardware dependent (see maximum-values-matrix) it might just be that Fortinet does not envision that you create one web portal per user. In reality I have never had to set up more than a handful of portals.

    Besides, why not use tunnel mode and the FortiClient? Web portals do have their limitations as they use proxies for a limited number of protocols. Using RDP over an SSL VPN tunnel might just work for your environment.
    - Then, if you resort to using the FortiClient anyway, why not switch to IPsec VPN? Much more stable, substantially less CPU load on the FGT, proven and traffic-agnostic. This is what I deploy nearly all the time.

    - AD: username is case sensitive? And, why mention? "it's not a bug, it's a feature".
    - LDAP users: usually, I set up a remote usergroup in such a way that a user is authenticated against one AD subtree containing several groups. The test is "member-of" only. Used in dial-in VPNs and firewall policies. I would not use individual users (remote or local) in policies because then additions and changes would force you to work on the policy set. Instead, policies use usergroups, and changes are applied to usergroups only.
    2FA is a complication I admit. This might be doable on a FGT but maybe you would need a FAC (FortiAuthenticator) appliance for special needs.
    And as a last piece of advice, I would try to get professional (local) help from a seasoned Fortinet partner, or Fortinet itself. You can accomplish a lot yourself, but there's a limit. You're tapping into one resource, the user forum, but maybe you need more resources.