Ditmar
New Member
November 16, 2012
Question

Citrix web access with fortitoken

Hi all, we are planning to change our 2-factor authentication from R** Token to FortiToken. It is working fine with FortiClient; even sending the code via email is perfect. The next step is to get it working with Citrix Secure Gateway. With our actual system we can authenticate with domain user name, domain password and, in another line, with PIN and token code. This is realized with a plugin to the website. How can I get this with our FortiGate (200B)? Thank you for your help.

    9 replies

    hpraxedes
    New Member
    November 16, 2012
    Hi, you can't do this. The FortiGate will not work as a credential server or RADIUS server. To use FortiTokens with other applications you will need to use the FortiAuthenticator, which acts as a RADIUS server.
    Ditmar
    New Member
    November 19, 2012
    Hi hpraxedes, thank you for your quick reply. Is it possible to connect to e.g. Citrix web access without having FortiClient installed? I didn't find any information about this. With our actual solution we can connect from any (public) PC without installing software and we would like to have this possibility with FortiToken, too.
    mhe
    Explorer II
    November 19, 2012
    You can enable authentication at the firewall policy. So the user first authenticates to the FortiGate and only gets to the web server if this is successful. This adds a layer of security to the whole infrastructure. Martin
    Ditmar
    New Member
    November 19, 2012
    But is this possible without a FortiClient?
    hpraxedes
    New Member
    November 19, 2012
    Hi Ditmar, as far as I can understand your scenario, you want to use the FortiToken for the Citrix authentication, is that correct? If it is, you can't use it without the FortiAuthenticator. But if you want just one more auth layer, you can use the policy authentication. The policy auth will display a webpage to the user; once authenticated, the policy becomes valid and the access is granted, but the user will need to authenticate on the Citrix too. For this scenario you don't need the FortiClient.
    Ditmar
    New Member
    November 19, 2012
    My favourite version would be authentication in Citrix with FortiToken and Windows password like we have it now. But I would also be happy with a webpage for first authentication with FortiToken and then a forwarding to the Citrix login page. But how can I set this up? I'm not yet so familiar with FortiGate.
    hpraxedes
    New Member
    November 19, 2012
    Hi Ditmar, if you are using FortiOS 4.0 the configuration should be like this:

    WEB GUI: To create an identity-based policy - web-based manager

    1 Go to Policy > Policy > Policy and select Create New.
    2 Enter the following:
    3 Select Enable Identity Based Policy.
    4 Firewall authentication is enabled by default.
    5 Select Add.
    6 From the Available User Groups list, select the Accounting user group and select the right arrow to move it to the Selected User Groups area.
    7 From the Available Services list, select HTTPS and select the right arrow to move it to the Selected Services area.
    8 For the Schedule, select Always.
    9 Select OK.
    mhe
    Explorer II
    November 19, 2012
    Correct, works great with FortiTokens too!
    Ditmar
    New Member
    November 20, 2012
    Thank you all for your excellent help, it really works fine in this way.