Ralph1973
New Member
November 2, 2015
Solved

first user needs to authenticate, subsequent users don't


Hello, we have an annoying issue here with user authentication to an IIS server through a FortiGate 240D (FortiOS 5.2.3) cluster.

I have made a policy that allows connections from the internet for the user group rds-users:

source interface: wan1

source address: all

source users: rds-users

outgoing interface: inside

destination address: vip of iis server (static nat)

service: https

 

What happens is that, when you connect to this VIP address from the internet, you get the Fortinet authentication portal, where you have to enter your (AD) username, password and FortiToken. When successfully authenticated, you can enter the company web portal.

This works great, however... The next user that originates from the same public IP address doesn't have to go through the authentication and is directly redirected to the web portal (!)

 

I haven't found a workaround for this yet, maybe anyone has an idea how to solve this issue?

 

Thank you and regards,

Ralph Willemsen

Arnhem, Netherlands

 


gschmitt (Answer)
New Member
November 2, 2015

There is no workaround; the authentication works on an IP basis.

Ralph1973 (Author)
New Member
November 2, 2015

Thank you, that is what I was afraid of :(

 

Regards, Ralph

gschmitt
New Member
November 2, 2015

Ralph1973 wrote:

Thank you, that is what I was afraid of :(

 

Well, you could try to do it as an SSL VPN web portal. I don't have access to my test device right now, but last I checked the SSL VPN web portal had bookmarks for web pages?

 

Go to VPN > SSL > Portals and create a new Web Portal

Uncheck Tunnel Mode and check Enable Web Mode

Under Predefined Bookmarks hit Create New and see if that suits your needs

 

From your group name I gather you are trying to publish a Remote Web Access site from MS? Give me a status if that works. I think I have the exact same setup, but sadly the guy before me let the "IP based auth" stand as it is :\
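
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not FortiOS code: a small model of an authentication table keyed on source IP next to one keyed on a per-browser session token, showing why a second client behind the same public address inherits the first user's login in one case and not in the other. The class names, the timeout value and the address are constructed for the illustration.

```python
"""Added illustration (not FortiOS code): IP-keyed vs. session-keyed auth state."""
import secrets

AUTH_TIMEOUT = 300  # seconds; constructed value for the demo


class IpKeyedGate:
    """Models policy authentication that remembers only the source IP."""

    def __init__(self):
        self._authed = {}  # source IP -> (user, expiry time)

    def login(self, src_ip, user, now):
        self._authed[src_ip] = (user, now + AUTH_TIMEOUT)

    def check(self, src_ip, now, token=None):
        entry = self._authed.get(src_ip)
        if entry and now < entry[1]:
            return entry[0]   # anyone arriving from this IP inherits the user
        return None           # unknown or expired: show the login portal


class SessionKeyedGate:
    """Hypothetical alternative: login issues a per-browser token."""

    def __init__(self):
        self._sessions = {}  # token -> (user, expiry time)

    def login(self, src_ip, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + AUTH_TIMEOUT)
        return token

    def check(self, src_ip, now, token=None):
        entry = self._sessions.get(token)
        if entry and now < entry[1]:
            return entry[0]
        return None           # no valid token: source IP alone grants nothing


def second_client_result(gate):
    """alice logs in from a NAT address; another browser behind it connects."""
    nat_ip = "203.0.113.10"  # constructed documentation address
    gate.login(nat_ip, "alice", now=0)
    # The second client shares the public IP but holds no token of its own.
    return gate.check(nat_ip, now=60, token=None)
```
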