vusal_d
New Member
December 15, 2018
Question

Force User Authentication over Explicit Proxy


Hi all forum gurus

Right now we are moving from our old MS TMG to Fortigate 1000D.

Got a question about Proxy policy

First, I have to tell you that all users in our organization have proxy settings enabled in their browsers.

How do I force authentication of users from a specified IP source?

I've set up some testing rules (attached picture) but I can't get it to work for the Terminal Servers IP groups. It seems users are not authenticated ...

 

    2 replies

    xsilver_FTNT
    Staff
    December 17, 2018

    Hi,

    A policy like #2 is not gonna get hit as there is any-any-accept .. an easier way, without authentication.

    So first get rid of the any-any-accept stuff .. this is a firewall and the default rule is deny.

    All you configure are exceptions for those you would like to explicitly allow through under some conditions.

    Then, to apply authentication, the user for example needs to come through a port which spawns a captive portal.

    Or the user can be pre-authenticated via FSSO (and for Terminal Servers best equipped with TSAgent), or handle it all on a session basis via Explicit proxy policies ..

     

    Docs.fortinet.com and the Authentication guide have a lot of tips.

    Specific scenarios are on the Cookbooks site.
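
The rule-ordering point in the reply above, as an added example that is not part of the thread: a simplified first-match model (not FortiOS's own policy engine) run over constructed rule sets, showing why a group-restricted rule placed under an any-any-accept rule is never reached. Policy ids, group names and addresses are assumptions made for illustration.

```python
import ipaddress

def covers(outer, inner):
    """True when network `inner` lies entirely inside network `outer`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_hit(policies, src_ip, dst_ip):
    """First policy (top-down) whose src/dst match a not-yet-authenticated client."""
    for p in policies:
        if covers(p["src"], src_ip + "/32") and covers(p["dst"], dst_ip + "/32"):
            return p
    return None  # nothing matched: implicit deny

def shadowed(policies):
    """Map each unreachable policy id to the earlier no-auth policy that hides it."""
    hidden = {}
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier["groups"]:
                continue  # assumption: a group-restricted rule lets non-members fall through
            if covers(earlier["src"], later["src"]) and covers(earlier["dst"], later["dst"]):
                hidden[later["id"]] = earlier["id"]
                break
    return hidden

ANY = "0.0.0.0/0"
TS_NET = "10.10.20.0/24"  # constructed range standing in for the Terminal Servers group

# Constructed rule sets; ids, groups and addresses are illustrative only.
BEFORE = [
    {"id": 1, "src": ANY, "dst": ANY, "groups": [], "action": "accept"},
    {"id": 2, "src": TS_NET, "dst": ANY, "groups": ["TS-Users"], "action": "accept"},
]
AFTER = [
    {"id": 2, "src": TS_NET, "dst": ANY, "groups": ["TS-Users"], "action": "accept"},
    {"id": 3, "src": "10.10.0.0/16", "dst": ANY, "groups": ["Domain-Users"], "action": "accept"},
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        hit = first_hit(rules, "10.10.20.15", "203.0.113.10")
        print(name, "shadowed:", shadowed(rules),
              "first hit:", hit["id"], "auth required:", bool(hit["groups"]))
```
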

    baggins
    New Member
    January 23, 2019

    Hi,

     

    You need to play with these:

    (my sample configuration)..

    config authentication scheme
        edit "ntlm"
            set method ntlm
        next
        edit "fsso"
            set method fsso
        next
    end
    config authentication rule
        edit "proxytest"
            set srcaddr "all"    - here you can define who will be authenticated... but there are more options..
            set active-auth-method "ntlm"
            set sso-auth-method "fsso"
        next
    end
    config authentication setting
        set active-auth-scheme "ntlm"
    end