Skip to main content
osaris
osaris
New Member
February 5, 2019
Question

Identity base rule from wan to lan

  • February 5, 2019
  • 1 reply
  • 2654 views

Hello,

 

I'm running a FG60E, I'd like my users to login through a "captive portal" before being able to access internal RDP servers by NAT. I can't use a VPN/SSL VPN because my users are connecting from various computers every day and can't install Forticlient on each (they are not admin), and RDP Web isn't acceptable for their job. I'll add 2FA to increase security.

 

I created a rule from WAN to LAN with a VIP for my NAT, it works well. Then I added a user to my rule (so it becomes "Identity based ?"), now I cannot connect to RDP through NAT (make sense) but I cannot login, I don't know where to login ?

 

I have enabled HTTP, HTTPS etc protocols in my authentication settings.

 

Any help appreciated !

 

Regards

    1 reply

    lobstercreed
    lobstercreed
    New Member
    February 5, 2019

    Hi Raphaël,

    I'm afraid the answer is that VPN is exactly what you need.  As far as I know (I'd be happy to be proven wrong), there's fundamentally no way to force a user to a "captive portal" from several router hops away.  This can only be done if they are on an internal network to require login before accessing other networks.

    I'm afraid you'll have to work with someone who is an admin on their computers to install FortiClient.

    - Daniel

    osaris
    osarisAuthor
    New Member
    February 5, 2019

    I'm using something similar to what I want to achieve to connect to one of our customer RDP server. I need to login on a captive portal (Zywall USG) then I can make a RDP session through NAT.

     

    I understand it's not as secure as a VPN but the portal could store my remote IP, computer name etc and then allow other rules (RDP) based on that.

    Terms & ConditionsAccessibility statement