davidjung
Staff
Description
This article describes limitations for Fortinet Single-Sign-On and Terminal Server setup as relates to non-TCP/UDP traffic.

Solution
Fortinet Single-Sign-On (FSSO) is a Fortinet Product that allows passive user authentication in an Active Directory Environment by reading user logins from Domain Controllers and providing this information to FortiGate.

In the case of Terminal Servers, an agent software must be run on the terminal servers to allow FSSO and FortiGate to distinguish between multiple users on the same host.
This is done by allocating a source-port range to each user:

- User A might use source port 1500-1999.
- User B might use source port 2000-2499.
- User C might use source port 2500-2999.
- etc.

However, this in turn causes issues for any traffic that has no source port, such as ICMP traffic.
In that case, because FortiGate relies on a source port to determine which user generated the traffic, it is unable to identify a user.
Any non-TCP/UDP traffic coming from Terminal Servers is in effect considered unauthenticated.

If any such traffic needs to be generated from Terminal Servers in an FSSO environment, a specific policy exempting it from authentication is required, for example an exemption policy for ICMP traffic that allows Terminal Server users to send a ping.
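The following is an added illustration, not Fortinet code and not the FSSO Terminal Server agent itself: it models the port-range attribution the article describes and shows why a flow without a source port cannot be mapped to a user, and how a separate ICMP exemption policy (matching on protocol only, with no user requirement) changes the outcome. The terminal-server address, the port table and the policy names are constructed for the example.

```python
"""Model of FSSO terminal-server user attribution by source-port range.

Added example (not Fortinet's code). Constructed values: TS_HOST, PORT_RANGES
and the policy names below are assumptions chosen to mirror the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TS_HOST = "10.0.0.50"  # constructed terminal-server address

# Constructed allocation table: each terminal-server user gets a source-port range.
PORT_RANGES: Dict[str, Tuple[int, int]] = {
    "userA": (1500, 1999),
    "userB": (2000, 2499),
    "userC": (2500, 2999),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str                    # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str          # "any", "tcp", "udp" or "icmp"
    requires_user: bool  # True = an FSSO user/group must be identified
    action: str         # "accept" or "deny"


def identify_user(flow: Flow,
                  ranges: Dict[str, Tuple[int, int]] = PORT_RANGES,
                  ts_hosts: Tuple[str, ...] = (TS_HOST,)) -> Optional[str]:
    """Return the user owning the flow's source port, or None if unattributable."""
    if flow.src_ip not in ts_hosts:
        return None  # not a terminal server; per-host FSSO logon mapping would apply
    if flow.proto not in ("tcp", "udp") or flow.src_port is None:
        return None  # ICMP and other non-TCP/UDP traffic carries no source port
    for user, (lo, hi) in ranges.items():
        if lo <= flow.src_port <= hi:
            return user
    return None  # port outside every allocated range


def evaluate(flow: Flow, policies: List[Policy]) -> Tuple[str, str, Optional[str]]:
    """First-match policy evaluation; falls through to an implicit deny."""
    user = identify_user(flow)
    for p in policies:
        if p.proto != "any" and p.proto != flow.proto:
            continue
        if p.requires_user and user is None:
            continue  # identity-based policy cannot match unauthenticated traffic
        return p.name, p.action, user
    return "implicit-deny", "deny", user


# Policy set with only an identity-based rule (constructed).
USER_ONLY: List[Policy] = [Policy("fsso-users", "any", True, "accept")]

# Same set with a narrow ICMP exemption placed ahead of it (constructed).
WITH_EXEMPTION: List[Policy] = [
    Policy("ts-icmp-exempt", "icmp", False, "accept"),
    Policy("fsso-users", "any", True, "accept"),
]


if __name__ == "__main__":
    ping = Flow(TS_HOST, "icmp")
    web = Flow(TS_HOST, "tcp", 2100)
    print("ping, user-only policies:  ", evaluate(ping, USER_ONLY))
    print("ping, with exemption:      ", evaluate(ping, WITH_EXEMPTION))
    print("tcp/2100, with exemption:  ", evaluate(web, WITH_EXEMPTION))
```

The exemption entry is deliberately limited to the ICMP protocol and to traffic sourced from the terminal-server address; keeping it that narrow means the unauthenticated path covers only the traffic the agent genuinely cannot attribute, while TCP/UDP flows from the same host continue to be matched against the identity-based policy.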