Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MarcusCope
New Contributor II

Created on ‎04-08-2022 02:12 AM

Allow 'Email / VoIP / Slack / Teams' traffic without Azure AD Firewall Authentication

I've configure the FortiGate on our network to authenticate firewall traffic using Azure AD as the IdP. All Internet access works as expected once each user has authenticated to Azure.

 

Users are complaining that first thing in a morning several applications (Teams, Slack, Outlook, Softphones, etc) are not working until they manually launch their browser (which in turn authenticates them to the FortiGate). Something that some of them forget to do!

 

Is there a way I can exempt these applications so that they work regardless of whether or not the user has authenticated to the FortiGate?

Labels:
1504
0 Kudos
1 Solution
Debbie_FTNT
Staff
Staff
In response to MarcusCope

Created on ‎04-20-2022 01:34 AM

Hey Marcus,

I'm sorry to say I haven't found an easy workaround to exempt Teams and Slack from captive portal as yet.

It would require a feature request to allow adding Internet Service entries to the captive portal exemptions.

You could manually add FQDNs (probably wildcard FQDNs as well) to the exempt destinations, but that's about all I can suggest.

If that's insufficient, you could open a Technical Support case to see if the engineers then can come up with a solution, but that would be at least a bit out of scope, as TAC support handles break&fix scenarios, not design questions.

If you do want to go the Feature Request route, you can reach out to your Fortinet Sales partner for that.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

1454
0 Kudos
6 REPLIES 6
Debbie_FTNT
Staff
Staff

Created on ‎04-08-2022 04:21 AM

Hey Marcus,

you would essentially need exemption policies; a policy on top of the default internet policy with no authentication requirements (no user group).

What shape that takes depends a bit on your setup and how authentication is triggered, and if this is an explicit proxy setup, then it will be very tricky if not impossible, because authentication requirements for proxy are somewhat divorced from the proxy policies.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1462
0 Kudos
MarcusCope
New Contributor II
In response to Debbie_FTNT

Created on ‎04-11-2022 02:00 AM

Hi Debbie,

Thanks for the reply, here is a screenshot of our Internet access policy -

MarcusCope_0-1649665242364.png

I've placed authentication exemption rules before the general Internet access policy, e.g.

MarcusCope_1-1649665735693.png

These rules don't have any authentication requirements.

 

First thing in the morning, users receive the follow notification - 

MarcusCope_2-1649666842740.png

When they click on the 'Tap to open the browser and connect' - their default web browser opens at a Captive Portal and redirected to Azure AD. This all works fine!

MarcusCope_3-1649667106566.png

The problem is, if they miss this message and don't need to use the Internet - all their services are not connecting.

MarcusCope_4-1649667357347.png

 

I hope this makes sense!

 

1453
0 Kudos
Debbie_FTNT
Staff
Staff
In response to MarcusCope

Created on ‎04-12-2022 01:48 AM

Hey Marcus,

yes it makes sense.

Do you also have exemptions on the captive portal itself?

Debbie_FTNT_0-1649753252510.png

In addition to the policy, you would have to add the services/destinations you want exempt there.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1442
0 Kudos
MarcusCope
New Contributor II
In response to Debbie_FTNT

Created on ‎04-14-2022 01:47 AM

Hi Debbie,

 

Your solution works for our phone system and email (AWS WorkMail). Thanks for this :) 

 

My only issue now is Slack and Microsoft Teams. Both these applications use Port 443 and have lots of different destination IP addresses. When I created the firewall rules for these applications, I got the option to select  an 'Internet Service', but in the Captive Portal exception list I don't get this option.

 

Is there a way around this?

 

Thanks again for your help!

MarcusCope_0-1649925966431.png

 

 

1435
0 Kudos
Debbie_FTNT
Staff
Staff
In response to MarcusCope

Created on ‎04-20-2022 01:34 AM

Hey Marcus,

I'm sorry to say I haven't found an easy workaround to exempt Teams and Slack from captive portal as yet.

It would require a feature request to allow adding Internet Service entries to the captive portal exemptions.

You could manually add FQDNs (probably wildcard FQDNs as well) to the exempt destinations, but that's about all I can suggest.

If that's insufficient, you could open a Technical Support case to see if the engineers then can come up with a solution, but that would be at least a bit out of scope, as TAC support handles break&fix scenarios, not design questions.

If you do want to go the Feature Request route, you can reach out to your Fortinet Sales partner for that.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1455
0 Kudos
MarcusCope
New Contributor II
In response to Debbie_FTNT

Created on ‎04-21-2022 12:58 AM

Hi Debbie, thanks for all your help :)

 

As you stated, I will reach out to our sales partner.

1401
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.