MarcusCope
New Contributor II

Allow 'Email / VoIP / Slack / Teams' traffic without Azure AD Firewall Authentication

I've configured the FortiGate on our network to authenticate firewall traffic using Azure AD as the IdP. All Internet access works as expected once each user has authenticated to Azure.

Users are complaining that first thing in the morning several applications (Teams, Slack, Outlook, softphones, etc.) are not working until they manually launch their browser (which in turn authenticates them to the FortiGate). Something that some of them forget to do!

Is there a way I can exempt these applications so that they work regardless of whether or not the user has authenticated to the FortiGate?


Debbie_FTNT
Staff

Hey Marcus,

You would essentially need exemption policies: a policy on top of the default Internet policy with no authentication requirements (no user group).

What shape that takes depends a bit on your setup and how authentication is triggered. If this is an explicit proxy setup, it will be very tricky if not impossible, because authentication requirements for the proxy are somewhat divorced from the proxy policies.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
MarcusCope

Hi Debbie,

Thanks for the reply; here is a screenshot of our Internet access policy:
</gre_replace>
<gr_replace lines="63-64" cat="remove_boilerplate" orig="">

MarcusCope_0-1649665242364.png

I've placed authentication exemption rules before the general Internet access policy, e.g.

MarcusCope_1-1649665735693.png

These rules don't have any authentication requirements.

 

First thing in the morning, users receive the following notification:

MarcusCope_2-1649666842740.png

When they click on 'Tap to open the browser and connect', their default web browser opens at a Captive Portal and is redirected to Azure AD. This all works fine!

MarcusCope_3-1649667106566.png

The problem is, if they miss this message and don't need to use the Internet, none of their services connect.

MarcusCope_4-1649667357347.png

I hope this makes sense!

Debbie_FTNT

Hey Marcus,

Yes, it makes sense.

Do you also have exemptions on the captive portal itself?

Debbie_FTNT_0-1649753252510.png

In addition to the policy, you would have to add the services/destinations you want exempt there.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
MarcusCope

Hi Debbie,

Your solution works for our phone system and email (AWS WorkMail). Thanks for this :) 

My only issue now is Slack and Microsoft Teams. Both of these applications use port 443 and have lots of different destination IP addresses. When I created the firewall rules for these applications, I got the option to select an 'Internet Service', but in the Captive Portal exception list I don't get this option.

Is there a way around this?

Thanks again for your help!

MarcusCope_0-1649925966431.png

Debbie_FTNT

Hey Marcus,

I'm sorry to say I haven't found an easy workaround to exempt Teams and Slack from captive portal as yet.

It would require a feature request to allow adding Internet Service entries to the captive portal exemptions.

You could manually add FQDNs (probably wildcard FQDNs as well) to the exempt destinations, but that's about all I can suggest.

If that's insufficient, you could open a Technical Support case to see if the engineers can then come up with a solution, but that would be at least a bit out of scope, as TAC support handles break & fix scenarios, not design questions.

If you do want to go the Feature Request route, you can reach out to your Fortinet Sales partner for that.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
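An illustrative FortiOS CLI sketch of the two-part approach discussed in this thread (an exemption policy without a user group placed above the authenticated Internet policy, plus wildcard FQDN entries on the captive portal exempt list). This is an added example, not configuration from the original posts or from Fortinet documentation; the interface names, object names and FQDN patterns are placeholders, and the exact CLI keys should be checked against your FortiOS version before use.

```text
# Added example (not from the original thread). Names marked as placeholders are assumptions.
# 1) Wildcard FQDN objects for the collaboration services (patterns are placeholders;
#    take the real ones from each vendor's published endpoint list).
config firewall wildcard-fqdn custom
    edit "wc-teams"
        set wildcard-fqdn "*.teams.microsoft.com"
    next
    edit "wc-slack"
        set wildcard-fqdn "*.slack.com"
    next
end

# 2) Exemption policy: no 'set groups' line, so no authentication is required.
#    Keep it narrowly scoped (HTTPS only, these destinations only) and logged,
#    and place it ABOVE the authenticated Internet access policy.
config firewall policy
    edit 0
        set name "Exempt-Collab-Apps"
        set srcintf "internal"          # placeholder LAN interface
        set dstintf "wan1"              # placeholder WAN interface
        set srcaddr "all"
        set dstaddr "wc-teams" "wc-slack"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set nat enable
        set logtraffic all
    next
end

# 3) Captive portal exempt list (the list Debbie's screenshot refers to),
#    so the portal redirect is not triggered for these destinations either.
config user security-exempt-list
    edit "collab-exempt"
        config rule
            edit 1
                set dstaddr "wc-teams" "wc-slack"
                set service "HTTPS"
            next
        end
    next
end

# 4) Bind the exempt list to the interface running the captive portal.
config system interface
    edit "internal"                     # placeholder LAN interface
        set security-exempt-list "collab-exempt"
    next
end
```

Wildcard FQDN objects are populated from DNS replies the FortiGate observes, so a freshly created entry matches nothing until clients have resolved those names through it; review the policy's traffic log after rollout to confirm only the intended destinations are reached without authentication.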
MarcusCope

Hi Debbie, thanks for all your help :)

As you stated, I will reach out to our sales partner.
