I've configured the FortiGate on our network to authenticate firewall traffic using Azure AD as the IdP. All Internet access works as expected once each user has authenticated to Azure.
Users are complaining that first thing in the morning several applications (Teams, Slack, Outlook, softphones, etc.) are not working until they manually launch their browser (which in turn authenticates them to the FortiGate). Something that some of them forget to do!
Is there a way I can exempt these applications so that they work regardless of whether or not the user has authenticated to the FortiGate?
Hey Marcus,
You would essentially need exemption policies; a policy on top of the default Internet policy with no authentication requirements (no user group).
What shape that takes depends a bit on your setup and how authentication is triggered, and if this is an explicit proxy setup, then it will be very tricky if not impossible, because authentication requirements for proxy are somewhat divorced from the proxy policies.
Hi Debbie,
Thanks for the reply, here is a screenshot of our Internet access policy -
I've placed authentication exemption rules before the general Internet access policy, e.g.
These rules don't have any authentication requirements.
First thing in the morning, users receive the following notification -
When they click on the 'Tap to open the browser and connect' - their default web browser opens at a Captive Portal and redirected to Azure AD. This all works fine!
The problem is, if they miss this message and don't need to use the Internet, none of their services connect.
I hope this makes sense!
Hey Marcus,
Yes, it makes sense.
Do you also have exemptions on the captive portal itself?
In addition to the policy, you would have to add the services/destinations you want exempt there.
Hi Debbie,
Your solution works for our phone system and email (AWS WorkMail). Thanks for this :)
My only issue now is Slack and Microsoft Teams. Both these applications use Port 443 and have lots of different destination IP addresses. When I created the firewall rules for these applications, I got the option to select an 'Internet Service', but in the Captive Portal exception list I don't get this option.
Is there a way around this?
Thanks again for your help!
Hey Marcus,
I'm sorry to say I haven't found an easy workaround to exempt Teams and Slack from captive portal as yet.
It would require a feature request to allow adding Internet Service entries to the captive portal exemptions.
You could manually add FQDNs (probably wildcard FQDNs as well) to the exempt destinations, but that's about all I can suggest.
If that's insufficient, you could open a Technical Support case to see if the engineers then can come up with a solution, but that would be at least a bit out of scope, as TAC support handles break&fix scenarios, not design questions.
If you do want to go the Feature Request route, you can reach out to your Fortinet Sales partner for that.
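The pattern discussed in this thread (an exemption policy with no user group placed above the authenticated Internet policy, scoped to wildcard FQDN destinations) written out as FortiOS CLI. This is an added illustration, not configuration from Debbie or Marcus and not Fortinet's documentation: the interface names, address names, policy IDs and the two FQDN patterns are assumptions, and the keywords should be checked against the FortiOS version in use before anything is applied. Marcus's GUI captive portal exemption list is not reproduced here; the per-policy `captive-portal-exempt` setting is used instead.

```fortios
# Added example (not from the thread). Interface names "lan"/"wan1", the address
# object "LAN-Users", the group "AzureAD-Users", policy IDs 10/20 and the FQDN
# patterns are placeholders; take the real endpoint FQDNs from the vendors' own
# published endpoint lists rather than from this snippet.

# 1. Destination objects for the applications that must work before sign-in.
#    A leading "*" makes the object a wildcard FQDN address.
config firewall address
    edit "Teams-wildcard"
        set type fqdn
        set fqdn "*.teams.microsoft.com"
    next
    edit "Slack-wildcard"
        set type fqdn
        set fqdn "*.slack.com"
    next
end

config firewall addrgrp
    edit "PreAuth-Apps"
        set member "Teams-wildcard" "Slack-wildcard"
    next
end

# 2. Exemption policy: no "groups" line, narrow destination, HTTPS only, logged.
#    It must sit ABOVE the general Internet policy; FortiGate evaluates policies
#    top to bottom by sequence, the numeric ID does not decide the order.
config firewall policy
    edit 10
        set name "Internet-PreAuth-Exempt"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN-Users"
        set dstaddr "PreAuth-Apps"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set captive-portal-exempt enable
        set logtraffic all
    next
    # 3. General Internet policy: the one carrying the Azure AD SAML user group.
    #    Everything not matched by policy 10 still has to authenticate here.
    edit 20
        set name "Internet-Authenticated"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN-Users"
        set dstaddr "all"
        set groups "AzureAD-Users"
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Because the exemption policy carries no identity, anything it allows is reachable by any host on the LAN segment without a user ever signing in, so keep its destination group limited to the application endpoints and its service to HTTPS, and leave logging on: pre-authentication sessions then remain attributable by source IP even though no username is attached to them. After adding the policies, confirm the ordering in the policy list, since an exemption placed below the authenticated policy never matches.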
Hi Debbie, thanks for all your help :)
As you stated, I will reach out to our sales partner.