Methinks this might be a question of which pair of sunglasses you set up, so to speak.
To some extent, each vendor follows its own assumptions and workflow. It might be cumbersome and sometimes impossible to exactly copy the workflow from one vendor to the other.
Some thoughts on your questions:
- 50 web portals are not enough? Given that the 800D is not the smallest FGT and that some limits are hardware dependent (see maximum-values-matrix) it might just be that Fortinet does not envision that you create one web portal per user. In reality I have never had to set up more than a handful of portals.
Besides, why not use tunnel mode and the FortiClient? Web portals do have their limitations as they use proxies for a limited number of protocols. Using RDP over an SSL VPN tunnel might just work for your environment.
- then, if you resort to using the FortiClient anyway, why not switch to IPsec VPN? Much more stable, substantially less CPU load on the FGT, proven and traffic-agnostic. This is what I deploy nearly all the time.
- AD: username is case sensitive? And, why mention? "it's not a bug, it's a feature".
- LDAP users: usually, I set up a remote usergroup in such a way that a user is authenticated against one AD subtree containing several groups. The test is "member-of" only. Used in dial-in VPNs and firewall policies. I would not use individual users (remote or local) in policies because then additions and changes would force you to work on the policy set. Instead, policies use usergroups, and changes are applied to usergroups only.
2FA is a complication I admit. This might be doable on a FGT but maybe you would need a FAC (FortiAuthenticator) appliance for special needs.
And as a last piece of advice I would try to get professional (local) help from a seasoned Fortinet partner, or Fortinet itself. You can accomplish a lot yourself but there's a limit. You're tapping in on one resource, the User forum, but maybe need more resources.
"Kernel panic: Aiee, killing interrupt handler!"
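The remote usergroup pattern described in the reply above (authenticate against one AD subtree, test "member-of" only, reference the group rather than individual users in policies), written out as an added FortiOS CLI example. This is not the poster's configuration; the LDAP server address, bind account, DNs, group names, interfaces and address objects are placeholders invented for illustration, and the bind password must be replaced.

```fortios
# Added example, not from the original post. All names and addresses are placeholders.
# 1. Define the AD/LDAP server once. "cnid" is the attribute the username is matched
#    against; "dn" is the subtree that is searched, so users outside it cannot log in.
#    "secure ldaps" keeps bind credentials and user passwords off the wire in clear text.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "OU=Users,DC=example,DC=local"
        set type regular
        set username "CN=svc-fgt-bind,OU=Service,DC=example,DC=local"
        set password "REPLACE-ME"
        set secure ldaps
        set port 636
        set group-member-check user-attr
    next
end

# 2. A remote usergroup whose match rule is purely "member-of" the named AD group.
#    Adding or removing a user in AD changes VPN/policy access without touching the FGT.
config user group
    edit "GRP-VPN-Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Users,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# 3. Policies reference the usergroup, never individual users. This policy lets
#    authenticated VPN users (placeholder interface "ssl.root") reach an internal subnet
#    (placeholder address object "NET-Internal") on RDP only.
config firewall policy
    edit 0
        set name "VPN-Users-to-Internal-RDP"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "NET-Internal"
        set groups "GRP-VPN-Users"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
```

On the FGT, `diagnose test authserver ldap AD-LDAP <username> <password>` is the quickest way to confirm that a test account binds and that the group DN in the match rule is actually returned for it; if the group check fails, the usual causes are a group DN that does not match the AD object exactly or a bind account without read permission on the Groups OU.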