I am replacing Juniper SSG Firewalls at a clients site with Fortigate 60E Units. Everything setup fine except one inbound policy the Junipers managed before. We have an RDP server at the site and remote users would need to authenticate against the Juniper Firewall before RDP was available (so the RDP is not open the world for hacking). The method used was we had a simple website running on an internal webserver that the remote user would browse to (via DNS name pointing to Virtual IP) and an authentication windows would pop up (from the Firewall), once a local firewall user credentials were entered the website would then load up (the site was simply a page we created to say firewall authentication was successful) then any another policy that also had 'Auth' enabled was available to the user that had successfully authenticated so the user could RDP direct to the RDP server.
I see forums and posts about creating policies to allow internal people access to outside resources but this is a need for Firewall authentication for remote people accessing internal (RDP) resource, as I say this means RDP is not open until you authenticate against the firewall. I've created the local Firewall user and created a Group and added the local Firewall user to the group, I just don't see how to only have the policy active once the user is authentication.
Any help, much appreciated.
Thanks,
Matt.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You didn't mention what forties version, but you need a identity-based policy. Take a look at my blog post a few years back.
http://socpuppet.blogspot.com/2014/11/fortigate-identity-policies-trouble.html
ID based has changed over the various fortiOS version, I'll post a new followup post, since v5.4 and v5.6 has been out since that posting. I don't know if you can do RDP tho and that would be your biggest challenge ;)
You might be better off using a SSLVPN webportal and with a RDP bookmark for just that RDP-server(s) that you want to allow. It would satisfy the same requirement, provide full encryption and than easier to manage if you add more users or more RDP webtops.
Ken
PCNSE
NSE
StrongSwan
Thanks Ken, the Fortinet Device and version being used here is a Fortigate 60E version v5.4.3,build5873, Was hoping it was something achievable via the Web management GUI?
Matt.
The process is simple, build the fwpolicy , select the user ( it's the tab on the right side when your in the fwpolicy ) Select the user and group and submit the policy.
Ken
PCNSE
NSE
StrongSwan
Hi,
access from outer to internal RDP .. sounds as authenticated VIP.
But as emnoc posted and I will agree it would be more secure to build VPN solution for the remote users (road_warriors) to access your RDP. Then it will be identity based policy from "internal" side of VPN to those RDP servers. As via VPN user will be already authenticated, trusted, and more over WHOLE COMMUNICATION TO RDP ENCRYPTED over the internet!
Which VPN solution you'll choose is up to you.
Newer OS even Win10 has native IPSec support and I would, personally, choose that over SSL tunnel mode (where I would prefer tunnel SSL over web portal SSL access, but I agree that building web portal with RDP bookmark might seems to be easiest way).
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.