Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SADS_Support
New Contributor

Authentication for Inbound Policy

I am replacing Juniper SSG Firewalls at a clients site with Fortigate 60E Units. Everything setup fine except one inbound policy the Junipers managed before. We have an RDP server at the site and remote users would need to authenticate against the Juniper Firewall before RDP was available (so the RDP is not open the world for hacking). The method used was we had a simple website running on an internal webserver that the remote user would browse to (via DNS name pointing to Virtual IP) and an authentication windows would pop up (from the Firewall), once a local firewall user credentials were entered the website would then load up (the site was simply a page we created to say firewall authentication was successful) then any another policy that also had 'Auth' enabled was available to the user that had successfully authenticated so the user could RDP direct to the RDP server.

 

I see forums and posts about creating policies to allow internal people access to outside resources but this is a need for Firewall authentication for remote people accessing internal (RDP) resource, as I say this means RDP is not open until you authenticate against the firewall. I've created the local Firewall user and created a Group and added the local Firewall user to the group, I just don't see how to only have the policy active once the user is authentication.

 

Any help, much appreciated.

 

Thanks,

 

Matt.

 

4 REPLIES 4
emnoc
Esteemed Contributor III

You didn't mention what   forties version, but you need a identity-based policy. Take a look at  my blog  post a few years back.

 

http://socpuppet.blogspot.com/2014/11/fortigate-identity-policies-trouble.html

 

ID based has changed over the various fortiOS version, I'll post a new followup   post, since v5.4 and v5.6  has been out since that posting. I don't know if you can do  RDP tho and that would be your biggest challenge ;)

 

You might be  better off using a SSLVPN webportal and with  a RDP bookmark for just that  RDP-server(s)  that you want to allow. It would satisfy the same requirement, provide  full encryption and than easier to manage if you add more users or more RDP  webtops.

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
SADS_Support

Thanks Ken, the Fortinet Device and version being used here is a Fortigate 60E version v5.4.3,build5873, Was hoping it was something achievable via the Web management GUI?

 

Matt.

 

emnoc
Esteemed Contributor III

The process is simple, build  the fwpolicy , select the user ( it's the  tab on the  right side  when your in the fwpolicy )  Select the  user and group and  submit the policy.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
xsilver_FTNT
Staff
Staff

Hi,

access from outer to internal RDP .. sounds as authenticated VIP.

But as emnoc posted and I will agree it would be more secure to build VPN solution for the remote users (road_warriors) to access your RDP. Then it will be identity based policy from "internal" side of VPN to those RDP servers. As via VPN user will be already authenticated, trusted, and more over WHOLE COMMUNICATION TO RDP ENCRYPTED over the internet!

 

Which VPN solution you'll choose is up to you.

Newer OS even Win10 has native IPSec support and I would, personally, choose that over SSL tunnel mode (where I would prefer tunnel SSL over web portal SSL access, but I agree that building web portal with RDP bookmark might seems to be easiest way).

 

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

Labels
Top Kudoed Authors