Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Block AD user's web access connected from a RDS session


I'd like to block the web access of an AD user connected to a RDS session.

I tried with the FSSO feature but it is not working. It works only for users with a PC.


Do you have some tips for that?

Thanks a lot for your help.

Community Manager


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.

Hi eyildirim,


You should try with the "TSAgent" on the RDS server (directly, not a gateway). It reports RDS users to the Collector Agent with a port range and IP address. Since FSSO comes with user+IP, multiple users with the same IP won't work. The Terminal Server Agent is made for that, as it adds a port range to the authenticated user and the user's traffic leaves from that port range towards the FortiGate.

It is simple to check if it works: run a packet capture on the FortiGate with the IP of the RDS server and see whether the user traffic going to some site comes with the specific port range. The port range can be seen on the Collector Agent or in the FortiGate user list.

On CLI, the easiest is

diag firewall auth list | grep -A7 -i <username>

When you have this working, you should match the user group on AD with a web filter permission.

If a user has a certain group membership they CAN access the resources as the webfilter on the policy allows this (whitelisting).

If the user does not have the AD group membership, the policy cannot be matched and a different web filter may be matched, blocking the access to, for example, Gmail.


Best practice is to have specific AD groups that define the FSSO permission sets and make the users member of the respective groups. Set these groups to be monitored in the FSSO Collector/connector.


Best regards,
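The verification step described in the answer above (does traffic from the RDS server's IP fall inside the port range the TS Agent assigned to a user?), as an added example that is not part of the original thread or any Fortinet tool. The RDS address, user names, port ranges and capture lines are all constructed for illustration.

```python
# Added example: attribute flows from a Terminal Server to users by the
# per-user source-port range a TS Agent would report to the Collector Agent.
# All addresses, users, ranges and capture lines below are constructed.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRange:
    user: str
    lo: int
    hi: int

RDS_SERVER_IP = "10.0.0.20"  # hypothetical RDS server address

# Hypothetical per-user ranges, as they would appear on the Collector Agent.
RANGES = [
    PortRange("alice", 20000, 20999),
    PortRange("bob", 21000, 21999),
]

# Constructed capture lines in a simplified "src.port -> dst.port" sniffer style.
CAPTURE = """\
10.0.0.20.20417 -> 192.0.2.10.443
10.0.0.20.21503 -> 198.51.100.7.443
10.0.0.20.49152 -> 192.0.2.10.443
10.0.0.33.51000 -> 192.0.2.10.443
"""

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+)$")

def resolve_user(src_ip, src_port, ranges=RANGES, rds_ip=RDS_SERVER_IP):
    """Return the user owning (src_ip, src_port) or None if no range matches."""
    if src_ip != rds_ip:
        return None
    for r in ranges:
        if r.lo <= src_port <= r.hi:
            return r.user
    return None

def attribute_capture(text, ranges=RANGES, rds_ip=RDS_SERVER_IP):
    """Tag each flow with its user. Flows leaving the RDS host from a port
    outside every assigned range are tagged 'UNMAPPED': those would only match
    a policy by IP, which is exactly the failure the TS Agent is meant to fix."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = m.group(1), int(m.group(2))
        dst_ip, dst_port = m.group(3), int(m.group(4))
        user = resolve_user(src_ip, src_port, ranges, rds_ip)
        if user is None and src_ip == rds_ip:
            user = "UNMAPPED"
        flows.append((src_ip, src_port, dst_ip, dst_port, user))
    return flows
```

Any 'UNMAPPED' flow from the RDS address is the case to chase on the Collector Agent before touching the web filter policy.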