Captive Portal in Firewall Policies
I am looking for a bit of guidance on how to get captive portal access to resources working based on firewall policies on a FortiGate (currently running 7.2.x). More specifically, I want to restrict management access to devices to authenticated users while allowing full access to the services running on those devices.
For example, if I have users on VLAN 10 and VLAN 20 with Windows servers on VLAN 30 and Linux servers on VLAN 40, I would like to restrict RDP from VLANs 10 and 20 to VLAN 30 to only authenticated users while allowing SMB through for everyone. At the same time I would like to restrict RDP from VLANs 10 and 20 to VLAN 40 to only authenticated users while allowing HTTP and HTTPS through.
Can anyone point me at a complete, end-to-end How-To on how I achieve this, including where the (FQDN) captive portal could/should sit, please?
Labels: Authentication, Firewall policy, FortiGate
There are multiple ways to go about this: FSSO or 802.1X.
Firewall policies are then used for role-based access control.
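A FortiOS CLI sketch of the policy pair for the Windows VLAN in the question, added here as an illustration; it is not part of the original thread or a Fortinet-supplied configuration. The interface names `vlan10`, `vlan20`, `vlan30` and the user group `mgmt-users` are assumed placeholders, and the group is assumed to be populated already by whichever authentication method is chosen (FSSO, 802.1X or captive portal). The VLAN 40 pair would follow the same pattern with HTTP and HTTPS in the open policy.

```fortios
config firewall policy
    edit 0
        set name "rdp-to-windows-authenticated"
        set comments "Example only: RDP allowed for members of the placeholder group mgmt-users"
        set srcintf "vlan10" "vlan20"
        set dstintf "vlan30"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "RDP"
        set groups "mgmt-users"
        set logtraffic all
    next
    edit 0
        set name "smb-to-windows-everyone"
        set comments "Example only: SMB allowed without a user identity"
        set srcintf "vlan10" "vlan20"
        set dstintf "vlan30"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "SMB"
        set logtraffic all
    next
end
```

RDP from a user who is not in the group matches neither policy and is dropped by the implicit deny, so no broader accept rule should follow these two.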
