Ditmar
New Contributor

Citrix web access with fortitoken

Hi all, we are planning to change our 2-factor authentication from R** Token to FortiToken. It is working fine with FortiClient, even sending the code via email is perfect. The next step is to get it working with Citrix Secure Gateway. With our actual system we can authenticate with domain user name, domain password and in another line with PIN and tokencode. This is realized with a plugin to the website. How can I get this with our FortiGate (200B)? Thank you for your help.
hpraxedes
New Contributor

Hi, you can't do this. The FortiGate will not work as a credential server or RADIUS server. To use FortiTokens with other applications you will need to use the FortiAuthenticator, which acts as a RADIUS server.
Ditmar
New Contributor

Hi hpraxedes, thank you for your quick reply. Is it possible to connect to e.g. Citrix web access without having FortiClient installed? I didn't find any information about this. With our actual solution we can connect from any (public) PC without installing software and we would like to have this possibility with FortiToken, too.
mhe
Contributor II

You can enable authentication at the firewall policy. So the user first authenticates to the FortiGate and only gets to the web server if this is successful. This adds a layer of security to the whole infrastructure.
martin
Ditmar
New Contributor

But is this possible without FortiClient?
hpraxedes
New Contributor

Hi Ditmar, as far as I can understand your scenario, you want to use the FortiToken on the Citrix authentication, is that correct? If it is, you can't use it without the FortiAuthenticator. But if you want just one more auth layer, you can use the policy authentication. The policy auth will display a web page to the user; once authenticated, the policy becomes valid and the access is granted, but the user will need to authenticate on the Citrix too. For this scenario you don't need the FortiClient.
Ditmar
New Contributor

My favourite version would be authentication in Citrix with FortiToken and Windows password like we have it now. But I would also be happy with a web page for first authentication with FortiToken and then a forwarding to the Citrix login page. But how can I set this up? I'm not yet so familiar with FortiGate.
hpraxedes
New Contributor

Hi Ditmar, if you are using FortiOS 4.0 the configuration should be like this:

WEB GUI: To create an identity-based policy - web-based manager

1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following:
3. Select Enable Identity Based Policy.
4. Firewall authentication is enabled by default.
5. Select Add.
6. From the Available User Groups list, select the Accounting user group and select the right arrow to move it to the Selected User Groups area.
7. From the Available Services list, select HTTPS and select the right arrow to move it to the Selected Services area.
8. For the Schedule, select Always.
9. Select OK.
mhe
Contributor II

Correct, works great with FortiTokens too!
Ditmar
New Contributor

Thank you all for your excellent help, it really works fine in this way.