Hello everyone,
I'm trying to set up FSSO on AzureVDI. We have a FortiVM in Azure, a Win2019 DC, currently one VDI Server running Windows 10. I have installed the Collector and DC Agent on the DC and the TSAgent on the VDI Server. The connector on the FortiGate is working and I can select LDAP Users/Groups. My issue is that users connecting on the VDI server are not being pushed to the collector; instead, my logins on Azure seen by the DC Agent and because of that, if an admin logs onto the VDI Server, all other users then have internet access.
Sessions on the TSAgent are being logged and assigned port ranges but they simply don't appear to be visible under "Show Logon Users" on the collector. I've specified the VDI server in the "Citrix/Terminal Server" in the collector and on the TSagent, I don't see any connection failure to the collector.
Any help would be greatly appreciated.
Kind regards,
Renato
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey Renato,
it sounds a bit as if your DC Agent is also observing login events for the terminal server and sharing that with the Collector Agent, perhaps overwriting/replacing the TS Agent logins.
The first thing to do is add the terminal server IP to an ignore list so DC Agent will not forward logins for that IP:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Excluding-IP-addresses-from-FSSO-logon-eve...
Once this is taken care of, only TS Agent should be able to provide login information for the IP in question.
If you still don't see the logins in Collector Agent, check the following:
-> the firewall on the domain controller allows UDP/TCP 8002
-> you DON'T have a preshared key set on the TS Agent (that setting is for TS Agent to FortiAuthenticator connection, and doesn't work with Collector Agent to my knowledge)
-> take a capture on port 8002 between the TS Agent and Collector Agent to see if any traffic is being sent
Hey Renato,
is the ICMP issue with your VDI users?
-> ICMP is a portless protocol (neither TCP nor UDP), meaning that the port ranges assigned by TS Agent don't apply.
-> FortiGate has no way to identify which user is sending ICMP traffic in the case of a terminal server, so that traffic will be treated as unauthenticated
-> I would suggest a policy allowing ICMP and limited to source IP of your terminal server
Hey Renato,
it sounds a bit as if your DC Agent is also observing login events for the terminal server and sharing that with the Collector Agent, perhaps overwriting/replacing the TS Agent logins.
The first thing to do is add the terminal server IP to an ignore list so DC Agent will not forward logins for that IP:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Excluding-IP-addresses-from-FSSO-logon-eve...
Once this is taken care of, only TS Agent should be able to provide login information for the IP in question.
If you still don't see the logins in Collector Agent, check the following:
-> the firewall on the domain controller allows UDP/TCP 8002
-> you DON'T have a preshared key set on the TS Agent (that setting is for TS Agent to FortiAuthenticator connection, and doesn't work with Collector Agent to my knowledge)
-> take a capture on port 8002 between the TS Agent and Collector Agent to see if any traffic is being sent
Hi Debbie!
Thank you so much. I only opened TCP 8002, not UDP! I've been pulling out my hair on this!
One follow-up question if I may. I have a policy for all users that are allowed internet access using a security group. For anyone that is not in that security group, there is no rule since they aren't allowed internet access. For some reason though, ping does not work even for the users that are allowed internet access. The policy is set to allow all services. Is ICMP carried out by a system user somehow?
Any ideas? Thanks again for all the help so far!
Kind regards,
Renato
Hey Renato,
is the ICMP issue with your VDI users?
-> ICMP is a portless protocol (neither TCP nor UDP), meaning that the port ranges assigned by TS Agent don't apply.
-> FortiGate has no way to identify which user is sending ICMP traffic in the case of a terminal server, so that traffic will be treated as unauthenticated
-> I would suggest a policy allowing ICMP and limited to source IP of your terminal server
Again, thank you!
No problem, happy I was able to help :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.