Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vusal_d
New Contributor

Force User Authentication over Explicit Proxy

Hi all forum gurus

Right now we are moving from our old MS TMG to Fortigate 1000D.

Got a question about Proxy policy

First, I have to tell that all users in our organization have proxy settings enabled in their browsers.

How do I force authentication of users from a specified IP source?

I've set up some testing rules (attached picture) but I can't get it to work for Terminal Servers IP groups. Seems users are not authenticated ...

 

xsilver_FTNT
Staff

Hi,

policy like #2 is not gonna get hit as there is any-any-accept .. easier way without authentication.

So first get rid of any-any-accept stuff .. this is firewall and default rule is deny.

All you configure are exceptions for those you would like to explicitly allow through under some conditions.

Then, to apply authentication, the user for example needs to come through a port which spawns a captive portal.

Or user can be pre-authenticated via FSSO (and for Terminal Servers best equipped with TSAgent), or handle all on session basis via Explicit proxy policies .. 

 

Docs.fortinet.com and Authentication guide has a lot of tips.

Specific scenarios are on Cookbooks site.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

baggins
New Contributor III

Hi,

 

You need to play with these ones:

(my sample configuration)..

config authentication scheme
    edit "ntlm"
        set method ntlm
    next
    edit "fsso"
        set method fsso
    next
end
config authentication rule
    edit "proxytest"
        set srcaddr "all" - here you can define who will be authenticated...but there are more options..
        set active-auth-method "ntlm"
        set sso-auth-method "fsso"
    next
end
config authentication setting
    set active-auth-scheme "ntlm"
end
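How the pieces in this thread fit together for the Terminal Servers case, as an added example that was not posted by any participant: the authentication rule from the sample above is narrowed to one source address object, and the explicit proxy policy accepts only members of a user group, with no any-any-accept policy left for unauthenticated sessions to match. The names "TS_Servers", "Proxy_Users" and "wan1" are placeholders, and the schemes "ntlm" and "fsso" are assumed to exist as defined in the sample.

```fortios
# Added example. "TS_Servers" (address object), "Proxy_Users" (user group)
# and "wan1" (outgoing interface) are placeholder names, not from the thread.

# Authentication rule limited to the source range that must authenticate.
config authentication rule
    edit "proxytest"
        set srcaddr "TS_Servers"
        set active-auth-method "ntlm"
        set sso-auth-method "fsso"
    next
end

# Explicit proxy policy that only accepts authenticated group members.
# No catch-all accept policy is defined, so sessions that do not match
# fall through to the default deny.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "TS_Servers"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "Proxy_Users"
    next
end
```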
