Hi, we have configured an LDAP server on our Fgate80C and added a Firewall User Group with Remote Groups. We have two identity-based security policies allowing this user group to access the internet and a terminal server via RDP. The internet access policy works well, with the authentication page appearing, but the TS access policy doesn't work. The firmware version is 5.4.3. What would you suggest?
Thank You.
Hi Arsent,
I guess that you are talking about policy seq. #1.
I assume users in the LAN authenticate to their workstations. Maybe LDAP is actually AD, isn't it?
Then the users' workstations might be domain members, right?
If so, then what about making it FSSO, and so having the user's source IP pre-authenticated by the time he tries to access the TS? Moreover, you can use the TS Agent to report to the Collector Agent on the DC, add those users on the TS to FSSO, and authenticate their traffic via FSSO as well.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi xsilver_FTNT,
Thank you for your quick response.
Yes, I am talking about policy seq #1.
Yes, LDAP actually is AD, and the users' workstations are domain members.
With agent-based and polling mode FSSO everything works well. But without FSSO, the Firewall User Group with Remote Group doesn't identify users when they try to access the TS via RDP. If users are authenticated for internet access by policy seq #2, after that they are able to initiate an RDP session.
Hi,
If we summarize, then:
- if the user tries a web page, going through HTTP/HTTPS, he gets authenticated through the basic-auth popup in the web page
- if he is previously authenticated because of web access, then he can reach the TS through identity-based policy #2
- if he attempts TS access via RDP first, and so is unknown to the firewall, he fails. How would you like to present the user with a firewall authentication pop-up (as for HTTP) when he used the RDP protocol?
That's why I tried to promote FSSO, because the user will most probably be known to the firewall long before he tries to access resources via protocols like RDP, which are not as suited/adapted to additional authentication as HTTP.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
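As an added illustration of the setup Tomas describes (not configuration posted by either participant), here is a FortiOS 5.4-style CLI fragment that defines the AD/LDAP server, a remote-group firewall user group for the web policy (active authentication via the captive portal or basic-auth popup), an FSSO group fed by the Collector Agent for the RDP policy (passive authentication, so no popup is needed), and the two policies. All names, addresses, interface names and group DNs are assumed placeholders; the `#` lines are annotations for the reader, not FortiOS CLI syntax, and would be dropped before pasting.

```fortios
# --- Assumed: AD reachable via LDAP at 192.0.2.10, bind account "fgtbind" ---
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=fgtbind,cn=users,dc=example,dc=local"
        set password <bind-password-placeholder>
    next
end

# --- Remote-group firewall user group: members are resolved against AD
#     at login time, so this group only works where the firewall can
#     challenge the user (HTTP/HTTPS, FTP, Telnet) ---
config user group
    edit "AD-Remote-Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=TS-Users,CN=Users,DC=example,DC=local"
            next
        end
    next
end

# --- FSSO: Collector Agent on the DC at 192.0.2.20 (the TS Agent on the
#     terminal server reports to this Collector Agent) ---
config user fsso
    edit "AD-Collector"
        set server "192.0.2.20"
        set password <collector-password-placeholder>
    next
end

# --- FSSO group: membership comes from the Collector Agent's logon events,
#     so the source IP is already mapped to a user before the first packet ---
config user group
    edit "FSSO-TS-Users"
        set group-type fsso-service
        set member "CN=TS-USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL"
    next
end

config firewall policy
    # Policy 1: RDP to the terminal server. Matching on the FSSO group lets
    # a domain-logged-on workstation pass without any popup; listing the
    # remote group as well keeps the "already web-authenticated" path working.
    edit 1
        set name "LAN-to-TS-RDP"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN-net"
        set dstaddr "TS-host"
        set action accept
        set schedule "always"
        set service "RDP"
        set groups "FSSO-TS-Users" "AD-Remote-Users"
    next
    # Policy 2: internet access. The remote group is enough here because
    # the firewall can present the authentication page on HTTP/HTTPS.
    edit 2
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set groups "AD-Remote-Users"
        set nat enable
    next
end
```

After applying something like this, `diagnose debug authd fsso list` on the FortiGate shows which source IPs the Collector Agent has mapped to users; an RDP client whose IP is absent from that list will still be treated as unknown, which is exactly the failure described in the thread.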