Arsen
New Contributor

Fortigate RDP authentication without FSSO failure.

Hi, we have configured an LDAP server in our Fgate80C and added a Firewall User Group with Remote Groups. We have two identity-based security policies allowing this user group to access the internet and a terminal server by RDP. The internet access policy works well, with the authentication page appearing. But the TS access policy doesn't work. The firmware version is 5.4.3. What would you suggest?

Thank You.

xsilver_FTNT
Staff

Hi Arsen,


I guess that you are talking about policy seq. #1.

I assume users in the LAN authenticate to their workstations. Maybe LDAP is actually AD, isn't it?

Then users' workstations might be domain members, right?

If so, then what about making it FSSO, so that the user's source IP is pre-authenticated by the time he tries to access the TS? Moreover, you can use the TS Agent to report to the Collector Agent on the DC, add those users on the TS to FSSO and authenticate their traffic via FSSO as well.


Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Arsen

Hi xsilver_FTNT,


Thank you for your quick response. 

Yes, I am talking about policy seq #1.

Yes, LDAP actually is AD, and user's workstations are domain members.

With agent-based and polling-mode FSSO everything works well. But without FSSO, the Firewall User Group with a Remote Group doesn't identify users when they try to access the TS by RDP. If users are authenticated for internet access by policy seq #2, they are then able to initiate an RDP session.


xsilver_FTNT

Hi,


If we summarize, then:

- if the user tried a web page, going through HTTP/HTTPS, he got authenticated through the basic auth popup in the web page

- if he was previously authenticated because of web access, then he can reach the TS through identity-based policy #2

- if he attempts TS access via RDP first, and so is unknown to the firewall, he fails. How would you like to present the user with a firewall authentication pop-up (as for HTTP) when he used the RDP protocol?


That's why I tried to promote FSSO: the user will most probably be known to the firewall long before he tries to access resources via protocols like RDP, which are not as well suited/adapted to additional authentication as HTTP.


Best regards,

Tomas

