Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexW
New Contributor III

Fortiweb and RDS Gateway

Hi,

 

I'm working on a solution with the Fortiweb and a RDS Gateway and 2FA (fortiauthenticator).

I've got the 2FA part working with the RDS Gateway. Users get a login page and after they are authenticated they are redirected to the RDWEB page. All is fine.

 

Now i got a security issue where users are able to bypass the 2FA.

When you access the RDWEB page and click on a RDP session a RDP link is downloaded to the client. In normal situation this is opened immediately. Now when i log out and click on the RDP link can authenticate directly to the RDS Gateway, and are bypassing the Fortiweb Authentication page and the 2FA. This is always posible, even several days after the last login.

 

I Configured a session cookie timeout, but this does not seem to fix this issue. I think i am missing something like a session timeout or something.

 

FortiWeb-VM 5.50,build0697

 

Any help is appreciated!

 

Regards, Alex

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
6 REPLIES 6
dooasmi
New Contributor

Are you using security groups for 2FA?

AlexW
New Contributor III

With security groups, are you refering to the fortiauthenticator ?

 

The direct opening of the RDP file does not get authenticated against the Fortiauthenticator, but this goes straight to the RDS Gateway, there it is authenticated against AD. (so no 2fa)

 

The Fortiweb is stil in the middle of the connection but does not stop this direct connection..

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
AlexW
New Contributor III

I figured it out, When the RDP link is opened it goes to another folder witch does not have authentication on it so that's why it is passing it. If i put authentication on that folder "RDP over https" is not working anymore.

 

This is because Authentication is not passed from the browser to the RDP application (mstsc) You should see it like you click on a link in chrome and a firefox page is opened. an all new application so an all new authentication process. So an authentication cookie does not work in this situation.

 

Does anyone know if you can authenticate a session regardless of which application makes the initial connection ? so when you open a second browser (this case RDP/mstsc) you do not have to authenticate again ?

 

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
MikePruett
Valued Contributor

I am a little confused on your deployment and layout. I also see that you were able to resolve part of the problem. Can you go into more detail on the part of the issue that still exists?

Mike Pruett Fortinet GURU | Fortinet Training Videos
AlexW
New Contributor III

It's sort of resolved, as i know now what is happening with the application. i can authenticate the second request, but then the application does not work anymore. It is actually as (badly) designed by Microsoft.

 

The setup is as followed;

First the browser is authenticated by fortiweb for the RDWeb (IIS) then a second connection is made via the RDP application (MSTSC) to the RDGateway. The second connection needs to  be authenticated again because it is a new connection coming from a new source application.

 

So now a new question appears, how can i make this work so when the change from the browser to the RDP application is made, the RDP application does not need to be authenticated again ?

 

Regards, Alex

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
CCO
New Contributor

alex Wassink wrote:

I figured it out, When the RDP link is opened it goes to another folder witch does not have authentication on it so that's why it is passing it. If i put authentication on that folder "RDP over https" is not working anymore.

 

This is because Authentication is not passed from the browser to the RDP application (mstsc) You should see it like you click on a link in chrome and a firefox page is opened. an all new application so an all new authentication process. So an authentication cookie does not work in this situation.

 

Does anyone know if you can authenticate a session regardless of which application makes the initial connection ? so when you open a second browser (this case RDP/mstsc) you do not have to authenticate again ?

 

Hello Alex we are dealing with the same problem.

 

Can you give information about the folder for the rdp link where you need to put authentication on to resolve this issue ?

Labels
Top Kudoed Authors