Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
osaris
New Contributor

Identity base rule from wan to lan

Hello,

 

I'm running a FG60E, I'd like my users to login through a "captive portal" before being able to access internal RDP servers by NAT. I can't use a VPN/SSL VPN because my users are connecting from various computers every day and can't install Forticlient on each (they are not admin), and RDP Web isn't acceptable for their job. I'll add 2FA to increase security.

 

I created a rule from WAN to LAN with a VIP for my NAT, it works well. Then I added a user to my rule (so it becomes "Identity based ?"), now I cannot connect to RDP through NAT (make sense) but I cannot login, I don't know where to login ?

 

I have enabled HTTP, HTTPS etc protocols in my authentication settings.

 

Any help appreciated !

 

Regards

2 REPLIES 2
lobstercreed
Valued Contributor

Hi Raphaël,

I'm afraid the answer is that VPN is exactly what you need.  As far as I know (I'd be happy to be proven wrong), there's fundamentally no way to force a user to a "captive portal" from several router hops away.  This can only be done if they are on an internal network to require login before accessing other networks.

I'm afraid you'll have to work with someone who is an admin on their computers to install FortiClient.

- Daniel

osaris

I'm using something similar to what I want to achieve to connect to one of our customer RDP server. I need to login on a captive portal (Zywall USG) then I can make a RDP session through NAT.

 

I understand it's not as secure as a VPN but the portal could store my remote IP, computer name etc and then allow other rules (RDP) based on that.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors