Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Bobo
New Contributor

Problem with VPN and group-based firewall rules

Hello!

 

I have a problem with VPN and group-based firewall rules.

 

I use my workstation A (win10 Pro) to access server B through 2 FG firewalls which are connected via IPsec VPN. Central FG has ipv4 policy "allow users from FSSO group X and SRCIP A to access server B". We have also FSSO Agent installed on DC (WS2012Std) and normally it works wonderfully - when I'm physically behind my workstation A I can access server B without any problems.

 

Now, I'm at home and use SSL VPN to connect to Central FG - OK.

Then I open RDP session from my home PC (win 7) to workstation A (RDP works OK) and try to access server B from that RDP session - can't connect.

 

When I open User & Device -> Monitor -> Firewall on Central FG I see row:

myusername - SSL VPN IP (of my home PC) - Method: Firewall

There are no users listed from my workstation A.

 

When I lock my workstation A in RDP session from home PC and then open the lock screen I see 2 rows in Firewall User Monitor:

myusername (all lowercase) - SSL VPN IP (of my home PC) - Method: Firewall

MYUSERNAME (all uppercase) - workstation A IP - Method: FSSO

And then connection from workstation A to server B starts to work but only for 5 minutes (which is the "workstation verify interval" I have configured in FSSO Agent). After that 5 minutes the second row from Firewall User Monitor disappears too.

When I try to manually check the workstation from FSSO Agent ("Test Workstation" button) then it pauses for about 5 seconds and then displays dialog box "User is no longer logged on". 

When I'm physically behind my workstation and push "Test Workstation" button in FSSO Agent then the test returns "User is still logged on".

 

Any ideas what might be causing this behaviour? I'd like to be able to use all the FW policy rules from RDP session as being physically behind the workstation.

2 REPLIES 2
emnoc
Esteemed Contributor III

You need to run diag debug flow to get diagnostic on why it's not working based on the output you will have a avenue to explore and investigate.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
omega
New Contributor

Isn't there a FSSO Agent for Terminal Servers?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors