Hello!
I have a problem with VPN and group-based firewall rules.
I use my workstation A (win10 Pro) to access server B through 2 FG firewalls which are connected via IPsec VPN. Central FG has ipv4 policy "allow users from FSSO group X and SRCIP A to access server B". We have also FSSO Agent installed on DC (WS2012Std) and normally it works wonderfully - when I'm physically behind my workstation A I can access server B without any problems.
Now, I'm at home and use SSL VPN to connect to Central FG - OK.
Then I open RDP session from my home PC (win 7) to workstation A (RDP works OK) and try to access server B from that RDP session - can't connect.
When I open User & Device -> Monitor -> Firewall on Central FG I see row:
myusername - SSL VPN IP (of my home PC) - Method: Firewall
There are no users listed from my workstation A.
When I lock my workstation A in RDP session from home PC and then open the lock screen I see 2 rows in Firewall User Monitor:
myusername (all lowercase) - SSL VPN IP (of my home PC) - Method: Firewall
MYUSERNAME (all uppercase) - workstation A IP - Method: FSSO
And then connection from workstation A to server B starts to work but only for 5 minutes (which is the "workstation verify interval" I have configured in FSSO Agent). After that 5 minutes the second row from Firewall User Monitor disappears too.
When I try to manually check the workstation from FSSO Agent ("Test Workstation" button) then it pauses for about 5 seconds and then displays dialog box "User is no longer logged on".
When I'm physically behind my workstation and push "Test Workstation" button in FSSO Agent then the test returns "User is still logged on".
Any ideas what might be causing this behaviour? I'd like to be able to use all the FW policy rules from RDP session as being physically behind the workstation.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You need to run diag debug flow to get diagnostic on why it's not working based on the output you will have a avenue to explore and investigate.
PCNSE
NSE
StrongSwan
Isn't there a FSSO Agent for Terminal Servers?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.