Hi All,
My customer recently moved to a FortiGate from a Palo Alto firewall. The customer is using Workspace ONE. It acts like a proxy (tunnels the traffic to the Workspace ONE server). All customer internet traffic comes to the Workspace ONE server from a DNAT in the FortiGate. That traffic then goes out using the source IP of the Workspace ONE server. I need to implement user-based rules for users who are using Workspace ONE when reaching the internet. Also, user identification needs to be SSO. When I enable network detection on the interfaces, some users were detected, as in the image below. The customer doesn't want to go with captive portals. What can I do about this? (For the Citrix VDI environment we are using FSSO and TS Agent; it is working fine.)
@Sadhi_Jayzsurah yaseen pdf wrote:
> Hi All,
> My customer recently moved to a FortiGate from a Palo Alto firewall. The customer is using Workspace ONE. It acts like a proxy (tunnels the traffic to the Workspace ONE server). All customer internet traffic comes to the Workspace ONE server from a DNAT in the FortiGate. That traffic then goes out using the source IP of the Workspace ONE server. I need to implement user-based rules for users who are using Workspace ONE when reaching the internet. Also, user identification needs to be SSO. When I enable network detection on the interfaces, some users were detected, as in the image below. The customer doesn't want to go with captive portals. What can I do about this? (For the Citrix VDI environment we are using FSSO and TS Agent; it is working fine.)

To implement user-based rules for Workspace ONE proxy users without using captive portals, consider leveraging FortiGate's integration with Workspace ONE for user identification. Since you're already using FSSO and TS Agent in your Citrix VDI environment, you might explore extending this setup to include user identification for Workspace ONE users as well. You can also configure the FortiGate to capture SSO authentication events and map them to user sessions. This way, you can enforce policies based on user identity without requiring a captive portal.
Copyright 2024 Fortinet, Inc. All Rights Reserved.