Brent-ITSolutions
New Contributor

Virtual Server with Exchange OnPrem with ADFS.

Hi, I've been struggling with this one for a couple of weeks now and haven't found a solution.

In my lab environment with a single IP address available I was running a 600c perfectly well, but I decided to change to a 200e (v7.6.0 build3401) for the additional functionality.

Internally I am running an on-premises Exchange Server, an ADFS Server for webmail authentication, along with an unrelated website, all on separate servers. I use virtual servers (HTTPS) to connect to the appropriate real server based on the host header, e.g. (not real IP addresses):

mail.myname.com (100.100.100.1:443) -> Server 1 (192.168.0.1:443)

adfs.myname.com (100.100.100.1:443) -> Server 2 (192.168.0.2:443)

website.myname.com (100.100.100.1:443) -> Server 3 (192.168.0.3:443)

  • Browsing to the web server works perfectly.
  • Browsing directly to the ADFS authentication page (passing the appropriate parameters) works perfectly, including redirecting back to the mail server after authentication.
  • Browsing to the webmail server leaves the browser spinning (it doesn't time out) and doesn't redirect to the ADFS authentication page.
    • Connecting internally (not through the FortiGate) works perfectly.
    • Sometimes it will quickly redirect to the ADFS server and everything is happy. This usually happens for the first 5 minutes after making any sort of change to the virtual server (e.g. adding another real server), then it goes back to the same behaviour.
    • Sometimes, if the web page is left loading, it will eventually load the ADFS authentication page.

Does anyone have any insight as to why this was working on the 600c with the same configuration and I cannot get it to work on the 200e?

Thanks

Stephen_G
Moderator

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Stephen - Fortinet Community Team
Stephen_G
Moderator

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.

Stephen - Fortinet Community Team
Stephen_G
Moderator

According to the people I've talked to, it's hard to tell what the issue is without logs from the client browser or packet traces from FortiGate. However, the issue seems to be related to how the redirection is performed from the mail server to ADFS for the auth piece.

It's possible that the URL/FQDN/IP that is called from Exchange does not match what is expected to match the VIP.

It's also possible there's a conflicting UTM feature enabled, or some sort of issue in 7.6.0.

We strongly recommend you get in touch with TAC and provide a browser debug output (.har file) to help see what is being requested in the transaction. (Please do not post those logs here, as there could be sensitive data within.)

Stephen - Fortinet Community Team
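One way to do the HAR check the moderator suggests before opening the TAC case, as an added example that is not part of this thread and not Fortinet tooling: the script below walks the entries of a browser HAR export, reconstructs the redirect chain (request URL, status, Location header), and flags any hop whose host is not one of the host headers the virtual servers are configured to route. It also lists requests that never received a response, which is what a hanging webmail page typically looks like in a capture. The embedded HAR fragment is constructed sample data, and the expected-host list is an assumption taken from the three names in the original post.

```python
"""Inspect a browser HAR capture for redirect hops that a host-header
based virtual server would not match.  Added example for the thread
above; not Fortinet code.  SAMPLE_HAR is constructed test data and
VIP_HOSTS is an assumption based on the names in the original post."""
import json
from urllib.parse import urlparse

# Host headers the virtual servers on the public address are expected to
# route (assumption; replace with the hosts in your own VIP configuration).
VIP_HOSTS = {"mail.myname.com", "adfs.myname.com", "website.myname.com"}

# Constructed HAR fragment: webmail redirects to ADFS, ADFS answers, then a
# second hop sends the browser to an internal name the VIP does not route.
# The last entry has status 0, which many exporters use for "no response".
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://mail.myname.com/owa/"},
         "response": {"status": 302, "headers": [
             {"name": "Location",
              "value": "https://adfs.myname.com/adfs/ls/?wa=wsignin1.0"
                       "&wtrealm=https%3a%2f%2fmail.myname.com%2fowa%2f"}]}},
        {"request": {"url": "https://adfs.myname.com/adfs/ls/?wa=wsignin1.0"},
         "response": {"status": 200, "headers": []}},
        {"request": {"url": "https://mail.myname.com/owa/"},
         "response": {"status": 302, "headers": [
             {"name": "Location",
              "value": "https://exchange01.internal.example/owa/auth/"}]}},
        {"request": {"url": "https://exchange01.internal.example/owa/auth/"},
         "response": {"status": 0, "headers": []}},
    ]}
})


def header(headers, name):
    """Case-insensitive lookup of a HAR header value (None if absent)."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def redirect_hops(har_text):
    """Return (request_url, status, location_or_None) for every entry."""
    hops = []
    for entry in json.loads(har_text)["log"]["entries"]:
        resp = entry["response"]
        hops.append((entry["request"]["url"],
                     resp["status"],
                     header(resp.get("headers", []), "Location")))
    return hops


def unexpected_hosts(har_text, expected=VIP_HOSTS):
    """Hosts requested or redirected to that are not in the VIP host list."""
    bad = []
    for url, _status, location in redirect_hops(har_text):
        for candidate in (url, location):
            if not candidate:
                continue
            host = urlparse(candidate).hostname
            if host and host not in expected and host not in bad:
                bad.append(host)
    return bad


def stalled_requests(har_text):
    """Request URLs that never received a response (status 0)."""
    return [url for url, status, _ in redirect_hops(har_text) if status == 0]


if __name__ == "__main__":
    for url, status, location in redirect_hops(SAMPLE_HAR):
        print(f"{status:>3}  {url}" + (f"  ->  {location}" if location else ""))
    print("hosts the VIP will not match:", unexpected_hosts(SAMPLE_HAR))
    print("requests with no response:   ", stalled_requests(SAMPLE_HAR))
```

To use it on a real capture, replace `SAMPLE_HAR` with the contents of the exported .har file and set `VIP_HOSTS` to the host headers your virtual servers actually match; run it locally, since the HAR contains cookies and tokens and should not be shared on the forum.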