Hello, we have an annoying issue here with user authentication to an IIS server through a Fortigate 240d (FortiOS 5.2.3) cluster.
I have made a policy that allows connection from the internet for the usergroup rds-users
source interface: wan1
source address: all
source users: rds-users
outgoing interface: inside
destination address: vip of iis server (static nat)
service: https
What happens is that, when you connect to this vip address from the internet, you get the Fortinet authentication portal, where you have to enter your (AD) username, password and fortitoken. When successfully authenticated, you can enter the company webportal.
This works great, however.... The next user that originates from the same public ip address doesn't have to go through the authentication and is directly redirected to the webportal (!)
I haven't found a workaround for this yet, maybe anyone has an idea how to solve this issue?
Thank you and regards,
Ralph Willemsen
Arnhem, Netherlands
There is no workaround, the authentication works on an IP base.
thank you, that is what I was afraid of :(
Regards, Ralph
WELL you could try to do it as a web sslvpn portal, I don't have access to my test device right now but last I checked the sslwebportal had bookmarks for web pages?
Go to VPN > SSL > Portals and create a new Web Portal
Uncheck Tunnel Mode and check Enable Web Mode
Under Predefined Bookmarks hit Create New and see if that suits your needs
From your group name I gather you are trying to publish a Remote Web Access site from MS? Give me a status if that works, I think I got the exact same setup but sadly the guy before me let the "IP based auth" stand as it is :\
Hello, I have thought about using web based vpn, and tested this earlier with access to rdp server, but this is too cumbersome, since this doesn't work smoothly (Java issues, disconnecting session when user hits Enter).
I will look further, maybe you know whether it is possible to use fortitoken as a plugin for Windows 2012 server R2?
Then we can publish the portal directly from IIS with a fortitoken window.
Thanks,
Ralph
Like you I failed with an RDP bookmark (Java) but AFAIK Microsoft Remote Web Access only needs https.
Have you tried an https Bookmark for the /rdweb/feed/webfeed.aspx site?
Hello, that looks nice as well, thanks! Since it is only to protect the Microsoft server directly from the internet, I think they will think it's acceptable that additional logins from the same (public) ip don't have to authenticate with the Fortigate. The rds server itself also has a portal where you have to authenticate.
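Because the firewall authentication discussed in this thread is tied to the source IP, one way to see how often other users ride in on someone else's portal login is to compare firewall authentication records with the usernames IIS logs for the same client IP. The following is an added example, not code from any poster or from Fortinet; the record layout of `FW_AUTH`, the one-hour `window`, the function names and all sample data are assumptions constructed for illustration, and both logs are assumed to use the same time zone.

```python
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed firewall auth records (time, source IP, user). A real export
# would first have to be mapped into this assumed shape.
FW_AUTH = [
    ("2015-06-01 08:00:05", "203.0.113.10", "alice"),
    ("2015-06-01 08:30:00", "198.51.100.7", "carol"),
]

# Constructed IIS W3C extended log; column order is taken from #Fields.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2015-06-01 08:01:10 GET /rdweb/feed/webfeed.aspx - 203.0.113.10 401
2015-06-01 08:01:12 GET /rdweb/feed/webfeed.aspx CORP\\alice 203.0.113.10 200
2015-06-01 08:20:44 GET /rdweb/feed/webfeed.aspx CORP\\bob 203.0.113.10 200
2015-06-01 08:31:02 GET /rdweb/feed/webfeed.aspx CORP\\carol 198.51.100.7 200
"""

def parse_iis(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def unauthenticated_riders(fw_auth, iis_rows, window=timedelta(hours=1)):
    """Return (ip, user) pairs that logged in to IIS without that user having
    passed the firewall portal from that IP within `window` beforehand."""
    seen = {}
    for ts, ip, user in fw_auth:
        seen.setdefault((ip, user.lower()), []).append(datetime.strptime(ts, TS))
    findings = set()
    for r in iis_rows:
        if r["cs-username"] == "-":          # anonymous request, no identity
            continue
        user = r["cs-username"].split("\\")[-1].lower()   # strip DOMAIN\
        when = datetime.strptime(r["date"] + " " + r["time"], TS)
        auths = seen.get((r["c-ip"], user), [])
        if not any(timedelta(0) <= when - t <= window for t in auths):
            findings.add((r["c-ip"], user))
    return sorted(findings)

if __name__ == "__main__":
    for ip, user in unauthenticated_riders(FW_AUTH, parse_iis(IIS_LOG)):
        print(f"{user} reached IIS from {ip} without a firewall login")
```

In the sample data only `bob` is reported: he reaches the server from the address that `alice` authenticated from, without a firewall login of his own.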