Ralph1973
Contributor

first user needs to authenticate, subsequent users don't

Hello, we have an annoying issue here with user authentication to an IIS server through a Fortigate 240d (FortiOS 5.2.3) cluster.

I have made a policy that allows connection from the internet for the usergroup rds-users

source interface: wan1

source address: all

source users: rds-users

outgoing interface: inside

destination address: vip of iis server (static nat)

service: https

 

What happens is that, when you connect to this vip address from the internet, you get the Fortinet authentication portal, where you have to enter your (AD) username, password and fortitoken. When successfully authenticated, you can enter the company webportal.

This works great, however... The next user that originates from the same public ip address doesn't have to go through the authentication and is directly redirected to the webportal (!)

I haven't found a workaround for this yet, maybe anyone has an idea how to solve this issue?


Thank you and regards,

Ralph Willemsen

Arnhem, Netherlands

 

1 Solution
gschmitt
Valued Contributor

There is no workaround, the authentication works on an IP base.

Ralph1973

thank you, that is what I was afraid of :(

 

Regards, Ralph

gschmitt
Valued Contributor

WELL you could try to do it as a web sslvpn portal, I don't have access to my test device right now but last I checked the sslwebportal had bookmarks for web pages?

 

Go to VPN > SSL > Portals and create a new Web Portal

Uncheck Tunnel Mode and check Enable Web Mode

Under Predefined Bookmarks hit Create New and see if that suits your needs

 

From your group name I gather you are trying to publish a Remote Web Access site from MS? Give me a status if that works, I think I got the exact same setup but sadly the guy before me let the "IP based auth" stand as it is :\

Ralph1973

Hello, I have thought about using web based vpn, and tested this earlier with access to rdp server, but this is too cumbersome, since this doesn't work smoothly (Java issues, disconnecting session when user hits Enter).

I will look further, maybe you know whether it is possible to use fortitoken as a plugin for Windows 2012 server R2?

Then we can publish the portal directly from IIS with a fortitoken window.

Thanks,

Ralph

gschmitt
Valued Contributor

Like you I failed with an RDP bookmark (Java) but AFAIK Microsoft Remote Web Access only needs https.

Have you tried an https Bookmark for the /rdweb/feed/webfeed.aspx site?

Ralph1973

Hello, that looks nice as well, thanks! Since it is only to protect the Microsoft server directly from the internet, I think they will think it's acceptable that additional logins from the same (public) ip don't have to authenticate with the Fortigate. The rds server itself also has a portal where you have to authenticate.
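
Added example, not part of any post in this thread and not FortiOS code: a simplified Python model of the behaviour described in the accepted answer, where a firewall policy keeps one authentication entry per source IP, shown next to a per-browser session token scheme for contrast. The class names, the 300-second timeout and the 203.0.113.10 address are assumptions made for the illustration.

```python
import secrets


class IpKeyedAuth:
    """Firewall-policy style: one auth entry per source IP (simplified model)."""

    def __init__(self, timeout=300):  # timeout in seconds, assumed value
        self.timeout = timeout
        self.entries = {}  # source IP -> (username, expiry time)

    def login(self, src_ip, user, now):
        self.entries[src_ip] = (user, now + self.timeout)
        return None  # nothing is handed back to the browser

    def allowed(self, src_ip, now, cookie=None):
        entry = self.entries.get(src_ip)
        return entry is not None and now < entry[1]


class SessionKeyedAuth:
    """Web-portal style: one auth entry per browser session token (assumed model)."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.sessions = {}  # token -> (username, expiry time)

    def login(self, src_ip, user, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + self.timeout)
        return token  # only the browser that logged in holds this

    def allowed(self, src_ip, now, cookie=None):
        entry = self.sessions.get(cookie)
        return entry is not None and now < entry[1]


def second_user_bypasses(auth):
    """Two users behind one NAT address; only the first one logs in."""
    nat_ip = "203.0.113.10"  # constructed documentation address
    cookie = auth.login(nat_ip, "alice", now=0)
    assert auth.allowed(nat_ip, now=10, cookie=cookie)  # alice gets through
    # bob shares the public IP, never authenticated and holds no cookie
    return auth.allowed(nat_ip, now=20, cookie=None)


if __name__ == "__main__":
    print("IP-keyed, second user admitted:", second_user_bypasses(IpKeyedAuth()))
    print("Session-keyed, second user admitted:", second_user_bypasses(SessionKeyedAuth()))
```

In the IP-keyed model the exposure lasts until the entry expires, so the authentication timeout bounds how long other hosts behind the same public address are admitted.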
