Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RHA2000
New Contributor II

FSSO with Azure VDI

Hello everyone,

I'm trying to set up FSSO on AzureVDI. We have a FortiVM in Azure, a Win2019 DC, currently one VDI Server running Windows 10. I have installed the Collector and DC Agent on the DC and the TSAgent on the VDI Server. The connector on the FortiGate is working and I can select LDAP Users/Groups. My issue is that users connecting on the VDI server are not being pushed to the collector; instead, my logins on Azure seen by the DC Agent and because of that, if an admin logs onto the VDI Server, all other users then have internet access. 

 

Sessions on the TSAgent are being logged and assigned port ranges but they simply don't appear to be visible under "Show Logon Users" on the collector. I've specified the VDI server in the "Citrix/Terminal Server" in the collector and on the TSagent, I don't see any connection failure to the collector.

 

Any help would be greatly appreciated.

 

Kind regards,


Renato

2 Solutions
Debbie_FTNT
Staff
Staff

Hey Renato,

it sounds a bit as if your DC Agent is also observing login events for the terminal server and sharing that with the Collector Agent, perhaps overwriting/replacing the TS Agent logins.

The first thing to do is add the terminal server IP to an ignore list so DC Agent will not forward logins for that IP:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Excluding-IP-addresses-from-FSSO-logon-eve...

Once this is taken care of, only TS Agent should be able to provide login information for the IP in question.

If you still don't see the logins in Collector Agent, check the following:

-> the firewall on the domain controller allows UDP/TCP 8002

-> you DON'T have a preshared key set on the TS Agent (that setting is for TS Agent to FortiAuthenticator connection, and doesn't work with Collector Agent to my knowledge)

-> take a capture on port 8002 between the TS Agent and Collector Agent to see if any traffic is being sent

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

Debbie_FTNT

Hey Renato,

is the ICMP issue with your VDI users?

-> ICMP is a portless protocol (neither TCP nor UDP), meaning that the port ranges assigned by TS Agent don't apply.

-> FortiGate has no way to identify which user is sending ICMP traffic in the case of a terminal server, so that traffic will be treated as unauthenticated

-> I would suggest a policy allowing ICMP and limited to source IP of your terminal server

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

5 REPLIES 5
Debbie_FTNT
Staff
Staff

Hey Renato,

it sounds a bit as if your DC Agent is also observing login events for the terminal server and sharing that with the Collector Agent, perhaps overwriting/replacing the TS Agent logins.

The first thing to do is add the terminal server IP to an ignore list so DC Agent will not forward logins for that IP:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Excluding-IP-addresses-from-FSSO-logon-eve...

Once this is taken care of, only TS Agent should be able to provide login information for the IP in question.

If you still don't see the logins in Collector Agent, check the following:

-> the firewall on the domain controller allows UDP/TCP 8002

-> you DON'T have a preshared key set on the TS Agent (that setting is for TS Agent to FortiAuthenticator connection, and doesn't work with Collector Agent to my knowledge)

-> take a capture on port 8002 between the TS Agent and Collector Agent to see if any traffic is being sent

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
RHA2000
New Contributor II

Hi Debbie!

 

Thank you so much. I only opened TCP 8002, not UDP! I've been pulling out my hair on this!

 

One follow-up question if I may. I have a policy for all users that are allowed internet access using a security group. For anyone that is not in that security group, there is no rule since they aren't allowed internet access. For some reason though, ping does not work even for the users that are allowed internet access. The policy is set to allow all services. Is ICMP carried out by a system user somehow?

 

Any ideas? Thanks again for all the help so far!

 

Kind regards,


Renato

Debbie_FTNT

Hey Renato,

is the ICMP issue with your VDI users?

-> ICMP is a portless protocol (neither TCP nor UDP), meaning that the port ranges assigned by TS Agent don't apply.

-> FortiGate has no way to identify which user is sending ICMP traffic in the case of a terminal server, so that traffic will be treated as unauthenticated

-> I would suggest a policy allowing ICMP and limited to source IP of your terminal server

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
RHA2000
New Contributor II

Again, thank you!

Debbie_FTNT

No problem, happy I was able to help :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
Top Kudoed Authors