Fortiauthenticator and Windows RDS Gateway

AlexW
2015/10/19 07:56:42

Hi..
 
We want to use our Fortiauthenticator to provide 2FA with a Windows RDS gateway (2012). I cannot find any documentation on this, so I was hoping someone else has figured this out.
 
I think I have to use the Fortiauthenticator plugin for IIS/OWA, but how can I configure this plugin for the RDS Gateway? And is it even possible?
 
Regards, Alex
 
 
#1

14 Replies

    Carl Windsor_FTNT
    Fortinet
    Re: Fortiauthenticator and Windows RDS Gateway 2015/10/19 08:29:00
    The IIS/OWA gateway is for IIS running OWA not IIS or OWA.  I will get the docs updated to make this more explicit.
     
    Looking at how the Remote Desktop Gateway functions, I do not believe we have a solution for you today.  Speak to your Fortinet SE if you want to open a feature request.
    post edited by Carl Windsor_FTNT - 2015/10/19 08:30:20

    Dr. Carl Windsor
    Field Chief Technology Officer
    Fortinet
    #2
    AlexW
    Re: Fortiauthenticator and Windows RDS Gateway 2015/11/18 02:50:01
    I have spoken to our SE, and a feature request has been opened.
     
    Other options now are some sort of proxy in front of the RD Gateway. This can be the Fortiweb.
     
    Thanks Carl
    #3
    pbeall
    Re: Fortiauthenticator and Windows RDS Gateway 2016/03/31 09:03:32
    I am also looking for this solution. However as usual it is very hard to find anyone else that has set it up!
    #4
    vcuramichael
    Re: Fortiauthenticator and Windows RDS Gateway 2016/04/06 12:34:04
    Wouldn't using Microsoft NPS for the RDS gateway, and then forwarding RADIUS auth to the FortiAuthenticator work?
     
    I have not set this up yet, but I have been thinking about trying it.
    #5
    borderland
    Re: Fortiauthenticator and Windows RDS Gateway 2016/04/06 22:53:34
    Duo Security has a great two-factor solution that works well with RDS, Citrix and just about anything else. It is free for up to 10 users and paid is $1/user/month.
    #6
    AlexW
    Re: Fortiauthenticator and Windows RDS Gateway 2016/04/07 01:10:03
    In our environment we used the Fortiweb in front of the RDS Gateway. This takes care of the 2FA.
    This works fine. The only problem is the SSO part; I have not found out yet how to push the credentials to the RDP part of the connection. (The connection is divided into 2 parts: first the RDWEB authentication (IIS) and then an RDP, AD authentication.)
     
    @vcuramichael, it is also possible to do this with the NPS and forward the RADIUS request to the Fortiauthenticator. This works fine, only as far as I know there is no SSO yet. This is because the RDP authentication is different than the RDWEB authentication part.
     
    Another thing to consider is the RDP part. Without 2FA you click on the RDP link and the RDP link is downloaded to the client. This RDP link can also be opened directly without going to the RDWEB web page. With 2FA you only authenticate with 2FA against the RDWEB, not the RDP. So when you open the RDP link locally you bypass the 2FA. I have not found a solution for this yet.
     
    There is 1 workaround, and that is not doing the 2FA against the RDS gateway, but doing this in the RDS servers. So the first authentication is on the website, and when you click the link you are presented with the RDP login where you use the token code to log in.
     
     
    #7
    JO_IMPAKT
    Re: Fortiauthenticator and Windows RDS Gateway 2016/05/19 03:02:32
    Hi,
     
    We too have a customer asking for this. He doesn't have a fortiweb and it would not be feasible for him to invest into that as well.
     
    Any information about other potential workarounds or about the status of this feature request?
     
    Jo
    #8
    benji
    Re: Fortiauthenticator and Windows RDS Gateway 2016/07/01 07:04:48
    AlexW,
    Is your workaround running with doing the 2FA on the RDS gateway?
    Using Fortiweb as reverse proxy for RDWeb and tunneling the RDP connection through Fortiweb?
    #9
    Locian
    Re: Fortiauthenticator and Windows RDS Gateway 2016/11/23 20:14:36
    @AlexW
    I have been trying to have NPS forward RADIUS requests to FA and it does; the only issue is the request doesn't have the User-Password attribute in it and I always get invalid password. Can you point me in the right direction? How did you get two-factor authentication for RDS having NPS forward the authentication to an external RADIUS?
     
    Best Regards,
    Ahmed
    #10
    AlexW
    Re: Fortiauthenticator and Windows RDS Gateway 2016/11/25 00:27:46
    @Ahmed, did you try to put the tokencode+password in the password field at the logon page? The NPS webpage does not have a field for the token code (as far as I know).
     
    @Benji, we noticed that a setup with the Fortiweb was not the best from a user point of view, because we could not provide SSO. What we did eventually was use the RDS WEB for normal user ID/password authentication, and use the Fortiauthenticator agent on the RDP servers for the token authentication.
    #11
    Locian
    Re: Fortiauthenticator and Windows RDS Gateway 2016/11/25 02:55:52
    @AlexW
    Just to make sure we are on the same ground, I will describe the setup I have now. We have RD Web Access that leads to RD Gateway. The user is authenticated using Windows credentials on the RD Web Access login page (I couldn't find a way to change this to NPS). After authentication the user is presented with the RD applications, and once the user clicks on any of the applications (for example calc) an authentication window pops up which, as per the configuration I have on the NPS, is forwarded to the Fortiauthenticator.
     
    After following debug on Fortiauthenticator I found that the authentication request doesn't have "User-Password" field and Fortiauthenticator rejects the request because of this.
     
    You have mentioned in your message to Benji that you have installed Fortiauthenticator agent on RDP servers to enable token authentication, can you elaborate more on this? Do you think this can apply to my setup also?
     
    Best Regards,
    Ahmed
    #12
    Huey
    Re: Fortiauthenticator and Windows RDS Gateway 2017/03/29 18:05:08
    Locian
    @AlexW
    Just to make sure we are on the same ground, I will describe the setup I have now. We have RD Web Access that leads to RD Gateway. The user is authenticated using Windows credentials on the RD Web Access login page (I couldn't find a way to change this to NPS). After authentication the user is presented with the RD applications, and once the user clicks on any of the applications (for example calc) an authentication window pops up which, as per the configuration I have on the NPS, is forwarded to the Fortiauthenticator.
     
    After following debug on Fortiauthenticator I found that the authentication request doesn't have "User-Password" field and Fortiauthenticator rejects the request because of this.
     
    You have mentioned in your message to Benji that you have installed Fortiauthenticator agent on RDP servers to enable token authentication, can you elaborate more on this? Do you think this can apply to my setup also?
     
    Best Regards,
    Ahmed

    Did you ever get this working?  I have exactly the same problem where the password is missing (according to the debug)
    #13
    Locian
    Re: Fortiauthenticator and Windows RDS Gateway 2017/03/29 18:35:51
    Unfortunately no, after investigating this with Fortinet the final reply was that this is not supported now.
    #14
    jeff.painter@osisonline.net
    Re: Fortiauthenticator and Windows RDS Gateway 2019/10/03 15:41:51
    We are looking at the same thing. Were you able to do this without VPN or some type of proxy for the Auth?
     
    Thanks-Jeff
    #15