Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexW
New Contributor III

Fortiauthenticator and Windows RDS Gateway

Hi..

 

We want to use our Fortiauthenticator to provide 2FA with a Windows RDS gateway (2012). I cannot find any documentation on this so i was hoping someone else has figured this out..

 

I think i have to use the fortiauthenticator plugin for IIS/OWA, but how can i configure this plugin for the RDS Gateway ?

and is it even posible ?

 

Regards, Alex

 

 

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
15 REPLIES 15
Carl_Windsor_FTNT

The IIS/OWA gateway is for IIS running OWA not IIS or OWA.  I will get the docs updated to make this more explicit.

 

Looking at how the Remote Desktop Gateway functions, I do not believe we have a solution for you today.  Speak to your Fortinet SE if you want to open a feature request.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

AlexW

I have spoken to our SE, and a feature request has been opened.

 

Other options now are some sort of proxy in front of the RD Gateway. This can be the Fortiweb.

 

Thanks Carl

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
vcuramichael

Wouldn't using Microsoft NPS for the RDS gateway, and then forwarding RADIUS auth to the FortiAuthenticator work?

 

I have not set this up yet, but I have been thinking about trying it.

borderland

Duo Security has a great 2 factor solutions that works well with RDS, Citrix and just about any thing else. It is free for up to 10 users and paid is $1user/month

AlexW
New Contributor III

In our environment we used the Fortiweb in front of the RDS Gateway. This takes care of the 2FA.

This works fine. The only problem is the SSO part, i did not found out yet how to push the credentials to the RDP part of the connection. (the connection is devided into 2 parts, first the RDWEB authentication (IIS) and then a RDP, AD authentication.)

 

@vcuramichael, It is also possible to do this with the NPS and forward the radius request to the Fortiauthenticator. This works fine, only as far as i know there is no SSO yet. this because of the RDP authentication is different then the RDWEB authentication part.

 

Another thing to consider is the RDP part, without 2FA you click on the RDP link and the RDP link is downloaded to the client. this RDP link can also be opened directly without going to the RDWEB web page. With 2FA you only authenticate with 2FA against the RDWEB, not the RDP. so when you open the RDP link localy you bypass the 2FA. I have not found a solution for this yet..

 

There is 1 workaround and that is not doing the 2FA against the RDS gateway, but do this in the RDS Servers. So the first authentication is on the website, and when you click the link you are presented by the RDP login where you use the Tokencode to login.

 

 

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
JO_IMPAKT

Hi,

 

We too have a customer asking for this. He doesn't have a fortiweb and it would not be feasible for him to invest into that as well.

 

Any information about other potential workarounds or about the status of this feature request?

 

Jo

benji

alexw,

is your workaround running with doing the 2fa on the rds gateway ?

using fortiweb as reverse proxy for RDWeb an tunneling rdp connection through fortiweb ?

Locian
New Contributor

@AlexW

I have been trying to have NPS forward radius requests to FA and it does, the only issue is the request doesn't have the User-password attribute in it and I always get invalid password. Can you point me to the right direction? How did you get two factor authentication for RDS having NPS forward the authentication to an external radius?

 

Best Regards,

Ahmed

AlexW
New Contributor III

@Ahmed, Did you try to put the tokencode+password in the password field at the logon page ? The NPS webpage does not have a field for the token code. (as i know of)

 

@Benji, we noticed that a setup with the fortiweb was not the best from a user point of view. this because we could not provide sso. What we did eventually was use the RDS WEB for normal user id password authentication, and use the fortiauthenticator agent on the rdp servers for the token authentication.

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

Alex Wassink NSE4,5,7,8 CCNP, ACMP, VCP6-NV
Labels
Top Kudoed Authors