Hot!Force User Authentication over Explicit Proxyy

New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/12/15 13:59:47
  • Status: offline
2018/12/15 14:20:38 (permalink)

Force User Authentication over Explicit Proxyy

Hi all forum gurus
Right now we are moving from our old MS TMG to Fortigate 1000D.
Got a question about Proxy policy
First, have to tell that all users in our organization have have proxy settings enable in their browsers
How to force authenticate a users from a specified IP source.
I've setup some testing rules (attaches picture) but I can't get it work for Terminal Servers IP groups.Seems users not authenticated ...

Attached Image(s)


2 Replies Related Threads

    Expert Member
    • Total Posts : 432
    • Scores: 93
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Status: offline
    Re: Force User Authentication over Explicit Proxyy 2018/12/17 00:05:22 (permalink)
    policy like #2 is not gonna get hit as there is any-any-accept .. easier way without authentication.
    So first get rid of any-any-accept stuff .. this is firewall and default rule is deny.
    All you configure are exceptions for those you would like to explicitly allow through under some conditions.
    Then to apply authentication user for example need to come through port which spawns captive portal.
    Or user can be pre-authenticated via FSSO (and for Terminal Servers best equipped with TSAgent), or handle all on session basis via Explicit proxy policies .. 
 and Authentication guide has a lot of tips.
    Specific scenarios are on Cookbooks site.

    Kind Regards,
    New Member
    • Total Posts : 11
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/07/12 06:06:20
    • Status: offline
    Re: Force User Authentication over Explicit Proxyy 2019/01/23 02:22:01 (permalink)
    3 (1)
    You need to play with this ones:
    (my sample configuration)..
    config authentication scheme
        edit "ntlm"
            set method ntlm
        edit "fsso"
            set method fsso
    config authentication rule
        edit "proxytest"
            set srcaddr "all" - here you can define who will be authenticated...but there are more options..
            set active-auth-method "ntlm"
            set sso-auth-method "fsso"
    config authentication setting
        set active-auth-scheme "ntlm"
    Jump to:
    © 2019 APG vNext Commercial Version 5.5