Is it possible to set up an RDP session without FortiClient being installed?

Long story short, we have many users who have the option to work from home by accessing their work desktop PCs using RDP. Our current solution involves staff going to a website and logging into the system using their credentials/MFA. It then downloads a small tool called MotionPro that needs to be installed locally, but once installed they can sign in and access their desktop via RDP. We have a Linux box on site that provides the user authentication and session management.

I am wondering if there is a way that we can use the FortiGate and user credentials to facilitate this kind of connection without the need of the separate Linux box? I know we can do RDP over VPN, but I am assuming that requires staff to have FortiClient installed on their personal home PC and then needing to connect prior to launching an RDP session back to their home PC.

Ideally, we are looking for a solution that does not require a local install of FortiClient. We are OK if they are prompted to download a small utility at first login, but we do not want to require staff to be connected to FortiClient prior to accessing their remote PCs. Is it possible to cut off the Linux box and set something up like this? Or would it for sure require a local VPN client to be connected prior to using RDP from their home PC?

EDIT: Thank you for the suggestions, all. We were able to successfully test a solution where staff can log into the firewall from outside the network using MFA and then remote into their PC on site using a bookmark on the firewall to that device. The issue we are now running into is that the remote session is confined to a small window within the web browser, but staff would like to utilize both of their monitors in full screen, and not a single smaller display on a single screen. So we’re still exploring solutions to work through this.

The FortiGate offers something called SSL VPN Web Mode. It allows an authenticated session to access select services, RDP included, via a web browser.

You don’t mention your RDP infrastructure, but if you’re using a full and proper installation of RD Gateway/services, then you can use a simple DNAT on the firewall to forward RDP traffic to the RD Gateway. This would be significantly better than simply RDP’ing to an internal server; however, note that the RDP protocol itself is subject to constant attacks, and there are known deficiencies in the protocol which could be exploited.

If you have the required Fortinet infrastructure (FGT/EMS/FCT), then you can use ZTNA - this can make use of SSO auth to facilitate authentication.

You can set up access to RDP via SSL VPN in web-only mode, where your staff would go in the browser to your SSL VPN endpoint address, and then, if you have published the RDP app from there, they could connect to a resource via RDP.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/805747/allow-customization-of-rdp-display-size-for-ssl-vpn-web-mode-7-0-4
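As an added illustration of the web-only portal with a published RDP bookmark described above (not configuration from the thread or from Fortinet's own documentation), this is the shape of the FortiOS CLI involved. The portal name, group name, host address and display size are assumptions; `set width` / `set height` is the 7.0.4 bookmark option the linked document covers and is assumed to be available on the target firmware.

```text
# Web-only SSL VPN portal: no tunnel mode, so nothing has to be installed on the client
config vpn ssl web portal
    edit "rdp-web-only"               # assumed portal name
        set web-mode enable
        set tunnel-mode disable
        config bookmark-group
            edit "desktops"           # assumed group name
                config bookmarks
                    edit "usera-desktop"
                        set apptype rdp
                        set host "10.10.20.15"   # assumed internal desktop address
                        set port 3389
                        set security nla         # require NLA rather than plain RDP security
                        set width 1920           # 7.0.4+ display size option (assumed available)
                        set height 1080
                    next
                end
            next
        end
    next
end

# Map the MFA-backed remote user group to the web-only portal
config vpn ssl settings
    set servercert "Fortinet_Factory"   # replace with the public certificate on the SSL VPN interface
    set port 443
    set idle-timeout 900
    config authentication-rule
        edit 1
            set groups "remote-staff"   # assumed user group backed by the MFA identity source
            set portal "rdp-web-only"
        next
    end
end
```

The display size only changes the canvas drawn inside the browser tab; web mode still renders the session in that tab, so it does not give the dual-monitor full-screen experience mentioned in the edit.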

You could also make users connect via an IPsec connection on their (Windows) devices using the built in feature of the OS.

Don’t have a lot of experience with client-to-site IPsec though, so can’t say if it’s easy to service for your clients. SSLVPN web mode does work well though; we use it sometimes when macOS devices have trouble using FortiClient.

If your system will not allow for as many SSL VPN web connections as you need, you could use IPsec VPN (which would allow users to configure Windows to connect - avoiding installing anything on their personal device… I don’t know the ability of your users - so this MIGHT not be feasible for your users…), set the rules to allow access from that VPN to the RDP server(s) (denying everything else internal if needed)…

If you have an SSL cert you can solve most of this with RD gateway.

Guacamole? Feed it through Cloudflare and only allow people to access it with a client-side certificate?

Not sure if MS RDWeb is still something used in production these days, but you could publish RDS Gateway via a website and all traffic would be wrapped in TLS on port 443.

Yes, you have options, as others have said. Just use the built-in SSL VPN. It utilizes MFA and can integrate AD auth.

Most deployments I’ve done started with SSL VPN web mode and then migrated to F5 BIG-IP APM, protected through firewall and IPS policies from the FortiGate, when users really started using RDP as a normal remote access way of working.

That way users were only exposed to their RDP session in a controlled manner depending on their IdP attributes, e.g. [email protected] gets RDP access to the usera.internal.domain PC.

It sounds like your company would be better off if they provided laptops instead of desktops and then used a VPN.

Could consider FortiSASE - sounds up your alley.

Take a look at FortiRDP (https://github.com/jnmeurisse/fortirdp). This is standalone Windows software without any dependency that creates an SSLVPN tunnel with the FortiGate and then launches the remote desktop client, forwarding the RDP protocol through the tunnel. This software has some limitations: it does not support IPv6 and is not compatible with SAML.

It’s worth mentioning the resource constraints, though. A low-end FGT will quickly start to struggle when more than a handful of clients use web mode.

I’ve heard rumblings this feature will be killed off. It’s resource intensive (not as bad since they moved away from using Guacamole) and is generally not recommended by SEs in the field.

That requires FortiClient on the devices though, which OP specifically does not want. Also, they are personal devices, and most companies do not want to manage non-corporate devices in their EMS.

RD Gateway with Duo for 2FA is what we use. We use Duo 2FA for SSL VPN as well, accessed via FortiClient EMS.

Not to mention that exposing a whole server via a VIP goes against security best practices. One thing is creating a VIP for a specific service such as HTTPS or FTP, and another thing is exposing the RDP service, where once the connection is successful the attacker may have full access to the system. Just my 2 cents.

Sounds nice. I’ll check it out