Roaming clients (multiple redundant gateways)

Roaming clients (multiple redundant gateways)

The following figure illustrates three corporate FortiGate networks. Each FortiGate can reach each other over a WAN network. FortiClient can only reach one FortiGate at a time. FortiClient may connect directly to the FortiGate or through a NAT device.

If FortiClient connects through a NAT device to the FortiGate, do not enforce endpoint control compliance on the FortiGate.

On each of the three FortiGate devices configure the following:

l Interface IP addresses l FortiClient profile l Device identification in the interface l FortiClient profile in the applicable firewall policy l Endpoint control synchronization

Endpoint control synchronization allows you to synchronize endpoint control for multiple FortiGate devices. To enable endpoint control synchronization via the CLI enter the following commands on your FortiGate:

config endpoint-control forticlient-registration-sync edit 1 set peer-ip 172.20.52.19

next edit 2

set peer-ip 172.22.53.29

end end

Roaming clients (multiple redundant gateways)

The IP addresses set for the peer-ip field are the WAN IP addresses for each of the FortiGate devices in the synchronization group.

You need to add the following XML configuration to FortiClient for this synchronization group. Modify the configuration file to add the following:

<forticlient_configuration>

<endpoint_control>

<!– List of redundant FortiGates, since 5.0.2 –>

<fortigates>

<fortigate>

<name>Corporate Network</name>

<addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses> </fortigate>

</fortigates>

</endpoint_control>

</forticlient_configuration>

The IP addresses are the internal IP addresses for each of the three FortiGates in the synchronization group. FortiClient can reach any of these IPs, one at a time.

If the three FortiGate devices share the same DNS name, use the following XML configuration:

<forticlient_configuration>

<endpoint_control>

<!– List of redundant FortiGates, since 5.0.2 –>

<fortigates>

<fortigate>

<name>Fortinet Americas</name>

<addresses>fct_americas.fortinet.com</addresses> </fortigate>

</fortigates>

</endpoint_control>

</forticlient_configuration>

The DNS server should return one reachable FortiGate IP address for the domain name used.

You will need to manually add FortiClient to the synchronization group when FortiClient initially connects with the FortiGate. Once added, no further action is required.

On your FortiGate, use the following CLI command to list all connected FortiClient endpoints:

diagnose endpoint registration list registered-forticlients FortiClient #1 (0):

UID = BE6B76C509DB4CF3A8CB942AED200000

vdom = root status = registered

registering time = Fri May 2 15:00:07 2014 registration expiry time = none source IP = 172.172.172.111 source MAC = b0:ac:6f:70:e0:a0

user = user

host OS = Microsoft Windows 7 , 64-bit

restored registration = no remote registration = yes registration FGT = FGT60C3G11000000 Total number of licences: 10

Total number of granted licenses: 1

Total number of available licences: 9

Roaming clients (multiple redundant gateways)

The remote registration entry indicates whether this specific FortiClient is connected to this FortiGate, or to another FortiGate within the synchronization group.

If any of the FortiGate devices require a password to complete connection, you can use the following XML configuration to provide password information to FortiClient:

<forticlient_configuration>

<endpoint_control>

<!– List of redundant FortiGates, since 5.0.2 –>

<fortigates>

<fortigate>

<name>Corporate Network</name>

<addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>

<registration_password>uNbre@kab1e</registration_password> </fortigate>

</fortigates>

</endpoint_control>

</forticlient_configuration>

 

This entry was posted in FortiClient and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.