There are a lot of folks out there spending a lot of money on SSL VPN solutions when they have the feature built into the FortiGate already. Watch this video discussing this.
Stop Using 3rd Party VPN Clients
Leave a reply
Category Archives: FortiClient
FortiClient EMS – Enterprise Management Server
FortiClient EMS – Enterprise Management Server
FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It provides visibility across the network to securely share information and assign security profiles to endpoints. It is designed to maximize operational efficiency and includes automated capabilities for device management and troubleshooting.
FortiClient EMS is designed to meet the needs of small to large enterprises that deploy FortiClient on endpoints. Benefits of deploying FortiClient EMS include:
| Communication | Service | Protocol | Port |
| FortiClient endpoint registration | File transfers | TCP | 8013 (default) |
| Computer browser service | Enabled | ||
| Samba (SMB) service
l During FortiClient deployment, endpoints may connect to the FortiClient EMS server using the SMB service. |
Enabled | 445 | |
| Distributed Computing Environment / Remote Procedure Calls (DCE- RPC)
l The FortiClient EMS server connects to the endpoints using RPC for FortiClient deployment. |
Enabled | 135 | |
| Active Directory server connection | When used as
a default connection |
389 | |
| Windows | HTTP | TCP | 80 |
- Remotely deploying FortiClient software to Windows PCs.
- Updating profiles for endpoint users regardless of access location, such as administering antivirus, web filtering, VPN, and signature updates.
- Administering FortiClient endpoint registrations, such as accepting, deregistering, and blocking registrations. l Managing endpoints, such as status, system, and signature information. l Identifying outdated versions of FortiClient software.
Required services
You must ensure that required ports and services are enabled for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with clients and servers running associated applications.
FortiClient EMS – Enterprise Management Server
| Communication | Service | Protocol | Port |
| Internet Information Services (IIS) | HTTPS | TCP | 443, 10443 |
| SQL server |
For more infomation about FortiClient EMS, including other requirements, installation, and management, see the FortiClient EMS – Administration Guide.
FortiClient Open Ports Diagram
FortiClient Open Ports Diagram
FortiClient WAN optimization over IPsec VPN configuration example
FortiClient WAN optimization over IPsec VPN configuration example
This example shows how to add WAN optimization to a FortiClient IPsec VPN. The IPsec VPN tunnel allows remote FortiClient users to connect to the internal network behind the FortiGate unit.
Example FortiClient WAN optimization configuration
To configure the FortiGate unit
Because computers running FortiClient can have IP addresses that change often, it is usually not practical to add FortiClient peers to the FortiGate WAN optimization peer list. Instead, a FortiGate unit that accepts WAN optimization tunnel requests from FortiClient is usually configured to accept any peer. This example does this by adding a WAN optimization authentication group with Peer acceptance set to Accept Any Peer.
In addition this example includes a wanopt to internal policy to allow WAN optimization traffic reach the internal network. Finally passive WAN optimization is added to the ssl.root policy because WAN optimization is accepting traffic from the IPsec VPN tunnel.
1. Go to WAN Opt. & Cache > Authentication Groups and select Create New.
2. Configure the WAN optimization authentication group:
Name auth-fc
Authentication Method Certificate
Certificate Fortinet_Firmware
Peer Acceptance Accept Any Peer
3. Select OK.
4. Go to WAN Opt. & Cache > Profiles and select Create New (select the + button).
5. Add a profile for FortiClient WAN optimization sessions:
Name Fclient_Pro
Transparent Mode Select
Authentication Group auth-fc
Category Address
Address Name Internal-Server-Net
Type IP Range
Subnet / IP Range 192.168.10.0/24
Interface internal
9. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections.
configure firewall explicit-proxy-policy edit 0
set proxy wanopt
set dstintf internal set srcaddr all
set dstaddr all set action accept set schedule always set service ALL
next end
To set up IPsec VPN to support WAN optimization
1. Go to VPN > IPsec Wizard, enter a Name for the IPsec VPN and select Dialup – FortiClient (Windows, Mac OS, Android).
2. Follow the wizard steps to configure the VPN. No special WAN optimization settings are required.
3. Go to Policy & Objects > IPv4 Policy and edit the policy created by the wizard.
This policy has the IPsec VPN interface created by the wizard as the source interface.
4. Turn on WAN Optimization and configure the following settings:
Enable WAN Optimization passive
Passive Option default
5. Select OK.
To configure FortiClient and start the WAN optimization SSL VPN connection
1. Open FortiClient, configure Advanced settings, and select Enable WAN optimization.
2. Add a new IPsec VPN connection.
Set the Server to the WAN1 IP address of the FortiGate unit (172.20.120.30 in this example).
No other settings are required for this example. You can add authentication in the form of a user name and password if required by the FortiGate unit.
3. Start the IPsec VPN tunnel.
You should be connected to the IPsec VPN tunnel and traffic in it should be optimized.
FortiClient WAN optimization
FortiClient WAN optimization
FortiClient WAN optimization supports protocol optimization and byte caching in IPsec VPN and SSL VPN tunnels between FortiClient and a FortiGate unit. To add WAN optimization to FortiClient, configure FortiClient Advanced settings and enable WAN optimization. This setting can then apply WAN optimization to any IPsec or SSL VPN tunnel between FortiClient and FortiGate, if the FortiGate IPsec or SSL VPN configuration also includes WAN optimization.
When FortiClient with WAN optimization enabled attempts to connect a server-side FortiGate unit, FortiClient automatically detects if WAN optimization has been added to the FortiGate tunnel configuration. If WAN optimization is detected and FortiClient can successfully negotiate with the FortiGate unit, WAN optimization starts.
FortiClient WAN optimization topology
FortiClient WAN optimization
FortiClient WAN optimization
PCs running the FortiClient application are client-side peers that initiate WAN optimization tunnels with server- side peer FortiGate units. However, you can have an ever-changing number of FortiClient peers with IP addresses that also change regularly. To avoid maintaining a list of such peers, you can instead configure WAN optimization to accept any peer and use authentication to identify FortiClient peers.
Together, the WAN optimization peers apply the WAN optimization features to optimize the traffic flow over the WAN between the clients and servers. WAN optimization reduces bandwidth requirements, increases throughput, reduces latency, offloads SSL encryption/decryption and improves privacy for traffic on the WAN.
For more details, see FortiClient WAN optimization on page 2904.
Linux FortiClient Download
Just a heads up, a lot of people only deal with one specific operating system in their environments (Fortinet dumps a lot of their investment into the development of Windows applications because of the market share). Just in case you haven’t found it, Fortinet provides downloads to the Mac OS and Linux OS FortiClient applications in the firmware download locations of their support site. (VPN folder within the selected firmware folder).
Hopefully, this helps some of you out if you are in need!
FortiClient Issues With Mac OS Sierra
A client of mine stumbled across this issue and after some digging it appears to be fairly common. In my experience, FortiClient tends to have more issues with Mac OS in general. For this particular problem though I have had success by rolling back the FortiClient. Downloading the latest from FortiClient tends to be the spot where most people run into issue. Not sure what it is about the older versions that work versus the new one but it is an obvious bug.
If you are sitting around waiting for it to be resolved I wouldn’t get your hopes up. Fortinet tends to be a little slower resolving MAC related issues with the FortiClient software when compared to Windows etc…..guess we can chalk that up to market share.
Anyways, roll back your client to an earlier version and see if that resolves the issue for you. I would give you a specific version to roll to but it seems to vary from environment to environment.
Thing To Remember: Sierra is brand new, so the issues, obviously, may not be on the FortiClient side (at least not completely).