We currently don’t force VPN and use AVD, so many people don’t connect to the VPN very much. However, they have to connect to change their AD password and sync it with the local PC. Does FortiClient offer an always-on VPN where it connects at Windows login with Windows credentials and an internal cert? We do currently use EMS for all our managed endpoints.
I have configured always-on VPN using IPsec and certificate-based authentication with the machine certificate. The VPN starts before login to satisfy password changes. If I revoke the machine certificate or disable the machine account in AD, it won’t connect. I use EMS Cloud and an on-premises detection rule to prevent it from starting while on-prem.
EMS offers always-on capabilities, yes. It may or may not be buggy, however.
Use the built-in Windows VPN client and do AOVPN back to a FortiGate. Stable enough for my 6-10k clients.
Our AOVPN takes 6 minutes to log on for some users and I can’t work out why. Does anyone know of any troubleshooting guides or resources that I can access that may help to resolve it? It’s a real head-scratcher.
In Cisco AnyConnect there is a built-in management tunnel feature: when a user closes the user tunnel, it automatically starts a management tunnel. It is the single showstopper that prevents us from switching completely to FortiClient.
Is there a step-by-step guide on how to set this up?
lol right, 2 years ago I deployed it, and I wasn’t exactly thrilled.
For some reason I vaguely recall that IPsec-based always-on was a lot more stable than SSL. But that’s a 2-year-old memory.
Yeah, I have tested this. Not the greatest.
How does that work when they come into the office where we have the VPN already set up? Does it still follow the trusted location? Also, does it have to be IPsec, or can it be SSL VPN? The reason I ask is that we work with a lot of schools, and they tend to block 4500.
Yup. Windows Always On VPN does allow a third-party IPsec VPN concentrator to be used: Fortinet, etc.
I saw this happen at one location where the primary NPS server the Forti was pointing to was wrong, and it took a while to try the second one.
Pretty sure it’s IPsec only. It’s all deployed via Intune and there is a config in it that disables it when the device can see the domain.
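The Windows-native setup several replies describe (built-in Always On VPN client, IKEv2/IPsec with machine-certificate authentication, disabled when the device can see the domain) can be written as a VPNv2 CSP ProfileXML and pushed with PowerShell. The script below is an added example for this thread, not something anyone posted and not Microsoft’s or Fortinet’s own tooling. The server name vpn.example.com, the DNS suffix corp.example.com, the 10.0.0.0/8 route and the profile name are assumptions; the FortiGate side (an IKEv2 tunnel that accepts machine certificates from your internal CA) is not shown.

```powershell
# Added example (not from the thread): create a Windows Always On VPN *device* tunnel
# profile through the VPNv2 CSP. Run as SYSTEM (e.g. psexec -s -i powershell.exe);
# a device tunnel cannot be created from an ordinary user context.
# Assumptions (not from the thread): concentrator is a FortiGate reachable as
# vpn.example.com running IKEv2 with certificate authentication; the AD DNS suffix
# is corp.example.com; internal networks live in 10.0.0.0/8.

$ProfileName        = 'AOVPN Device Tunnel'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <!-- Tunnel is not brought up (and is torn down) while a connected interface carries
       this DNS suffix, i.e. the device is on the office LAN. Assumed suffix. -->
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- Machine certificate from the internal CA. Revoking it, or disabling the
           computer account that the gateway checks, is what blocks the tunnel. -->
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- Only the internal range goes through the device tunnel. Assumed range. -->
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
"@

# The CSP stores ProfileXML as an escaped string.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$session       = New-CimSession

# Remove a stale copy of the same profile so the script can be re-run safely.
Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    ForEach-Object { $session.DeleteInstance($namespaceName, $_) }

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
        @{ Name = 'ParentID';   Value = $nodeCSPURI;         Type = 'Key'      },
        @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Type = 'Key'      },
        @{ Name = 'ProfileXML'; Value = $ProfileXML;         Type = 'Property' })) {
    $prop = [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Type)
    $newInstance.CimInstanceProperties.Add($prop)
}
$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Verify the profile landed.
Get-CimInstance -Namespace $namespaceName -ClassName $className |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped } |
    Select-Object InstanceID

# Show the machine certificates the tunnel could present: they must have a private
# key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2) and chain to a CA the
# gateway trusts. An expired or missing cert here is the first thing to check when
# the tunnel silently fails to come up before logon.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Because the device tunnel runs in machine context it is up before any user signs in, which is what lets a password change reach the domain controller, and TrustedNetworkDetection is the setting that answers the "what happens in the office" question. One caveat for the school sites mentioned above: IKEv2 needs UDP 500 and, behind NAT, UDP 4500, so a network that blocks 4500 will also block this profile; the built-in Windows client has no SSL VPN fallback to a FortiGate.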