Relatively new to IPsec and FortiClient. My understanding is it’s a bit of a faff to manage them individually and EMS might be the answer. Do people feel it’s worth the additional cost for ease of use, plus am I right in thinking EMS is also a necessity for implementing a pre-login VPN connection on devices?
I would say yes, it's worth it. Because the time and effort it takes for you to get hold of all the clients and to configure the VPN is relatively quickly earned back with EMS. Also with EMS you can instead use ZTNA, which is way more flexible and secure.
If your clients use SAML auth then no.
Yes and no. Initial deployment of FortiClient VPN is easy with IPSec or SSLVPN connectivity without EMS. The problem down the road will be: upgrades and/or configuration changes. EMS can make the process easier and EMS also offers endpoint visibility that is nice to have if you don’t have other tools to do the same.
I recommend it, but not getting EMS is not necessarily a wrong decision.
EMS is always worth it, imo, because it centralizes configuration. We use FortiClient for SSOMA and SSL VPN as a fallback, will mess with its IPsec when 7.4 finally supports ESP over TCP; until then pre-login is a FortiGate-terminated Windows AOVPN IKEv2 device tunnel, post-login the user tunnel.
I have 35, very much worth it, not just from a management perspective but also for my tech support team when troubleshooting remote worker issues.
Team: “Are you using a wired connection because this sounds like a bad wifi issue?”
User: “Yes”
Tech: (Looking at the computer in EMS) “Well I can see here your only active interface is wifi. We need you to disable wifi and use a physical cable to connect to your home modem.”
The advanced FortiClient licensing for the ransomware protection also looks intriguing to upgrade to at some point.
Would you rather have to manually manage all 30 endpoints individually?
Thanks. That's pretty much my initial thoughts in regards to ease of use.
I’m relatively new to IPsec. Can I not do SAML (Entra) with IPsec? In an ideal world we’d like MFA. Does IPsec not support this or is it a Fortinet thing?
Also just to be sure: am I right that pro login connecting to VPN needs EMS, or does it just make it easier? Apologies for bombarding you with additional queries but I’m hoping you’ll be able to help fill some holes.
EMS is not an active component in VPN connectivity. It’s only used to configure the FortiClient profiles to deploy on the end systems.
It becomes an active component the moment you start using ZTNA tags.
MFA is working great, I just finished migrating a dial-in IPsec IKEv1 to IKEv2 with RADIUS backend and FTKM.
I’ve read about SAML working as well with IPsec but got no experience yet with this.
It’s not a Fortinet thing, so yes, you can use IPsec with SAML auth.
Pro login? Please elaborate.
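Added example (not from any poster in this thread, and not Fortinet's own documentation): a FortiOS CLI sketch of the kind of dial-up IKEv2 tunnel with a RADIUS backend that the comment above describes, where the RADIUS server (e.g. a FortiAuthenticator holding the FortiToken assignments) enforces the second factor. Interface name, RADIUS address, client address pool, object names and the timeout value are all placeholders/assumptions; comment lines are explanatory only.

```fortios
# Constructed example: dial-up IKEv2 on a FortiGate with user credentials
# checked over RADIUS. The RADIUS server performs the FortiToken/MFA step,
# the FortiGate only relays the EAP exchange. All values are placeholders.

config system global
    # Allow the RADIUS round trip enough time for a push/OTP prompt (assumed value)
    set remoteauthtimeout 60
end

config user radius
    edit "RADIUS-MFA"
        # placeholder RADIUS/FortiAuthenticator address and shared secret
        set server "192.0.2.10"
        set secret "CHANGE-ME"
        set auth-type auto
    next
end

config user group
    edit "VPN-Users"
        # membership is decided by the RADIUS server's accept/reject
        set member "RADIUS-MFA"
    next
end

config vpn ipsec phase1-interface
    edit "DIALUP-IKEV2"
        # dial-up: peers connect from any source address
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        # mode-cfg pushes the client address and DNS from the gateway
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        # IKEv2 EAP: the user's credentials are sent to the RADIUS group above
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN-Users"
        # placeholder client address pool
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set psksecret "CHANGE-ME"
    next
end

config vpn ipsec phase2-interface
    edit "DIALUP-IKEV2-P2"
        set phase1name "DIALUP-IKEV2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end
```

A firewall policy from the "DIALUP-IKEV2" tunnel interface to the internal networks is still required before traffic flows, and nothing in this configuration involves EMS: the MFA decision sits entirely on the RADIUS side, which is the point the reply above makes about EMS not being an active component in the VPN connection itself.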
Sorry, didn’t word it right. Auto-connecting to the VPN as soon as the device is booted, prior to the user logging into the device. Or at least giving the user the ability to from the Windows login screen.
You can set it up so that the user gets prompted with the VPN logon page to enter their credentials, and it would be the same credentials that they use to log on to the machine, connecting the user to the VPN and logging them in at the same time. You can also set up “Auto connect”, meaning the user automatically connects to the VPN after logging in to Windows.
Ah, that’ll do. Amazing, thank you.