Technical Tip: How to remove VPN configurations from FortiClient prior to deregistering the endpoint from FortiClient EMS

Description

This article describes how to remove VPN configurations from FortiClient before deregistering the endpoint from FortiClient Endpoint Management System.

After an endpoint is deleted from FortiClient Endpoint Management System (EMS), the VPN configuration can remain locally available in FortiClient.

Scope

FortiClient, FortiClient EMS.

Solution

FortiClient VPN configurations deployed from FortiClient EMS are removed through profile synchronization.

If the endpoint is deleted from FortiClient EMS before receiving a profile without VPN tunnels, the existing VPN configuration can remain locally in FortiClient.

To remove VPN configurations from FortiClient before deregistering the endpoint from FortiClient EMS:

1. Confirm that the endpoint is still registered and connected to FortiClient EMS.

2. Apply a new profile to the endpoint that does not include the VPN tunnels.

3. Verify that FortiClient receives the updated profile.

4. Confirm that the VPN tunnels are removed from FortiClient.

5. After the VPN tunnels are removed, deregister and delete the endpoint from FortiClient EMS.

When a FortiClient endpoint is deleted from FortiClient EMS before the VPN configuration is removed, the VPN configuration can remain available in FortiClient for up to 30 days, depending on the license and VPN expiry status.

During this period, FortiClient can still establish a VPN connection if the configuration and authentication requirements remain valid.

For additional information, refer to the following FortiClient documentation:

• Free 30-day VPN access

• FortiClient Linux CLI commands