muhammadsaad
New Member
August 25, 2025
Solved

EMS Restriction Implementation

  • August 25, 2025
  • 6 replies
  • 2306 views

Hi,

We have integrated FortiGate with FortiClient EMS; the remote access profiles and EMS tags are pushed to FortiClient successfully.


We have a scenario.

In FortiClient, after connecting to the EMS through its IP, if the profile has not been pushed and we manually enter the SSL VPN remote gateway and send a connection request, it gets connected.

Whereas we want to restrict it so that the VPN only connects once its profile has been pushed from EMS; if we manually connect the SSL VPN, it should be restricted.

We have also implemented a scenario where the VPN only connects once EMS is connected, but now we have the other, more challenging scenario mentioned above.

I request the seniors to please help with this.


Thanks


6 replies

dunalfu2
New Member
August 25, 2025

When you use the Fabric connector for EMS, it feeds a dynamic address group for your registered / connected clients. Keep in mind that you need to open up your EMS VIP, so the clients can send telemetry before they get into this address group.

AEK
SuperUser
August 25, 2025

Hi Muhammad

You can do that by disabling "Allow Personal VPN" in the profile. Once it is pushed, the user will not be able to create a personal VPN config anymore.

[screenshot: vpn_01.png]

Another method I usually adopt is to use tags at the firewall level in the VPN-related policy, so any non-compliant host that can connect will not be able to access any resource.

AEK
muhammadsaad
New Member
August 25, 2025

Hi,

Thanks for the reply. How will this scenario be implemented, since before the profile is pushed from the EMS, the user gets connected when we connect to the EMS and configure the VPN manually?

The scenario you are referring to is after the profile gets pushed from EMS to FortiClient.

Please confirm: if we disable "Allow Personal VPN" in the profile, what will happen?
(Will the manually created VPNs be automatically removed, or something else?)

AEK
SuperUser
August 25, 2025

When you create the installer you can push the VPN profile that denies configuring personal VPN. This way the user can't create any VPN from the moment he installs FortiClient, and even before it connects to EMS.

[screenshot: fct_installer.png]

Please confirm: if we disable "Allow Personal VPN" in the profile, what will happen?

-> I didn't test it, but I guess once the profile is pushed the user will not see his personal VPN config anymore (but you can double-check by testing).

AEK
muhammadsaad
New Member
August 25, 2025

Alright, thanks for the help and support. Right now we are using EMS version 7.4.1 and there is an installer creation error on this version.
I will cross-check that again.

By the way, any other workarounds?

muhammadsaad
New Member
August 25, 2025

@AEK ,

By applying the above two suggestions, the issue will still be pending, because what we want is that only company-based laptops will be able to log in.

In the current scenario, we have integrated Azure IdP for MFA authentication. If there is any vendor-based laptop, it also gets connected through company-provided Azure IdP credentials, just because the users are authenticated via Azure IdP and their UPN contains that domain, which causes the tag to match even though the machine itself is not domain-joined. This behavior is expected, since FortiClient interprets the logged-in user's domain.

What's happening right now is that on any laptop other than the company-provided ones, if we download FortiClient, connect to the EMS and manually configure the SSL VPN, we are able to get connected, whereas we want to restrict it to only company-provided laptops.

funkylicious
SuperUser
August 26, 2025

hi,

If I understand your situation correctly, you say that when a client connects to the IP of EMS, it doesn't get the VPN connection profile? Have you tried any troubleshooting/debug on the client? When you created the installer, did you assign it the VPN profile? Is the connection via invite code, or can anyone who knows the IP/hostname of the EMS connect?

Also, you want to restrict the creation of manual VPN connections after the client connects to EMS. This can be done by disabling Allow Personal VPN as @AEK described below.

If you want to only allow EMS-registered endpoints to connect, then you should have a look at https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/710480/enhancing-vpn-security-using-ems-sn-verification , which requires FortiOS >= 7.4.2

"jack of all trades, master of none"
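As an added example (not configuration from any participant in this thread), the FortiOS CLI fragments below combine the two controls discussed above: AEK's suggestion of gating the VPN-related firewall policy on EMS tags, and the EMS serial-number verification from the 7.4.2 guide that funkylicious linked. Object names such as "EMS1", "EMS1_ZTNA_Compliant", "port1", "port2", "LAN_servers", "SSLVPN_TUNNEL_ADDR1" and "sslvpngroup" are assumptions; the EMS tag address is created automatically by the connector rather than by hand, and the `ems-sn-check` option should be verified against your own FortiOS build.

```fortios
# Added example, not from the thread. All object names are assumptions.

# 1. EMS Fabric connector. Once authorized, FortiGate learns the EMS
#    Zero Trust tags and exposes each as a dynamic firewall address
#    (type dynamic, sub-type ems-tag), e.g. "EMS1_ZTNA_Compliant".
#    An endpoint's IP only appears in that address after it sends
#    telemetry, so the EMS VIP must be reachable from the client
#    (dunalfu2's point above).
config endpoint-control fctems
    edit 1
        set name "EMS1"
        set server "ems.example.com"
        set https-port 443
    next
end

# 2. SSL VPN settings. "ems-sn-check" (documented for FortiOS 7.4.2+)
#    rejects tunnel requests from a FortiClient whose serial number is
#    not registered to this EMS, which is what stops a personal laptop
#    that merely knows the gateway address and valid IdP credentials.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"
    set ems-sn-check enable
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

# 3. Firewall policy from the tunnel interface. srcaddr is the dynamic
#    EMS tag address alone: listing the tunnel pool alongside it would
#    OR the two and let any tunnel client through. A connected but
#    non-compliant host therefore has a tunnel IP but matches nothing
#    and falls to the implicit deny.
config firewall policy
    edit 10
        set name "SSLVPN-compliant-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "EMS1_ZTNA_Compliant"
        set dstaddr "LAN_servers"
        set groups "sslvpngroup"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To confirm the tag gate is actually doing work, check that a connected test client's tunnel IP shows up under the tag address with `diagnose firewall dynamic list` and that the connector is healthy with `diagnose endpoint fctems test-connectivity EMS1` (connector name as assumed above). If the tag address stays empty, the usual cause is the telemetry path to the EMS VIP being blocked, not the policy.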
muhammadsaad
New Member
August 26, 2025

- Basically, for vendors we will manually allow them the profile once they connect to the EMS.

- EMS will be connected via IP.

- Moreover, by disabling Allow Personal VPN, the manually created profiles are not removed from FortiClient.

Our pain point is the one I mentioned earlier.

Thanks

funkylicious
SuperUser
August 26, 2025

Indeed, if an existing VPN profile is already configured, it won't be deleted when disabling Allow Personal VPN; it would just disable the ability of the user to create any other ones afterwards.

"jack of all trades, master of none"
AEK
SuperUser
August 26, 2025

This should help as well.

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Secure-remote-access-configuration-guide/ta-p/190121

What's happening right now is that on any laptop other than the company-provided ones, if we download FortiClient, connect to the EMS through its IP and manually configure the SSL VPN, we are able to get connected

-> Once again, this cannot happen if you don't open registration to anyone who has FortiClient. You have to register only company-provided laptops. So anyone else who downloads FCT and tries to connect to EMS will not be able to register, and then when you set up the above tech tip, the rogue client will not be able to connect to VPN.

AEK
muhammadsaad
New Member
August 26, 2025

We are practicing it this way, as you said.

We have a use case where an employee belongs to the IT department and knows the IP and other details for both EMS and SSL VPN; if he uses his personal laptop and downloads FortiClient, he will be able to get connected.

We just want to restrict this user so that he will not be able to use his personal laptop; please suggest how we can restrict the user.

 

That's my simple point.

AEK
SuperUser
August 26, 2025

As suggested before, you can still use tags at the firewall level in the VPN-related policy, so any non-compliant host that can connect to VPN will not be able to access any resource.

AEK
muhammadsaad (Author, Answer)
New Member
August 29, 2025

Team,

The issue has been resolved. Please find the summary below:

  1. When FortiClient connects to the EMS, it automatically receives the default policy. If any profiles are associated with these default policies, they will also be applied, overwriting any manually configured policies. Required tags will be pushed as well. Endpoints that meet the tag requirements will be able to connect successfully.

  2. Once this is in place, we can enforce the restriction that endpoints must be connected to the EMS for services to function properly.