melkool
New Member
November 15, 2024
Question

FortiEMS and AutoConnect/AlwaysUP

  • November 15, 2024
  • 8 replies
  • 7630 views

Hi Team,

So I have a case with TAC that has been hitting the wall for the last 2 weeks. I have a client with 800 users, FortiGate and FortiEMS.

The main reason that he purchased FortiEMS is to have the users always connected and to be able to control which user can disconnect or not.

The problem is that even though everything looks just fine and has the proper configuration from all the possible documentation, the auto-connect is not working! Not to speak about "user


EMS:

<options>
<allow_personal_vpns>0</allow_personal_vpns>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<keep_running_max_tries>0</keep_running_max_tries>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<disable_connect_disconnect>1</disable_connect_disconnect>
<secure_remote_access>1</secure_remote_access>
<show_vpn_before_logon>0</show_vpn_before_logon>
<show_negotiation_wnd>1</show_negotiation_wnd>
<on_os_start_connect/>
<autoconnect_on_install>1</autoconnect_on_install>
<suppress_vpn_notification>0</suppress_vpn_notification>
<use_windows_credentials>1</use_windows_credentials>
<minimize_window_on_connect>0</minimize_window_on_connect>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<after_logon_saml_auth>0</after_logon_saml_auth>
<current_connection_name>vpn.gw</current_connection_name>
<current_connection_type>ipsec</current_connection_type>
<autoconnect_tunnel>vpn.gw</autoconnect_tunnel>
</options>


Fortigate:

config vpn ipsec phase1-interface
    edit "VPN"
        set xauthtype auto
        set save-password enable
        set client-auto-negotiate enable
        set dpd-retryinterval 60
    next
end


Nothing works!

The client is pushed with SCCM; after installation it connects to EMS, the policy is fetched, the Remote Access tab appears, but the user has to enter username and password :) After that, if the network card is disconnected and EMS goes down, upon restoration EMS connects back and fetches the policy, but again Remote Access requires a password to connect.


To be honest I'm out of any ideas. Any help will be really appreciated.


8 replies

maulishshah
Staff
November 15, 2024

Hi @melkool,


Can you please make the following change: under the XML config for the SSL VPN tunnel, try to find a tag called <keep_running> and change the value from 0 to 1.


Let us know if that fixes the issue for you. 


Thank you. 

melkool (Author)
New Member
November 15, 2024

Hi Maulish,

The client is using IPsec VPN, as you can see in config vpn ipsec phase1-interface :)

MZBZ
Staff
November 16, 2024

The feature you need is "Always up" or "Keep alive". As per documentation:


Always Up (Keep Alive)

When selected, the VPN connection is always up. If the connection fails, possibly due to network errors, FortiClient attempts to reconnect. If credentials (username and password) are saved, FortiClient attempts to reconnect silently. If credentials are insufficient (for instance, multifactor authentication is required or password is not saved), FortiClient prompts for credentials.

Enabling always up enables Save Password.


If you are using SAML for authentication, this is achieved by "Persistent cookies" from the IdP.

FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the IdP, discussed as follows:

If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.

Please refer to the following docs for configuration guidance.


FortiMax_it
Explorer III
November 16, 2024

Hi, after many tests I used this configuration to start an IPSEC VPN at PC startup without user interaction. See if it is your case:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Automatic-FortiClient-VPN-connection-on-the-PC/ta-p/268496

melkool (Author)
New Member
November 16, 2024

Hi FortiMax_it.

As the "XML" is not documented I have no idea if <machine> and <keep running> are usable in 7.4.0. Also <on_os_start>: this syntax is completely missing from my 7.4.0 XML. Not sure if this was used in early versions, but to be honest I am kind of afraid to test it and FUBAR ~540 users if something goes wrong.

I'll clone the profile and have a try on my VM.


Thanks for the info, it's the best information until now :) even after 3h with TAC.

MZBZ
Staff
November 17, 2024
melkool (Author)
New Member
November 19, 2024

Thanks for the info. I've managed to make it work (somehow).

Right now I have another issue. I was instructed by TAC to disable "on/off fabric" profiles in order to, quote, "not disturb the EMS client".

So before, I was using On-Fabric with profile X and Off-Fabric with a default profile just for the "Remote Access" tab to be inactive.

Right now I have the same profile for both On and Off-Fabric, and I have set <connect_only_when_offnet>1. Detection works! But the client connects to the VPN as if it has "always on", connect on start, etc. etc.

Am I asking too much from this platform? I mean it's something very simple that worked in the past with another vendor:


- 800 users

- 2 policies (no permission to disable VPN; permission to disable VPN)

- always on / permanent VPN when not in network (100% full route back to gateway)

- When "On-Fabric" is detected by the public IP (which works great), do not connect. Or if "connected", terminate the connection.


I mean I can block it from the firewall, but since this is an EMS there should be something there that I couldn't find.


So to be honest my idea is to switch back to the On-Fabric profile, but then I will have issues when Off-Fabric, as the client will try 3 times to connect and then it will stop (at least this is what TAC told me).

MZBZ
Staff
November 19, 2024

You can have multiple tunnels in a Remote Access profile.

- Each tunnel has a separate "<keep_running>" tag.

- The Remote Access profile has just one "<autoconnect_tunnel>" tag.

- The Remote Access profile has just one "<autoconnect_only_when_offnet>" tag.


Autoconnect does NOT mean and does NOT do "auto reconnecting if disconnected". Resuming a broken/disconnected connection is done by <keep_running> (a.k.a. Always Up): Enabling VPN always up | FortiClient 7.4.1 | Fortinet Document Library
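
To make the distinction above concrete, here is an added example (not from this thread or from Fortinet) that lints a FortiClient profile fragment for the three tags discussed: one <autoconnect_tunnel>, one <autoconnect_only_when_offnet>, and a per-tunnel <keep_running>. The <connections>/<connection>/<name> path and the sample values are assumptions constructed for the demonstration.

```python
# Added example: lint an EMS-pushed FortiClient VPN profile for the autoconnect /
# always-up tags discussed in the thread. Not Fortinet code; the element path
# <connections><connection><name> used below is an assumption for this demo.
import xml.etree.ElementTree as ET

# Constructed sample fragment (values modelled on the thread, not a real export).
SAMPLE_PROFILE = """
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
        <autoconnect_tunnel>vpn.gw</autoconnect_tunnel>
        <disable_connect_disconnect>1</disable_connect_disconnect>
      </options>
      <connections>
        <connection><name>vpn.gw</name><keep_running>0</keep_running></connection>
        <connection><name>backup.gw</name><keep_running>1</keep_running></connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def lint_profile(xml_text, expect_offnet_only=True):
    """Return findings explaining why autoconnect/always-up may not behave as intended."""
    root = ET.fromstring(xml_text)
    findings = []
    ipsec = root.find("./vpn/ipsecvpn")
    options = ipsec.find("options")
    tunnel = options.findtext("autoconnect_tunnel", default="").strip()
    offnet = options.findtext("autoconnect_only_when_offnet", default="0").strip()
    if not tunnel:
        findings.append("no <autoconnect_tunnel> set: nothing will auto-connect")
    conns = {c.findtext("name", default="").strip(): c
             for c in ipsec.iterfind("connections/connection")}
    if tunnel and tunnel not in conns:
        findings.append(f"<autoconnect_tunnel> '{tunnel}' matches no <connection> name")
    for name, conn in conns.items():
        # <keep_running> is per tunnel; autoconnect alone never resumes a dropped tunnel.
        if conn.findtext("keep_running", default="0").strip() != "1":
            findings.append(f"tunnel '{name}': <keep_running> is not 1, so it will not resume after a drop")
    if expect_offnet_only and offnet != "1":
        findings.append("<autoconnect_only_when_offnet> is 0: the tunnel will also auto-connect on-net")
    return findings
```

Run it against the profile exported from EMS before pushing a change to a large fleet; an empty list means the three tags agree with the intended behaviour.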


melkool (Author)
New Member
November 19, 2024

Thanks but it does not answer my question / problem.

Right now I have almost all users in their office, so "Online - On-net" and connected to VPN. Unnecessary load for the gateway. If they go Off-Net everything is fine, but why the f word are they connecting from inside when the "autoconnect only when offnet" is there and the condition is met? Confirmed by the FortiEMS GUI. It met the condition by WAN IP detection.

MZBZ
Staff
November 19, 2024

Confirm your "On-fabric Detection Rules" are working correctly. Find the endpoint and check the Status, Location, and Matched Rules.

Open a TAC ticket if the behavior does not match the configuration. You should provide access to test endpoints during the troubleshooting and update FortiClient to the latest stable GA release (compatible with EMS and your environment).


melkool (Author)
New Member
November 19, 2024

Hmm, I don't want to be "that guy", but I have 3 open tickets with TAC.

Just for one of them I got a message saying "I am sorry, I'm out on vacation". That's it :(

Over the years TAC is useless! I tried escalating by phone but I was told something like "well, this is a new setup, it doesn't matter if it's in production. If it's something that never worked, you cannot escalate". So just a middle finger, and regretting switching to Fortinet.


But back to our case.

I can confirm, with a print screen, that indeed the On-Fabric Detection rule is there! It matches the public IP, it's saying that the client is Online/On-Net, but still it connects the god **bleep** tunnel :)

I'm slowly dying here...