ergotherego
New Member
June 20, 2017
Question

How to migrate off-net users from manually defined FortiClient settings to EMS managed?

I have users connecting to SSLVPN using FortiClient with manually defined VPN settings.

I am introducing new VPN gateways and FortiClientEMS and want them to be able to connect to EMS to automatically get the new VPN profiles.

EMS can see the machine accounts, but it cannot see the IP address, so it cannot attempt to connect to them in order to push the profile. These are all remote users, so their connectivity to EMS is through the VPN.

If I have users manually enter the EMS IP in FortiClient they do get connected/managed by EMS. But with so many users, I am needing a way to do this automatically. I got it working for myself (also remote) but for some reason it's not working for anyone else.

How can I configure the FortiGates to report connected users and their IP addresses up to EMS so it can connect to them?

    ergotherego
    New Member
    June 24, 2017

    This is mostly working now. The main issue we had is that the EMS server and the workstations it manages are in different domains - and the DNS suffix list on the EMS server did not include the workstation domain. So it could not resolve the workstation hostnames.

    Per TAC it's not possible to set up telemetry/communication between a FGT and EMS directly to report VPN clients. And this KB article mentions the only method of EMS establishing communication is to resolve workstation/machine hostnames:

  • Cannot ping endpoint by name (EMS only deploys by host name)
  • http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD37594&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=109270082&stateId=0%200%20109268930

    Additionally it appears we need to enable DNS scavenging on our domain controllers - many users have multiple/stale A records for their machines. Going to test that next week and hopefully that will solve the rest of our issues.

    http://www.howtodigitalst...or-domain-controllers/
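An added PowerShell check (not from the original post, Fortinet or the KB article) that walks the three failure points the reply describes: the EMS server's DNS suffix search list, resolution of bare workstation names the way EMS resolves them, and duplicate or stale A records plus zone aging on the AD-integrated DNS server. It assumes it runs on the EMS host with the DnsServer RSAT module installed; the zone, server and host names are placeholders.

```powershell
# Added check, not part of the original post. Placeholders: replace with your
# workstation DNS zone, an AD-integrated DNS server and a few known host names.
$WorkstationZone = 'workstations.example.com'   # placeholder: zone the endpoints register in
$DnsServer       = 'dc01.example.com'           # placeholder: AD DNS server hosting that zone
$SampleHosts     = @('ws-0001', 'ws-0002')      # placeholder: short names as EMS sees them

# 1. EMS only deploys by host name, so the EMS server must append the workstation
#    domain when it resolves a bare name. Warn if the suffix search list lacks it.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
if ($suffixes -notcontains $WorkstationZone) {
    Write-Warning "Suffix search list lacks $WorkstationZone : $($suffixes -join ', ')"
}

# 2. Resolve each short name exactly as EMS would (bare name + suffix search list)
#    and show which address EMS would try to reach.
foreach ($h in $SampleHosts) {
    try {
        $a = Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
             Where-Object QueryType -eq 'A'
        "{0,-12} -> {1}" -f $h, (($a.IPAddress) -join ', ')
    } catch {
        Write-Warning "Cannot resolve $h : $($_.Exception.Message)"
    }
}

# 3. Stale or duplicate A records send EMS to an address the endpoint no longer
#    holds. List host names with more than one A record, with the dynamic-update
#    timestamp of each, then confirm aging/scavenging is enabled on the zone.
$dupes = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $WorkstationZone -RRType A |
         Group-Object HostName | Where-Object Count -gt 1
foreach ($g in $dupes) {
    foreach ($r in $g.Group) {
        # Timestamp is empty for static records; those are never scavenged.
        "{0,-12} {1,-16} timestamp={2}" -f $g.Name, $r.RecordData.IPv4Address, $r.Timestamp
    }
}
$aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $WorkstationZone
if (-not $aging.AgingEnabled) {
    Write-Warning "Aging/scavenging is not enabled on zone $WorkstationZone"
}
```

Step 3 only reports; enabling scavenging on the zone and server is a separate change that should be made with the refresh/no-refresh intervals reviewed against the DHCP lease time.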