stlblufan
New Member
August 26, 2014
Solved

On-Net / Off-Net

  • August 26, 2014
  • 17 replies
  • 57661 views
I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
    Best answer by rwdorman
    Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate, and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work, so YMMV.

    17 replies

    Christopher_McMullan
    Staff
    April 9, 2015

    I was just chatting with one of my colleagues, who was mentioning Option 224. He tested that regular text works in Windows Server 2012, but that hex is required in 2008R2 and below.

    It jogged my Rain Man memory about this post, so I decided to answer your question.

    If you need to use hex, and don't want to manually run the conversion, set the FortiGate as the DHCP server and sniff a DHCP request to retrieve the proper hex string for the serial number.

    Otherwise, if you have a 2012 instance, capture the string using Wireshark.
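    As an added example (not code from any poster in this thread), the two steps Christopher describes can be checked offline: converting a FortiGate serial to the hex form that 2008R2 expects, and walking the option area of a captured DHCP packet to confirm that option 224 is actually being sent. The serial value and the packet below are constructed placeholders, and the option number 224 is assumed from this thread, not a registered DHCP option.

```python
from typing import Dict, Optional

FORTICLIENT_OPTION = 224        # site-specific option used in this thread (assumption)
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that precedes the options
BOOTP_HEADER_LEN = 236           # fixed BOOTP header before the cookie


def serial_to_hex(serial: str) -> str:
    """Return the ASCII serial as the hex string a 2008R2 DHCP option needs."""
    return serial.encode("ascii").hex()


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area of a DHCP packet and return {code: value}."""
    cookie_end = BOOTP_HEADER_LEN + len(DHCP_MAGIC)
    if len(packet) < cookie_end or packet[BOOTP_HEADER_LEN:cookie_end] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options: Dict[int, bytes] = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == 0:           # pad byte, no length field
            i += 1
            continue
        if code == 255:         # end of options
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def forticlient_serial(packet: bytes) -> Optional[str]:
    """Serial carried in option 224, or None if the server did not send it."""
    raw = parse_dhcp_options(packet).get(FORTICLIENT_OPTION)
    return raw.decode("ascii", errors="replace") if raw else None


def build_sample_offer(serial: Optional[str]) -> bytes:
    """Constructed minimal DHCP OFFER for testing; not a real capture."""
    header = bytes(BOOTP_HEADER_LEN)          # zeroed header is enough for option parsing
    opts = bytes([53, 1, 2])                  # option 53: DHCP message type = OFFER
    if serial:
        value = serial.encode("ascii")
        opts += bytes([FORTICLIENT_OPTION, len(value)]) + value
    return header + DHCP_MAGIC + opts + b"\xff"


if __name__ == "__main__":
    print(serial_to_hex("FGT60C"))                               # hex to paste into 2008R2
    print(forticlient_serial(build_sample_offer("FGT-PLACEHOLDER-SERIAL")))
```

To check a real capture, export the DHCP OFFER or ACK from Wireshark as raw bytes and pass it to forticlient_serial; a None result means the scope is not sending option 224 at all.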

    jodros
    New Member
    April 23, 2015

    How does option 224 with a serial number work in a clustered environment?  I need to get this configured as we cannot have our fortigates running as our corporate DHCP servers.  They are in a cluster.  Do I need to enter both in option 224?  Do I only need to enter the master?

     

    Thanks

    terry_jjr
    New Member
    May 4, 2015

    So I configured a predefined option on our 2008R2 DHCP server IPv4 as follows: name - forticlient status, data type - String, code - 224, no description.  Clicked OK and then added the HEX string which I got by converting the serial number to HEX here http://www.asciitohex.com/  I then configured the new DHCP option on the single scope and I am testing now.

     

    It's worth mentioning that I am running 5.2.3 firewall firmware and 5.2.3 FortiClient.  The status shows registered-online whether I am connected internally or via VPN.  The only thing that changes is the interface that I am connected to on the firewall (port1 or vpn_0).

     

    The problem I have is that I do not have the DHCP option enabled in the fortigate which means the tick box for the client on-net/off-net status is not available or enabled.  How do you guys that have this working deal with this?

    jodros
    New Member
    May 5, 2015

    I am glad you have this working.  Yes you will see different interfaces if your fortigate is also terminating a VPN.  I am assuming that the 2008R2 server is providing DHCP for VPN users?

     

    As far as your problem, I am confused.  Do you need a way to monitor which FortiClients are showing on/off net?  If so you can under monitoring.

    terry_jjr
    New Member
    May 5, 2015

    Hi Jodros,

     

    as per my screenshot, in order for the fortigate to register what a client is doing and whether it is on-net (internal) or off-net (external), you need to have that option ticked.  This option is only available if all three options are ticked as per the screenshot.

     

    My problem is that the clients appear to be working, but when the VPN is established, they still appear on-net according to the monitoring tab in the FortiGate GUI.

     

    thanks,

     

    jodros wrote:

    I am glad you have this working.  Yes you will see different interfaces if your fortigate is also terminating a VPN.  I am assuming that the 2008R2 server is providing DHCP for VPN users?

     

    As far as your problem, I am confused.  Do you need a way to monitor which FortiClients are showing on/off net?  If so you can under monitoring.

    terry_jjr
    New Member
    May 5, 2015

    I just did some Wireshark sniffing on the DHCP client on the internal network and I couldn't see option 224 coming from the DHCP server.  I am wondering if my settings are correct.  I can see all the other standard options in the Wireshark file.  Do my settings look correct on the DHCP server?

    terry_jjr
    New Member
    May 7, 2015

    The on-net/off-net status option is not available in the VPN configuration.  I am only able to specify the range the fortigate will give the clients and nothing more :(

     

    It appears that there is a growing demand for a feature to support 3rd party DHCP based on customer feedback.

    The more people that ask for this, the faster it will be delivered.

    jodros
    New Member
    May 8, 2015

    I see.  I have not dealt with the SSLVPN configuration on the fortigate, as we utilize Juniper.  Is it causing any issues having the FortiClient think that it is off-net when you are connected over SSLVPN?

    Jeroen
    New Member
    May 12, 2015

    We've tried the option 224 in a Windows 2008 environment, with Windows 7 clients. This seems to work perfectly. But the Apple users with FortiClient don't show up on-net when they are in the same segment as the other Windows 7 clients.

    PACIT
    New Member
    June 12, 2017

    I am new to Forti-ALL. We have just purchased a 100e FortiGate V5.4.  I want to employ FortiClient across our campus but must see it in action working as needed before I can buck the 3rd party support that sold us the FortiGate, as they are pushing something else. My background 6 years removed was Novell, but I'm working this MS Server 2008 environment now that provides DHCP from the server.  I see 5.4 requires DHCP running on the FortiGate to provide "On-Net / Off-Net" recognition.  I NEED to make sure laptops going off campus cannot disable FortiClient. Can the FortiGate DHCP service run parallel to the Microsoft AD-DHCP in a limited fashion just for remote clients?