rsingla
Staff
Created on 09-24-2019 11:32 PM, edited on 05-26-2022 06:56 AM by Anonymous
Article Id: 192227
Description
FortiClient installed on Windows Server (Windows Server 2008, 2012, 2016 and other older or newer versions) cannot connect to SSL VPN if host-check is enabled in the SSL VPN portal, as shown below:
# config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set host-check av-fw        <--- host check enabled here
        set save-password enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
Scope
FortiClient installed on Windows Server (Windows Server 2008, 2012, 2016 and other older or newer versions) cannot connect to SSL VPN if "config vpn ssl web portal" has the "host-check" option enabled. The connection fails at around 45% with an error.
A warning is issued to the client:
'Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface. (-455)'
This is because FortiClient SSL VPN uses the WMI namespace "\root\SecurityCenter2" or the Win32 API WscGetSecurityProviderHealth() to check the health status of the AntiVirus product.
Security Center is the only accurate technique to query Windows for the state of 3rd party AV/FW products.
Unfortunately, this namespace and API are not available on the Windows Server platform; they are only available on regular (desktop) Windows OS such as Win7, Win10 etc.
This is why the host-check fails when host-check is enabled and FortiClient on Windows Server tries to connect to the SSL VPN.
Solution
If Host-Check is mandatory for a customer environment, use desktop Windows OS platforms such as Win7, Win10 etc.
To verify whether a Windows OS has the WMI namespace "\root\SecurityCenter2" and can therefore support the FortiClient Host-Check, open the Run prompt (Windows Key + R) and type wbemtest.exe.
The Windows Management Instrumentation Tester window will show up.
Click 'Connect', type in root\securitycenter2 and click 'Connect' again.
If the error "Invalid namespace" shows up, this Windows Server/OS does not provide the namespace required to detect the installed AV and hence cannot support the FortiClient Host-Check.
Double click on 'AntiVirusProduct'.
If 'AntiVirusProduct' is not visible, this again means the Windows OS cannot detect the installed AV and hence cannot support the FortiClient Host-Check.
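The same check can be run unattended from PowerShell. The following is an added example, not part of the original article: it queries the namespace the host-check relies on, distinguishes a missing namespace (Windows Server) from a present one with no registered product, and decodes the AV state. It assumes PowerShell 3 or later (Get-CimInstance) and the commonly used interpretation of the undocumented productState field.

```powershell
# Added example, not from the article: automates the wbemtest check above and
# shows what root\SecurityCenter2 exposes, which is what the av-fw host-check reads.
# Assumption: Microsoft does not document the productState bit layout; the decode
# follows the commonly used reading (middle byte = enabled, low byte = signatures).
function ConvertFrom-ProductState {
    param([int]$State)
    $hex = '{0:X6}' -f $State                     # e.g. 266240 -> '041000'
    [pscustomobject]@{
        Enabled      = ($hex.Substring(2, 2) -in @('10', '11'))
        SignaturesOk = ($hex.Substring(4, 2) -eq '00')
    }
}

function Test-SecurityCenterHostCheck {
    $report = [ordered]@{ NamespacePresent = $false; Products = @(); Verdict = '' }
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        try {
            $items = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                     -ClassName $class -ErrorAction Stop
            $report.NamespacePresent = $true
            foreach ($p in $items) {
                $state = ConvertFrom-ProductState $p.productState
                $report.Products += [pscustomobject]@{
                    Class = $class; Name = $p.displayName
                    Enabled = $state.Enabled; SignaturesOk = $state.SignaturesOk
                }
            }
        } catch {
            # WBEM_E_INVALID_NAMESPACE (0x8004100E) is the "Invalid namespace" that
            # wbemtest shows on Windows Server: nothing exists for the host-check to read.
            if ($_.Exception.Message -match 'Invalid namespace|8004100E') {
                $report.Verdict = 'root\SecurityCenter2 missing (expected on Windows Server): av-fw host-check fails with -455'
                return [pscustomobject]$report
            }
            throw    # any other failure is a genuine error; surface it
        }
    }
    $avOk = $report.Products | Where-Object { $_.Class -eq 'AntiVirusProduct' -and $_.Enabled -and $_.SignaturesOk }
    if ($report.Products.Count -eq 0) {
        $report.Verdict = 'Namespace present but no AV/firewall product is registered with Security Center'
    } elseif ($avOk) {
        $report.Verdict = 'Security Center reports an enabled, up-to-date AV; host-check can evaluate it'
    } else {
        $report.Verdict = 'Products registered, but no AV is both enabled and up to date'
    }
    [pscustomobject]$report
}

Test-SecurityCenterHostCheck | Format-List
```

Run it on the endpoint that fails with -455; a "missing" verdict confirms the platform limitation described above rather than a misconfigured AV.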
Related Articles
Technical Tip: Adding custom host check definitions for FortiGate SSL VPN host check feature