#config vpn ssl web portal
set tunnel-mode enable
set web-mode enable
set host-check av-fw <---
set save-password enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling disable
FortiClient installed on Windows Server (Windows Server 2008, 2012, 2016 and other Older or Newer versions) can not connect to SSL VPN if "config vpn ssl web portal" has option "host-check" enabled.The connection will fail around 45% with error.
A Warning is issued to the client:
'Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface. (-455)'
This is because FortiClient SSLVPN uses WMI namespace "\root\SecurityCenter2" or Win32API WscGetSecurityProviderHealth() to check AntiVirus product health status.
Security Center is the only accurate technique to query Windows for the state of 3rd party AV/FW products.
Unfortunately, this namespace and API are not available on Windows Server platform, but they are only available on regular Windows OS like Win7, Win 10 etc.
This is the reason host-check failure happens when host-check is enabled and FortiClient on Windows Server tries to connect to the SSL VPN.
The Windows Management Instrumentation Tester window will show up.
Click on 'Connect' and type in root\securitycenter2 and click 'Connect' again.
If error "Invalid namespace" show up, it means this Windows Server/OS does not support the required namespace to detect the installed AV and hence can not assist with the Host-Check by FortiClient.
Double click on 'AntiVirusProduct'
If 'AntiVirusProduct' is not visible, again it means the Win OS can not detect the installed AV and hence can not assist with the Host-Check by FortiClient.