Description
This article explains how to configure Secure Remote Access. This feature enhances VPN security by continuously checking for the presence or absence of a Security Posture Tag, allowing or blocking a new VPN connection and terminating an already established VPN tunnel if the Security Posture Tag check fails.
Scope
FortiClient EMS, FortiClient Windows, FortiClient macOS, FortiClient Linux
Solution
Explanation:
- In FortiClient Secure Remote Access, a Security Posture Tag condition is defined that the endpoint must fulfil to establish and maintain a VPN connection.
- When the Secure Remote Access tag check fails:
  - A new VPN connection attempt fails with a warning.
  - An already established VPN connection is disconnected and a warning is shown.
  - The warning text is the message configured under 'Customize Host Check Fail Warning'.
  - If no message is configured, the user sees the default message 'VPN blocked, please contact IT administrator'.
- Configure the tag as either the Allowed or the Prohibited type. An Allowed-type tag permits the VPN connection only when the specified tag is present on the endpoint; a Prohibited-type tag blocks the VPN connection when the specified tag is present.
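The decision logic described above, written out as an added illustrative model of the Allowed/Prohibited semantics, the warning fallback and the treatment of new versus established tunnels. This is not FortiClient code; the class, function and rule-type names are assumptions made for the example.

```python
from dataclasses import dataclass

# Message shown when no 'Customize Host Check Fail Warning' text is configured.
DEFAULT_WARNING = "VPN blocked, please contact IT administrator"


@dataclass
class SecureRemoteAccessRule:
    """Model of one Secure Remote Access tag rule (assumed structure)."""
    tag: str                   # Security Posture Tag name assigned by EMS
    rule_type: str             # "allowed" or "prohibited"
    custom_warning: str = ""   # optional customised host-check failure text

    def check_passes(self, endpoint_tags) -> bool:
        """True when the endpoint's current tag set satisfies the rule."""
        present = self.tag in endpoint_tags
        if self.rule_type == "allowed":
            return present        # VPN allowed only while the tag is present
        if self.rule_type == "prohibited":
            return not present    # VPN blocked whenever the tag is present
        raise ValueError(f"unknown rule type: {self.rule_type!r}")

    def warning(self) -> str:
        """Custom message if configured, otherwise the built-in default."""
        return self.custom_warning or DEFAULT_WARNING


def evaluate(rule, endpoint_tags, tunnel_established):
    """Outcome of one posture evaluation as (action, message).

    action is 'connect' (new connection allowed), 'keep' (established
    tunnel stays up), 'block' (new connection refused with a warning) or
    'disconnect' (established tunnel torn down with a warning).
    """
    if rule.check_passes(endpoint_tags):
        return ("keep" if tunnel_established else "connect", "")
    return ("disconnect" if tunnel_established else "block", rule.warning())


if __name__ == "__main__":
    # Constructed sample: an Allowed-type rule on the File-Present tag.
    rule = SecureRemoteAccessRule(tag="File-Present", rule_type="allowed")
    print(evaluate(rule, {"File-Present"}, tunnel_established=False))
    print(evaluate(rule, set(), tunnel_established=True))
```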
Configuration:
- Configure a Security Posture Tag rule on EMS. In EMS v7.2.x, Security Posture Tags are called Zero Trust Tags.
- In this example, the Security Posture Tag checks whether a specific file is present on the endpoint.
- Enabling the Secure Remote Access feature:
  - Log in to EMS -> Endpoint Profiles -> Remote Access -> Edit the Profile -> Advanced -> Enable 'Secure Remote Access'.
- Configuring the Secure Remote Access rule:
  - Scroll down to the bottom, select and edit the Tunnel -> Advanced Settings -> Under Tags -> Select the Tag -> Select the type, either Allowed or Prohibited -> Save.
  - Where necessary, enable 'Customize Host Check Fail Warning' and specify the message to be displayed if the Secure Remote Access check fails.
- Error shown when trying to connect the VPN while the File-Present Security Posture Tag is not present on the endpoint:
Docs for reference:
Notes:
- The above is a client-side check. For example, it will not block a VPN connection to the FortiGate from a free FortiClient unless additional checks are enforced on the FortiGate.
- To strengthen security further on the FortiGate, enable the EMS SN check and use Security Posture Tags in the VPN policies.