jdelafuente_FTNT
Article Id 314512
Description

 

This article describes how to prevent the dynamic DNS updates that FortiClient performs on an SSL VPN connection. These updates may affect the FortiNAC tag.

 

Scope

 

FortiClient VPN, FortiClient EMS, FortiNAC.

 

Solution

 

By default, FortiClient EMS and FortiClient VPN try to perform a dynamic DNS update on an SSL VPN connection. In some scenarios with FortiNAC_tag, this may cause issues with the FSSO Collector Agent, because its 'IP address change timer' will detect an update in the IP address.

 

To prevent this, set the no_dns_registration parameter to '1'.

 

  • FortiClient EMS.

Go to Endpoint Profiles\ Remote Access\ [Profile name]\ XML\ Edit, locate no_dns_registration and set it to 1.

 


 

Save changes and wait for the next FortiClient EMS Telemetry update. 

 

  • FortiClient VPN.

Create a backup: select the engine icon\ Backup\ set a name\ set the file location\ set a password and select OK.

 


Open the backup file with a simple text editor such as Notepad or Notepad++, change no_dns_registration from 0 to 1, then save.

 


Restore the backup: select the engine icon\ Restore\ browse to the backup file\ enter the password and select OK.

 


 

Parameters:

0: FortiClient will try to register ALL NIC addresses in DNS (default parameter).

1: FortiClient will NOT register any IP.

2: FortiClient will try to register ONLY the VPN-SSL tunnel IP in DNS.
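
The manual edit of the backup file can also be checked and applied with a script. The following is an added example, not Fortinet code: the sample XML is constructed, the nesting around no_dns_registration is an assumption, and the script finds the element by name wherever it sits in the file.

```python
import xml.etree.ElementTree as ET

# Meanings taken from the parameter list in this article.
MEANING = {
    "0": "register ALL NIC addresses in DNS (default)",
    "1": "do NOT register any IP",
    "2": "register ONLY the SSL VPN tunnel IP in DNS",
}

# Constructed sample; the nesting around no_dns_registration is an assumption.
SAMPLE_XML = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <no_dns_registration>0</no_dns_registration>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>"""


def audit(xml_text):
    """Return the current value of every no_dns_registration element."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter("no_dns_registration")]


def set_no_dns_registration(xml_text, value="1"):
    """Return (new_xml, changed_count); refuse values the article does not list."""
    if value not in MEANING:
        raise ValueError(f"unsupported value {value!r}")
    root = ET.fromstring(xml_text)
    nodes = list(root.iter("no_dns_registration"))
    if not nodes:
        # Do not guess where the element belongs; leave the file alone.
        raise LookupError("no_dns_registration not found in configuration")
    changed = 0
    for el in nodes:
        if (el.text or "").strip() != value:
            el.text = value
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("before:", [(v, MEANING.get(v, "unknown")) for v in audit(SAMPLE_XML)])
    fixed, n = set_no_dns_registration(SAMPLE_XML)
    print(f"changed {n} element(s); after:", audit(fixed))
```

ElementTree drops comments and the XML declaration when it re-serializes, so compare the output with the original backup before restoring it.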

 

Related document:

SSL VPN