Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anderson_yee
Staff
Staff

Created on ‎08-21-2023 08:12 AM Edited on ‎10-15-2025 05:57 AM By Community Manager

Article Id 269644

Technical Tip: Software Installation and Process as SSL VPN host check requirements

Description

 

This article describes how to use SSL VPN host check features to allow or prevent endpoints from connecting to FortiGate through SSL VPN, depending on software installation and process running state.

 

Scope

 

FortiGate, SSL VPN.

Solution

 

In certain organizations, endpoints are needed to install and run specified software before they can establish an SSL VPN connection.

 

For example, consider the following scenario: before making SSL VPN connections, endpoints are required to install endpoint security software (such as TrendMicro).
This article will demonstrate the process of setting up a custom host check policy and utilizing it to target a particular SSL VPN user group through the SSL VPN portal.

SSL VPN host check policy configuration.

  1. Using the registry editor, locate 'InstallStatus' under the TrendMicro software directory; this will be used as a custom registry check parameter.
 
 

anderson_yee_1-1692628762654.png

 

  1. Run the software and identify the process name (for example, TmsaInstance64.exe) by running tasklist under the command prompt.
                                                                                          

anderson_yee_2-1692628762668.png

  1. Using the acquired information, set up an SSL VPN host check policy that includes both registry and process checks.
    SSL VPN host check policy name: trendmicro_check.
    Registry check: HKEY_LOCAL_MACHINE\\SOFTWARE\\TrendMicro:InstallStatus==1.
    Process check: TmsaInstance64.exe.

 

anderson_yee_3-1692628873085.png

 

Notes:

  • Both 'HKLM' and 'HKEY_LOCAL_MACHINE' work under registry check.
  • SSLVPN host check features are only available in the free FortiClient as of version 7.0.3 and above.
  • The item checklist functions as an AND operator: for the SSL VPN to establish a connection, it needs to meet both requirements. (For example, the TrendMicro software is installed and running.)
  • On the other hand, if one of the host check requirements is not matched (for example, TrendMicro software is installed but not running), SSL VPN users will be unable to connect.

  1. Apply the SSL VPN host check policy to the specific SSL VPN portal (for example, full-access):


anderson_yee_4-1692628951196.png

 

For more information on host-check-policy passing conditions, check the following article: Technical Tip: Details about host check list and host-check passing conditions.


Testing and validation.
Case 1: TrendMicro software is not installed, or it is installed but not running.


Result: SSLVPN users are not able to connect to FortiGate as it does not meet the host check requirements.

 

anderson_yee_5-1692629000382.png

 

SSL VPN debug logs:

 

anderson_yee_6-1692629053125.png


Case 2: Software is installed and running.


Result: SSL VPN users can connect to FortiGate as it meets the host check requirement.

 

anderson_yee_6-1692627437743.png

2057
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.