marcinUPP
New Contributor II

How to make connection to use Apple Remote Desktop through FortiClient VPN

My university utilizes FortiClientVPN to enable connection to the university's network to work remotely. Since macOS-based computers are very rare, our IT department does not provide any help for the system. I want to connect from home (MacBook Air) to work (Mac-mini), both with macOS Monterey (v.12).

I have FortiClientVPN 7.0.2 installed and configured on my MacBook according to the IT department, and it connects to the university's network, as the log reports indicate. I have enabled remote access in the preferences on my Mac-mini and installed Apple Remote Desktop (v.3.9.5) on my MacBook. I entered the Mac-mini's IP address to the ARD app as it was shown in its preferences as I was granting access to

However, trying to connect I get the error 'Connection failed to "<IP address>" Unable to communicate with “<IP address>”.  Make sure the remote computer is available and the firewall is not blocking screen sharing.'.

Both computers have Norton 360 installed, but disabling firewall protection on both does not change anything.

Can anyone help?

pvalente
Staff

Hi, could you please try the following:

  1. Double-click the FortiClient icon.
  2. Select the Acknowledge checkbox and then click I accept.
  3. Click Configure VPN.
  4. On the New VPN Connection screen, enter the following information:

     Connection Name: Enter a name, such as FTNT VPN
     Description: This field is optional
     Remote Gateway: FTNT.Fortinet.us (Example)
     Authentication: Select Save login
     Username: Enter your FTNT network user name (optional)

  5. Click Save.
  6. On the Connect screen:

     The Connection Name and Username should be automatically populated.

     Password:

     If you have an RSA SecurID soft token: Enter the 8-digit token that displays on your device (mobile phone). Do not enter the PIN as part of the FortiClient password.

     If you have an RSA SecurID hard token (fob): Enter your PIN + the 4 digit token (without spaces) that displays on your token.

  7. Click Connect. A connection to the AHS SSL VPN portal will be established. The window will minimize to the task bar.

*Note that this screen displays the assigned IP address from the SSL VPN located inside FTNT.

After you have successfully connected FortiClient, it can be used with the Remote Desktop Connection (RDP) tool to remotely access an FTNT computer from your personal computer.

Note: The target FTNT computer must be powered on and no other user can be logged on.

FortiClient must be active and connected.

Remote Desktop Connection is provided as part of Windows.

  1. Use the Windows search tool to search for remote desktop. Click Remote Desktop Connection.
  2. Type in the IP address.
  3. Enter your FTNT network username in this format: domain\username. Then enter your password.
  4. At the FTNT computer sign-on prompt, enter your AHS network username and password again.

You should now be connected and signed into your FTNT computer and have full access to your files, applications, and the network.

When your work is done, disconnect from FortiClient.

Best regards,

Pedro

Pedro Valente
marcinUPP
New Contributor II

@pvalente Hi! Thank you for your answer, but as I wrote in my question, both computers are macOS-based, not Windows, and I have Apple Remote Desktop for the remote connection.

KinPete
New Contributor

So, I have been fighting with this exact issue for a client of ours that is strictly running Mac OS X ranging from 10.14.x (Mojave) – 12.x (Monterey). Some are running on M1 chips and others on 2019 Intel chips.

In two cases I have had two different things happen, which is why I mention the OS + M1 vs Intel chip builds. In both cases we are unable to successfully connect to the company VPN using any version of the FortiClient-VPN-only client for Mac OS (ranging between 6.0.x - 7.0.0.0022) on devices running Monterey. We receive either the “Connection failed to xxx Server” or nothing happens.

However, if we install the FortiClient ZTNA client using the same configuration information, the Macs in question can connect to VPN with no issue (if you ignore the trial timer). The VPN only client as well as the ZTNA edition are being pulled down from the Fortinet site.

In one case, on a system that has an M1 chip, we were able to install the iPad / iOS version of the VPN only client, and though not optimal, are able to get a stable, active VPN connection.

(If you have an M1 chip Mac, you might try installing the VPN only iPad version from the Apple store, as M1 chip builds support iOS and iPad apps due to the ARM architecture.)

Does anyone know why the most recent build release of the paid version would work, but the most recent build release free version would not on a Mac??? To be clear, there is no issue connecting to the same VPN from a PC (running FortiClient VPN Only ver. 7.0.1.0083).

When reading this - https://docs.fortinet.com/document/forticlient/7.0.2/macos-release-notes/223986/special-notices the way it’s written implies no other steps are needed, but then promptly says you need to add these other options. I can attest to the fact that on a fresh install of the free FortiClient, only the “fctservctl” “fctservctl2” and “FortiClient” were present under Preferences> Security+ Privacy>Privacy>Full Disk Access.

Anyone have any ideas?

marcinUPP
New Contributor II

Hi @KinPete I have only “fctservctl2” and “FortiClient” present under Preferences> Security+ Privacy>Privacy>Full Disk Access and both are allowed. Where have the rest gone? According to the special notice you mention there should be a whole list (fcaptmon, fctservctl, fctservctl2, fmon, fmon2, FortiClient, FortiClientAgent)???

And in the status of the extensions, only one is running:

--- com.apple.system_extension.network_extension

enabled active teamID bundleID (version) name [state]

* * AH4XFXJ7DK com.fortinet.forticlient.macos.vpn.nwextension (1.4.8/B20210629) vpnprovider [activated enabled]

 

BTW both my machines are Intel-based.
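
Added example, not part of the posts above: a small shell helper that reads a system-extension listing in the format quoted in the post and reports whether the Fortinet network extension is in the `activated enabled` state. It assumes the listing comes from `systemextensionsctl list` (the post does not name the command); the function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. The data row in SAMPLE_OK is the one quoted in the post;
# SAMPLE_PENDING is constructed (same row, not yet approved) for comparison.
SAMPLE_OK='--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * AH4XFXJ7DK com.fortinet.forticlient.macos.vpn.nwextension (1.4.8/B20210629) vpnprovider [activated enabled]'
SAMPLE_PENDING='--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
AH4XFXJ7DK com.fortinet.forticlient.macos.vpn.nwextension (1.4.8/B20210629) vpnprovider [activated waiting for user]'

# ext_states (hypothetical name): read a listing on stdin and print
# "bundleID<TAB>state" for every extension row.
ext_states() {
    awk '
        $1 == "enabled" { next }                # skip the column header row
        /\(/ && /\[.*\][ \t]*$/ {
            state = $0
            sub(/^.*\[/, "", state)             # keep the text inside the last [...]
            sub(/\].*$/, "", state)
            for (i = 2; i <= NF; i++)           # the bundle ID precedes "(version)"
                if ($i ~ /^\(/) { printf "%s\t%s\n", $(i - 1), state; break }
        }'
}

# vpn_ext_ready PREFIX (hypothetical name): succeed only if at least one
# extension whose bundle ID starts with PREFIX is listed and every such
# extension is "activated enabled". A missing or pending extension fails.
vpn_ext_ready() {
    ext_states | awk -F '\t' -v p="$1" '
        index($1, p) == 1 { seen = 1; if ($2 != "activated enabled") bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Run both samples through the check.
printf '%s\n' "$SAMPLE_OK" | vpn_ext_ready com.fortinet. && echo "sample 1: ready"
printf '%s\n' "$SAMPLE_PENDING" | vpn_ext_ready com.fortinet. || echo "sample 2: not ready"
```

On the Mac itself the same check would be `systemextensionsctl list | vpn_ext_ready com.fortinet.`.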

KinPete

@marcinUPP Yeah, I have seen the same thing. Meaning I have only seen “fctservctl” “fctservctl2” and “FortiClient” in the privacy, full disk access list. The document I referenced is certainly... confusing!

As I mentioned, it says "if you are using the VPN only client you only need to allow “fctservctl2” and “FortiClient”", then promptly implies that you need to manually add the other items.

I have not had a chance to try manually adding the other items, to see if that fixes it. I should say that my customer(s) were previously using 6.0.xxx version, so it's possible the "fctservctl" is left over from a previous install.

I was bouncing back between a number of VPN clients, so it's possible something was left over. I certainly have not seen the "fmon2" item, and it's possible that the "other items that need full disk access" are for some other version of the VPN client, though as I have experienced, the paid version works with no issue, so I think all of those items mentioned in the document are possibly required for the 7.0.xx VPN only client to function correctly.

I will certainly update this thread if I manage to figure out how to get the VPN only client to work on Monterey and/or on a system running an M1 chip.

Hopefully the Community will be able to pool our knowledge and resources to come up with a viable fix.
