Support Forum
muhammadsaad
Contributor

EMS Restriction Implementation

Hi,

We have integrated FortiGate with FortiClient EMS; the remote access profiles and EMS tags are pushed to FortiClient successfully.


We are having a scenario.

In FortiClient, after connecting to the EMS through its IP, if the profile has not been pushed and we manually enter the SSL VPN remote gateway and send a connection request, it gets connected.

We want to restrict this so that the VPN only connects once its profile has been pushed from EMS; if we connect the SSL VPN manually, it should be restricted.


We have also implemented a scenario where the VPN only connects once EMS is connected, but now we have the other challenging scenario mentioned above.


I request the seniors to please help out on this.


Thanks

1 Solution
muhammadsaad
Contributor

Team,

The issue has been resolved. Please find the summary below:

  1. When FortiClient connects to the EMS, it automatically receives the default policy. If any profiles are associated with these default policies, they will also be applied, overwriting any manually configured policies. Required tags will be pushed as well. Endpoints that meet the tag requirements will be able to connect successfully.

  2. Once this is in place, we can enforce the restriction that endpoints must be connected to the EMS for services to function properly.

dunalfu2
New Contributor

When you use the Fabric connector for EMS, it feeds a dynamic address group for your registered/connected clients. Keep in mind that you need to open up your EMS VIP so the client can send telemetry before it gets into this address group.

AEK
SuperUser

Hi Muhammad

You can do that by disabling the "Allow Personal VPN" in the profile. Once it is pushed then the user will not be able to create a personal VPN config anymore.

[Screenshot: vpn_01.png]

 

Another method I usually adopt is to use tags at the firewall level in the VPN-related policy, so any non-compliant host that manages to connect will not be able to access any resource.

AEK
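One way to implement the firewall-level tag check AEK describes, as an added example that is not part of the original thread. It is FortiOS CLI and assumes: FortiOS 7.x, the EMS Fabric connector is entry 1 under `endpoint-control fctems`, a Zero Trust tag named "Corp-Device" already exists in EMS (the thread does not name its tags), SSL VPN terminates on `ssl.root`, and the VPN user group is "SSLVPN-Users". The interface, address-object and hostname values are placeholders.

```text
# Added example, not configuration from the thread. Assumptions: FortiOS 7.x,
# EMS connector is entry 1, a Zero Trust tag "Corp-Device" exists in EMS,
# SSL VPN on ssl.root, user group "SSLVPN-Users". Replace names with your own.

# 1. Make sure the connector pulls tags from EMS. Each pulled tag becomes a
#    dynamic firewall address that FortiOS fills with the IPs of the endpoints
#    currently matching that tag.
config endpoint-control fctems
    edit 1
        set name "EMS"
        set server "ems.example.com"      # assumed hostname
        set status enable
        set pull-tags enable
    next
end

# 2. Confirm the auto-created dynamic address and which endpoint IPs it holds.
#    The object name is derived from the connector index and the tag name, so
#    verify the exact name here before referencing it in a policy.
show firewall address
diagnose firewall dynamic list

# 3. Use the tag address as the ONLY source address of the SSL VPN policy.
#    Policy source matching is OR across listed addresses, so do not add the
#    tunnel pool next to the tag or the tag becomes optional. A user who typed
#    the gateway in manually still gets a tunnel IP, but that IP is not in the
#    tag address, so the tunnel matches no policy and reaches nothing.
config firewall policy
    edit 10
        set name "SSLVPN-Corp-Only"
        set srcintf "ssl.root"
        set dstintf "port1"               # assumed internal interface
        set srcaddr "EMS1_ZTNA_Corp-Device"
        set dstaddr "Internal-LAN"        # assumed address object
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"
        set logtraffic all
    next
end

# 4. See what EMS actually reported for a client before blaming the policy.
diagnose endpoint record list
```

Two practitioner caveats. First, as dunalfu2 notes above, the endpoint has to reach EMS and send telemetry before its IP appears in the dynamic address; if `diagnose firewall dynamic list` does not show the client's tunnel IP, the tag is not being applied to that endpoint and the policy will (correctly) deny it. Second, this only enforces whatever the tag rule in EMS expresses: a rule keyed on the logged-in user's domain will match any machine where a corporate account signs in, so a tag that is meant to mean "company device" should key on a device-bound attribute that a vendor laptop cannot present.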
muhammadsaad

Hi,


Thanks for the reply. How will this scenario be implemented, since before the profile is pushed from EMS the user gets connected when we connect to the EMS and configure the VPN manually?

The scenario you are referring to is after the profile has been pushed from EMS to FortiClient.

Please confirm: if we disable "Allow Personal VPN" in the profile, what will happen?
(Will the manually created VPNs be automatically removed, or something else?)

AEK
SuperUser

When you create the installer, you can push the VPN profile that denies configuring a personal VPN. This way the user can't create any VPN from the moment he installs FortiClient, even before it connects to EMS.

[Screenshot: fct_installer.png]


Please confirm: if we disable "Allow Personal VPN" in the profile, what will happen?

-> I didn't test it, but I guess once the profile is pushed the user will not see his personal VPN config anymore (you can double-check by testing).

AEK
muhammadsaad

Alright, thanks for the help and support. Right now we are using EMS version 7.4.1 and there is an installer creation error in this version.
I will cross-check that again.

By the way, any other workarounds?

muhammadsaad

@AEK ,

By applying the above two suggestions, the issue will still be pending, because what we want is that only company laptops are able to log in.


In the current scenario we have integrated Azure IdP for MFA authentication. If there is any vendor laptop, it also gets connected through the company-provided Azure IdP credentials, because the users are authenticated via Azure IdP and their UPN contains that domain, which causes the tag to match even though the machine itself is not domain-joined. This behavior is expected, since FortiClient interprets the logged-in user's domain.


What's happening right now is that on any laptop other than the company-provided ones, if we download FortiClient, connect to the EMS and manually configure the SSL VPN, we are able to connect, whereas we want to restrict this to company-provided laptops only.

AEK

How can the external laptops register to EMS? Are you using bulk invitation?

You should register only company laptops (integrate EMS with your Azure AD server), or use single invitation with AD user authentication, for example, or manual registration only.

AEK
muhammadsaad

We have a scenario where vendors have their own laptops and work by connecting through remote VPNs, and we have created a separate user in Azure AD for them to connect and access the company's resources.

And since the EMS is reachable via a public IP, it is our Security Department's compliance concern that if someone knows the EMS IP and the remote gateway of the VPN, they will be able to connect simply by downloading FortiClient on any device.

I hope you got the point now.

muhammadsaad

Hello,

Can anyone guide/help on this?

Thanks
