FortiClient and EMS - Client not switching web filter back on when going offline or offnet

All,

Having a devil of a time figuring this one out. While the FortiClient (usually) can tell when it's online/offline or on-net/off-net, it is not reliably turning the web filter back on.

For example:

When the client is offline or off-net, the client web filter should be on. When the client is on-net, the Fortigate should handle the filtering, which it does by indicating the web filter is disabled and the PC is protected by the FortiGate. The problem occurs when going off-net or offline. What happens is the web filter remains disabled thus leaving the PC unprotected. This happens most of the time, but not always. I have a case open with support, but I'm not getting anywhere.

I'm using the 5.4 client with EMS 1.0. The client knows if it's on-net using the DHCP option that sends the client the FortiGate SN or in the case of a VPN connection, the subnet. It usually knows when it's online when it can ping the EMS, but not always. Sometimes a re-register is required to set it online.

My questions are around what controls the switching of the client's on/off web filter state? Does the client communicate with the EMS server, or does the EMS server communicate with the client. I.E., any client firewall ports required?

Does the EMS need to always be visible to the client? My EMS in not curently visible from the Internet. Only from the LAN or VPN.

I'm having difficulty in finding a pattern that indicates how this works and what it is exactly that triggers the web filter state.

Thanks,

Craig