Hi Team,
So I have a case with TAC that has been hitting the wall for the last 2 weeks. I have a client with 800 users, FortiGate and FortiEMS.
The main reason that he purchased FortiEMS is to have the users always connected and to be able to control which user can disconnect or not.
The problem is that even though everything looks just fine and has the proper configuration from all the possible documentation, the auto-connect is not working! Not to speak about "user
EMS:
<options>
<allow_personal_vpns>0</allow_personal_vpns>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<keep_running_max_tries>0</keep_running_max_tries>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<disable_connect_disconnect>1</disable_connect_disconnect>
<secure_remote_access>1</secure_remote_access>
<show_vpn_before_logon>0</show_vpn_before_logon>
<show_negotiation_wnd>1</show_negotiation_wnd>
<on_os_start_connect/>
<autoconnect_on_install>1</autoconnect_on_install>
<suppress_vpn_notification>0</suppress_vpn_notification>
<use_windows_credentials>1</use_windows_credentials>
<minimize_window_on_connect>0</minimize_window_on_connect>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<after_logon_saml_auth>0</after_logon_saml_auth>
<current_connection_name>vpn.gw</current_connection_name>
<current_connection_type>ipsec</current_connection_type>
<autoconnect_tunnel>vpn.gw</autoconnect_tunnel>
FortiGate:
config vpn ipsec phase1-interface
edit "VPN"
set xauthtype auto
set save-password enable
set client-auto-negotiate enable
set dpd-retryinterval 60
next
Nothing works!
The client is pushed with SCCM; after installation it connects to EMS, the policy is fetched, the Remote Access tab appears, but the user has to enter username and password :) After that, if the network card is disconnected and EMS goes down, upon restoration EMS connects back and fetches the policy, but again Remote Access requires a password to connect.
To be honest I'm out of any ideas. Any help will be really appreciated.
Hi @melkool ,
Can you please make the following change,
under the XML config for the SSL VPN tunnel, try to find a tag called <keep_running> and change the value from 0 to 1.
Let us know if that fixes the issue for you.
Thank you.
Hi Maulish
Client is using IPSec VPN as you can see in config vpn ipsec phase1-interface :)
The feature you need is "Always up" or "Keep alive". As per documentation:
If you are using SAML for authentication, this is achieved by "Persistent cookies" from idP.
FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the IdP, discussed as follows:
If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.
The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.
Please refer to the following docs for configuration guidance.
Hi, after many tests I used this configuration to start an IPSEC VPN at PC startup without user interaction. See if it is your case:
Hi FortiMax_it.
As the "XML" is not documented, I have no idea if <machine> and <keep_running> are usable in 7.4.0. Also, the <on_os_start> syntax is completely missing from my 7.4.0 XML. Not sure if this was used in earlier versions, but to be honest I am kind of afraid to test it and FUBAR ~540 users if something goes wrong.
I'll clone the profile and have a try on my VM.
Thanks for the info, it's the best information until now :) even after 3h with TAC.
FortiClient EMS XML reference guide is available at https://docs.fortinet.com/document/forticlient/7.4.1/xml-reference-guide/387580/introduction
Created on 11-18-2024 10:57 PM Edited on 11-18-2024 10:59 PM By Jean-Philippe_P
Thanks for the info. I've managed to make it work (somehow).
Right now I have another issue. I was instructed by TAC to disable "on/off fabric" profiles in order to, quote, "not disturb the EMS client".
So before I was using OnFabric with profile X and Off-Fabric with a default profile just for the "Remote Access" tab to be inactive.
Right now I have the same profile for both On- and Off-Fabric, and I have set <connect_only_when_offnet>1. Detection works! But the client connects to the VPN as if it has "always on", connect on start, etc.
Am I asking too much from this platform? I mean, it's something very simple that worked in the past with another vendor:
- 800 users
- 2 policies (no permission to disable VPN; permission to disable VPN)
- always on / permanent VPN when not in network (100% full route back to gateway)
- When "On-Fabric" detection by the public IP (which works great) do not connect. Or if "connected" terminate the connection.
I mean I can block it from the firewall but since this a EMS there should be something there that I couldn't find.
So to be honest my idea is to switch back to the On-Fabric profile, but then I will have issues when Off-Fabric, as the client will try 3 times to connect and then stop (at least this is what TAC told me).
You can have multiple tunnels in a Remote Access profile.
- Each tunnel has a separate "<keep_running>" tag.
- The Remote Access profile has just one "<autoconnect_tunnel>" tag.
- The Remote Access profile has just one "<autoconnect_only_when_offnet>" tag.
Autoconnect does NOT mean and does NOT do "auto reconnecting if disconnected". Resuming a broken/disconnected connection is done by <keep_running> (a.k.a Always Up): Enabling VPN always up | FortiClient 7.4.1 | Fortinet Document Library
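The post above draws the line between <autoconnect_tunnel> (dial once at install/logon) and the per-tunnel <keep_running> (re-dial after a drop), plus the single <autoconnect_only_when_offnet> flag. The following is an added example, not code from the thread or from Fortinet: a small lint that parses an EMS VPN profile XML, reports tunnels that have autoconnect but no keep_running, an autoconnect tunnel whose name matches no <connection>, and on-net autoconnect left enabled, then emits a hardened copy. The element layout (<vpn><options>, <vpn><ipsecvpn>/<sslvpn><connections><connection><name>/<keep_running>) is assumed from the snippets in the thread and should be checked against a profile exported from your own EMS; the sample profile is constructed.

```python
"""Lint a FortiClient EMS VPN profile for autoconnect vs keep_running.

Added example, not Fortinet code.  The element paths below are assumed
from the tags quoted in the thread; verify them against an exported profile.
"""
import xml.etree.ElementTree as ET

# Constructed sample: autoconnect points at vpn.gw, which has keep_running=0,
# and autoconnect is still allowed while on-net.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <options>
      <autoconnect_tunnel>vpn.gw</autoconnect_tunnel>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <disable_connect_disconnect>1</disable_connect_disconnect>
    </options>
    <ipsecvpn>
      <connections>
        <connection>
          <name>vpn.gw</name>
          <keep_running>0</keep_running>
        </connection>
        <connection>
          <name>vpn.backup</name>
          <keep_running>1</keep_running>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def _text(el, path, default=""):
    """Text of a child element, or default when the parent/child is absent."""
    found = el.find(path) if el is not None else None
    return (found.text or "").strip() if found is not None else default


def _connections(vpn):
    """Yield (section, name, element) for every tunnel under ipsecvpn/sslvpn."""
    for section in ("ipsecvpn", "sslvpn"):
        for conn in vpn.findall(f"./{section}/connections/connection"):
            yield section, _text(conn, "name"), conn


def lint_vpn_profile(xml_text):
    """Return a list of (code, subject, message) findings; empty means clean."""
    findings = []
    vpn = ET.fromstring(xml_text).find("./vpn")
    if vpn is None:
        return [("NO_VPN_SECTION", "", "profile has no <vpn> element")]
    opts = vpn.find("./options")
    tunnels = list(_connections(vpn))
    names = {name for _, name, _ in tunnels}

    # One autoconnect target for the whole profile; it must name a real tunnel.
    target = _text(opts, "autoconnect_tunnel")
    if not target:
        findings.append(("NO_AUTOCONNECT_TUNNEL", "",
                         "<autoconnect_tunnel> is empty: nothing is dialled at install/logon"))
    elif target not in names:
        findings.append(("AUTOCONNECT_TUNNEL_UNDEFINED", target,
                         f"<autoconnect_tunnel> names '{target}' but no <connection> has that <name>"))

    # keep_running is per tunnel; autoconnect alone does not re-dial after a drop.
    for section, name, conn in tunnels:
        if _text(conn, "keep_running", "0") != "1":
            findings.append(("KEEP_RUNNING_OFF", name,
                             f"{section} tunnel '{name}': set <keep_running>1</keep_running> for always-up"))

    # Single profile-wide flag; 0 means the tunnel also comes up while on-fabric.
    if _text(opts, "autoconnect_only_when_offnet", "0") != "1":
        findings.append(("ONNET_AUTOCONNECT", "",
                         "<autoconnect_only_when_offnet> is 0: tunnel is also brought up on-net"))
    return findings


def harden_vpn_profile(xml_text):
    """Return the profile with keep_running=1 on every tunnel and off-net-only autoconnect."""
    root = ET.fromstring(xml_text)
    vpn = root.find("./vpn")
    if vpn is None:
        return xml_text
    for _, _, conn in _connections(vpn):
        kr = conn.find("keep_running")
        if kr is None:
            kr = ET.SubElement(conn, "keep_running")
        kr.text = "1"
    opts = vpn.find("./options")
    if opts is None:
        opts = ET.SubElement(vpn, "options")
    off = opts.find("autoconnect_only_when_offnet")
    if off is None:
        off = ET.SubElement(opts, "autoconnect_only_when_offnet")
    off.text = "1"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for code, subject, msg in lint_vpn_profile(SAMPLE_PROFILE):
        print(f"{code:28} {subject:12} {msg}")
    print(harden_vpn_profile(SAMPLE_PROFILE))
```

Run it against a profile exported from EMS before cloning it to a test group; on the sample it flags vpn.gw (keep_running off) and the on-net autoconnect, and the hardened copy lints clean.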
Thanks but it does not answer my question / problem.
Right now I have almost all users in their office, so "Online - On-net" and connected to VPN. Unnecessary load for the gateway. If they go Off-Net everything is fine, but why the f word are they connecting from inside when the "autoconnect only when offnet" is there and the condition is met? Confirmed by the FortiEMS GUI: it met the condition by WAN IP detection.
Copyright 2025 Fortinet, Inc. All Rights Reserved.