mmjo
New Contributor II

Forticlient EMS

Hi.

 

Got some questions about FortiClient EMS.

We are using Windows Always On VPN right now (not my choice) and would like FortiClient because of the VPN and ZTNA thing.

So can the FortiClient VPN in IPsec mode use the computer certificate before login, so the user can reset their password (with policies only allowing the things needed for that), and when the user logs in, use the user certificate to get more access? Maybe with the ZTNA tags? Like EAP-TEAP, where you have the outer and inner method.

If yes, does the client reset the first IPsec tunnel or make another one for the "inner" method?

If it's possible, then I'll probably make the same setup from the outside and inside, so we are full ZTNA.

I'm about to do a PoC so I can test it. I've done a lot of traditional SSL VPN remote access on FortiGates, but would like the advanced mode this time and IPsec rather than SSL.

We have about 2200 clients and a 900G, so the FGT can handle 50k IPsec tunnels.

Morten

AEK
SuperUser

msolanki

Hi Morten,

 

For ZTNA or full ZTNA you can use the access proxy or TCP forwarding proxy, which also use certificate-based authentication, where you might not even be required to connect via IPsec, and enable the tagging.

 

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/855420/zero-trust-network-ac...

BrettLee
New Contributor


@atfbooru wrote:

Hi.

 

Got some questions about FortiClient EMS.

We are using Windows Always On VPN right now (not my choice) and would like FortiClient because of the VPN and ZTNA thing.

So can the FortiClient VPN in IPsec mode use the computer certificate before login, so the user can reset their password (with policies only allowing the things needed for that), and when the user logs in, use the user certificate to get more access? Maybe with the ZTNA tags? Like EAP-TEAP, where you have the outer and inner method.

If yes, does the client reset the first IPsec tunnel or make another one for the "inner" method?

If it's possible, then I'll probably make the same setup from the outside and inside, so we are full ZTNA.

I'm about to do a PoC so I can test it. I've done a lot of traditional SSL VPN remote access on FortiGates, but would like the advanced mode this time and IPsec rather than SSL.

We have about 2200 clients and a 900G, so the FGT can handle 50k IPsec tunnels.

Morten


Yes, FortiClient in IPsec mode can use a computer certificate for pre-login access, allowing password resets. Upon user login, it can switch to a user certificate for enhanced access, potentially utilizing ZTNA tags. The client may establish a new tunnel for this purpose. Testing this setup in your POC is a great idea!
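The FortiGate side of the two-tunnel design discussed in this thread, as an added example that is not from the thread or from Fortinet's documentation: a dial-up IKEv2 phase1 that trusts only the machine certificate and is tied to a policy reaching just the password-reset hosts, and a second phase1 for the user certificate whose policy is additionally gated on an EMS ZTNA tag. Interface, certificate, peer, address-group, service-group and tag names are placeholders, and the use of ztna-ems-tag inside a firewall policy is assumed from FortiOS 7.x and should be checked against the target release.

```fortios
# Two dial-up IKEv2 tunnels on the same WAN interface. They differ only in the
# peer object they trust: "peer-machine-cert" and "peer-user-cert" are
# "config user peer" entries (not shown) pinning the CA and a subject filter.
config vpn ipsec phase1-interface
    edit "vpn-prelogon"
        # pre-logon tunnel: only the machine certificate can authenticate
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peer
        set peer "peer-machine-cert"
        set authmethod signature
        set certificate "fgt-vpn-server"
    next
    edit "vpn-user"
        # post-logon tunnel: only the user certificate can authenticate
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peer
        set peer "peer-user-cert"
        set authmethod signature
        set certificate "fgt-vpn-server"
    next
end
# Policy 101: pre-logon tunnel reaches only the password-reset hosts/services.
# Policy 102: user tunnel gets wider access, and only from EMS-tagged endpoints.
config firewall policy
    edit 101
        set srcintf "vpn-prelogon"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "grp-password-reset"
        set action accept
        set schedule "always"
        set service "svc-password-reset"
    next
    edit 102
        set srcintf "vpn-user"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "grp-internal-apps"
        set action accept
        set schedule "always"
        set service "ALL"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
    next
end
```

Phase2 selectors, client address assignment (mode-cfg) and the EMS profile that brings up vpn-prelogon before Windows logon are left out; the two peer objects are where a subject filter such as OU=Computers versus OU=Users keeps a user certificate from ever authenticating the pre-logon tunnel and vice versa.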
