I don' t know how much this would be officially supported if you were to open a ticket on it in case of trouble, but...
Here is the paragraph from the FortiClient Admin Guide for FCT 5.2 detailing the on-net/off-net determination:
VPN auto-connect based on DHCP off-net determination
VPN auto-connect ensures that FortiClient creates a VPN connection to the FortiGate when considered to be off-net. A site administrator, who has configured Endpoint Control on their FortiGate, may choose to enable VPN auto-connect in the Endpoint Control profile.
Computer endpoints or clients in the network should use the designated DHCP server for IP address assignments. The DHCP server sends a special tag within the protocol to identify if the client is on-net or off-net. The on-net status indicates that the endpoint is within the corporate network protected by the FortiGate.
When the client is off-net, FortiClient will automatically attempt to establish a VPN connection to the VPN server indicated in the FortiGate Endpoint Control configuration. When the client is on-net, no VPN connection is required.
What I take away from this is that you could sniff the content of the tag, and if it is reproducible (i.e., a known, unchanging or predictable token), you could add it as a VCI parameter or DCHP option on another server.
The check seems to be a client-side check, based on the obtained lease containing this token.
Regards,
Chris McMullan
Fortinet Ottawa