Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
stlblufan
New Contributor

On-Net / Off-Net

I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
1 Solution
rwdorman
New Contributor III

Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate, and on-net/off-net works as I wanted it to. In defense of TAC: this is not a published, documented or supported method of making this work, so YMMV.

-rd 2x 200D Clusters 1x 100D

1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D

jodros

Ok so all you need to do is have a scope on your 2008R2 server with the option 224 hex value for when the client is on the LAN.  Then you need to create a scope, if you have not already, on the fortigate for the remote VPN users.  The option for FortiClient on-net status needs to be checked as you pointed out.  There shouldn't be any issues with multiple DHCP sources.  We have our 2008R2 DHCP sending out the option for LAN users.  We also have our Juniper SA appliances sending out the option for remote users, as the Juniper SA appliances handle DHCP for remote.

Let me know if this helps.

Thanks

nothingel
New Contributor III

terry_jjr wrote:

So I configured a predefined option on our 2008R2 DHCP server IPv4 as follows: name - forticlient status, data type - String, code - 224, no description.  Clicked OK and then added the HEX string, which I got by converting the serial number to HEX here http://www.asciitohex.com/  I then configured the new DHCP option on the single scope and I am testing now.

I did not need to convert to hex when using 2008 R2 DHCP.  I took the Fortigate serial as-is and entered it directly into option 224 (string data type).  Using Wireshark, I was able to see option 224 returned as hex in response to DHCP INFORM packets from the clients.
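To make the string-versus-hex point above concrete, here is an added example (written for this page, not code from the thread, from Fortinet or from Microsoft) that builds the options field of a DHCPACK carrying option 224 and parses it back the way a client would. The serial `FGT60C0000000000` is a constructed placeholder, and the assumption, taken from what this thread reports, is that the client treats itself as on-net when the option 224 value equals the serial of the FortiGate it registered to. The `wireshark_view` helper shows why a String option entered as-is already appears as hex in a capture, and the second check shows what goes wrong if the hex text is pasted into the String option instead.

```python
"""Added example: DHCP option 224 carrying a FortiGate serial (constructed data)."""
from typing import Dict, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options start with this cookie
OPT_MESSAGE_TYPE = 53
OPT_FORTICLIENT_ONNET = 224               # site-specific option range (224-254)
OPT_PAD = 0
OPT_END = 255
DHCPACK = b"\x05"


def encode_option(code: int, value: bytes) -> bytes:
    """TLV-encode one option: code, length, value (length must fit one byte)."""
    if not 0 < len(value) < 256:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def build_ack_options(serial: str, extra: Optional[Dict[int, bytes]] = None) -> bytes:
    """Options field of a server DHCPACK (e.g. the reply to a DHCPINFORM).

    The serial is sent as its ASCII bytes. A String-type option on the DHCP
    server does exactly this, so no manual hex conversion is needed.
    """
    opts = DHCP_MAGIC_COOKIE + encode_option(OPT_MESSAGE_TYPE, DHCPACK)
    for code, value in (extra or {}).items():
        opts += encode_option(code, value)
    opts += encode_option(OPT_FORTICLIENT_ONNET, serial.encode("ascii"))
    return opts + bytes([OPT_END])


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Walk the TLV list after the magic cookie; stops at END, skips PAD."""
    if data[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out: Dict[int, bytes] = {}
    i = 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out


def onnet_serial(options: Dict[int, bytes]) -> Optional[str]:
    """Decode option 224 as text, or None when the server did not send it."""
    raw = options.get(OPT_FORTICLIENT_ONNET)
    return raw.decode("ascii", errors="replace") if raw else None


def is_on_net(options: Dict[int, bytes], registered_serial: str) -> bool:
    """Assumed client rule (per this thread): on-net iff option 224 matches."""
    return onnet_serial(options) == registered_serial


def wireshark_view(value: bytes) -> str:
    """Hex rendering of the raw option bytes, as a packet capture shows them."""
    return value.hex()


if __name__ == "__main__":
    serial = "FGT60C0000000000"                      # constructed placeholder
    good = parse_options(build_ack_options(serial))
    print("on the wire:", wireshark_view(good[OPT_FORTICLIENT_ONNET]))
    print("on-net:", is_on_net(good, serial))
    # Pasting the hex text into a String option sends the ASCII of the hex digits.
    doubled = parse_options(build_ack_options(serial.encode("ascii").hex()))
    print("on-net after double encoding:", is_on_net(doubled, serial))
```

The first check prints the serial as hex (`464754363043` followed by ten `30` bytes) and reports on-net; the double-encoded variant does not match, which is the symptom to look for when a scope was populated with the converted hex string rather than the serial itself.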

terry_jjr
New Contributor

I just did some Wireshark sniffing on the DHCP client on the internal network and I couldn't see option 224 coming from the DHCP server.  I am wondering if my settings are correct.  I can see all the other standard options in the Wireshark file.  Do my settings look correct on the DHCP server?

terry_jjr
New Contributor

The on-net/off-net status option is not available in the VPN configuration.  I am only able to specify the range the fortigate will give the clients and nothing more :(

It appears that there is a growing demand for a feature to support 3rd party DHCP based on customer feedback.

The more people that ask for this, the faster it will be delivered.

jodros

I see.  I have not dealt with the SSLVPN configuration on the fortigate, as we utilize Juniper.  Is it causing any issues having the FortiClient think that it is off-net when you are connected over SSLVPN?

Jeroen
Contributor

We've tried the option 224 in a Windows 2008 environment, with Windows 7 clients. This seems to work perfectly. But the Apple users with FortiClient don't show up on-net when they are in the same segment as the other Windows 7 clients.

PACIT
New Contributor

I am new to Forti-ALL. We have just purchased a 100E FortiGate V5.4.  I want to employ FortiClient across our campus but must see it in action working as needed before I can buck the 3rd party support that sold us the FortiGate, as they are pushing something else. My background, 6 years removed, was Novell, but I'm working this MS Server 2008 environment now that provides DHCP from the server.  I see 5.4 requires DHCP running on the FortiGate to provide "On-Net / Off-Net" recognition.  I NEED to make sure laptops going off campus cannot disable FortiClient. Can the FortiGate DHCP service run parallel to the Microsoft AD-DHCP in a limited fashion just for remote clients?
