I am running 5.2 on a 60C, with FortiClient 5.2.1 on all clients, all of which are "on-net". However, on the 60C, all of the clients show up as "off-net". Is there something that I need to do in order to make them register properly?
Quick update - After getting the suggestion earlier in this thread I set up Option 224 in my DHCP server (Windows 2012 server) to send a single-valued string attribute with the serial number of the registered FortiGate, and on-net/off-net works as I wanted it to.
In defense of TAC: this is not a published, documented or supported method of making this work so YMMV.
Ok so all you need to do is have a scope on your 2008R2 server with the option 224 hex value for when the client is on the LAN. Then you need to create a scope, if you have not already, on the FortiGate for the remote VPN users. The option for FortiClient on-net status needs to be checked, as you pointed out. There shouldn't be any issues with multiple DHCP sources. We have our 2008R2 DHCP sending out the option for LAN users. We also have our Juniper SA appliances sending out the option for remote users, as the Juniper SA appliances handle DHCP for remote.
So I configured a predefined option on our 2008R2 DHCP server IPv4 as follows: name - forticlient status, data type - String, code - 224, no description. Clicked OK and then added the HEX string, which I got by converting the serial number to HEX here http://www.asciitohex.com/ I then configured the new DHCP option on the single scope and I am testing now.
I did not need to convert to hex when using 2008 R2 DHCP. I took the Fortigate serial as-is and entered it directly into option 224 (string data type). Using Wireshark, I was able to see option 224 returned as hex in response to DHCP INFORM packets from the clients.
I just did some Wireshark sniffing on the DHCP client on the internal network and I couldn't see option 224 coming from the DHCP server. I am wondering if my settings are correct. I can see all the other standard options in the Wireshark file. Do my settings look correct on the DHCP server?
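Added example (not from this thread and not Fortinet code): a small Python script that constructs a DHCPACK, the reply a DHCP server sends to a client's DHCP INFORM, and decodes option 224 from it. It shows why the serial can be entered as a plain String (the "hex" an ASCII-to-hex site produces is just the ASCII bytes that Wireshark displays) and returns None when the server did not include the option, which is the situation described in the post above. The serial number, MAC address and IP addresses are placeholders; the option number 224 is the one used in this thread.

```python
"""Encode and decode DHCP option 224 (FortiGate serial for FortiClient on-net detection).

Added illustration for the thread; not Fortinet's implementation. Serial, MAC
and addresses below are placeholders.
"""
import struct
from typing import Dict, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_FORTICLIENT_ONNET = 224   # site-local option number used in this thread
OPT_END = 255
DHCPACK = 5
FIXED_HEADER_LEN = 236        # op..file fields that precede the magic cookie


def tlv(code: int, value: bytes) -> bytes:
    """Encode one DHCP option as code, length, value."""
    if not 0 < len(value) < 256:
        raise ValueError("DHCP option payload must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def encode_option_224(serial: str) -> bytes:
    """Option 224 carrying the FortiGate serial. The 'hex string' from an
    ASCII-to-hex converter is exactly these bytes, so a String-typed option
    on Windows DHCP already sends the right thing without manual conversion."""
    return tlv(OPT_FORTICLIENT_ONNET, serial.encode("ascii"))


def build_dhcp_ack(serial: Optional[str]) -> bytes:
    """Constructed DHCPACK (reply to a DHCP INFORM). Pass serial=None to model
    a server that is not sending option 224. Addresses are RFC 5737 examples."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                  # op=BOOTREPLY, htype, hlen, hops
        0x12345678, 0, 0,                            # xid, secs, flags
        bytes(4), bytes(4), bytes(4), bytes(4),      # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("001122334455") + bytes(10),   # chaddr: placeholder MAC, padded
        bytes(64), bytes(128),                       # sname, file
    )
    options = DHCP_MAGIC_COOKIE
    options += tlv(OPT_MSG_TYPE, bytes([DHCPACK]))
    options += tlv(OPT_SERVER_ID, bytes([192, 0, 2, 1]))
    options += tlv(OPT_SUBNET_MASK, bytes([255, 255, 255, 0]))
    if serial is not None:
        options += encode_option_224(serial)
    options += bytes([OPT_END])
    return header + options


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the options field of a DHCP message into {code: value}. PAD is
    skipped, END stops parsing, split options are concatenated (RFC 3396),
    and a truncated option raises rather than yielding a partial value."""
    if len(packet) < FIXED_HEADER_LEN + 4:
        raise ValueError("packet shorter than a DHCP header")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def fortigate_serial_from_reply(packet: bytes) -> Optional[str]:
    """Serial carried in option 224, or None if the server did not send it.
    Non-ASCII content is reported instead of guessed, since it usually means
    the option was entered with the wrong data type on the server."""
    raw = parse_dhcp_options(packet).get(OPT_FORTICLIENT_ONNET)
    if raw is None:
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError(f"option 224 is not printable ASCII: {raw.hex()}") from exc


if __name__ == "__main__":
    serial = "FGT60C0000000000"                              # placeholder serial
    print(encode_option_224(serial).hex())                   # e0 10 + ASCII bytes
    print(fortigate_serial_from_reply(build_dhcp_ack(serial)))
    print(fortigate_serial_from_reply(build_dhcp_ack(None)))
```

To check a real capture, export the UDP payload of the server's reply from Wireshark and feed those bytes to fortigate_serial_from_reply(); a None result means the scope or server option is not actually being handed out to that client, and a decode error means the value was entered as something other than a plain string.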
I see. I have not dealt with the SSLVPN configuration on the fortigate, as we utilize Juniper. Is it causing any issues having the FortiClient think that it is off-net when you are connected over SSLVPN?
We've tried option 224 in a Windows 2008 environment with Windows 7 clients. This seems to work perfectly. But the Apple users with FortiClient don't show up on-net when they are in the same segment as the other Windows 7 clients.
I am new to Forti-ALL. We have just purchased a 100E FortiGate, v5.4. I want to employ FortiClient across our campus but must see it in action, working as needed, before I can buck the 3rd party support that sold us the FortiGate, as they are pushing something else. My background, 6 years removed, was Novell, but I'm now working in an MS Server 2008 environment that provides DHCP from the server. I see 5.4 requires DHCP running on the FortiGate to provide "On-Net / Off-Net" recognition. I NEED to make sure laptops going off campus cannot disable FortiClient. Can the FortiGate DHCP service run in parallel to the Microsoft AD-DHCP in a limited fashion just for remote clients?