-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Ok so all you need to do is have a scope on your 2008R2 server with the option 224 hex value for when the client is on the LAN. Then you need to create a scope, if you have not already, on the FortiGate for the remote VPN users. The option for FortiClient on-net status needs to be checked as you pointed out. There shouldn't be any issues with multiple DHCP sources. We have our 2008R2 DHCP sending out the option for LAN users. We also have our Juniper SA appliances sending out the option for remote users, as the Juniper SA appliances handle DHCP for remote.
Let me know if this helps.
Thanks
terry_jjr wrote: So I configured a predefined option on our 200R2 DHCP server IPv4 as follows: name - forticlient status, data type - String, code - 224, no description. Clicked OK and then added the HEX string, which I got by converting the serial number to HEX here http://www.asciitohex.com/ I then configured the new DHCP option on the single scope and I am testing now.
I did not need to convert to hex when using 2008 R2 DHCP. I took the Fortigate serial as-is and entered it directly into option 224 (string data type). Using Wireshark, I was able to see option 224 returned as hex in response to DHCP INFORM packets from the clients.
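The point in the reply above, that a string entered as-is and the "hex" seen in Wireshark are the same bytes, can be checked against captured DHCP options. This is an added example, not code from any poster or from Fortinet; the function names and the placeholder serial are assumptions, and the sample options are constructed.

```python
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
FORTICLIENT_OPTION = 224             # option code used in this thread
SAMPLE_SERIAL = "FGT-EXAMPLE-0001"   # constructed placeholder, not a real serial

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the code/length/value options that follow the magic cookie."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    found, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == 255:                  # End option
            break
        if code == 0:                    # Pad option, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        found[code] = found.get(code, b"") + value   # repeated codes concatenate
        i += 2 + length
    return found

def on_net_serial(options: bytes) -> Optional[str]:
    """Return option 224 decoded as text, or None if the server never sent it."""
    value = parse_dhcp_options(options).get(FORTICLIENT_OPTION)
    return None if value is None else value.decode("ascii", errors="replace")

def build_sample(serial: Optional[str]) -> bytes:
    """Constructed reply options: message type ACK, subnet mask, optional 224."""
    opts = MAGIC_COOKIE + bytes([53, 1, 5]) + bytes([1, 4, 255, 255, 255, 0])
    if serial is not None:
        raw = serial.encode("ascii")
        opts += bytes([FORTICLIENT_OPTION, len(raw)]) + raw
    return opts + b"\xff"

if __name__ == "__main__":
    for label, serial in (("option set", SAMPLE_SERIAL), ("option missing", None)):
        opts = build_sample(serial)
        wire_hex = parse_dhcp_options(opts).get(FORTICLIENT_OPTION, b"").hex()
        print(label, "| hex on wire:", wire_hex or "absent", "| text:", on_net_serial(opts))
```

A `None` result corresponds to a capture in which the server did not return option 224 at all, which points at the scope or option definition rather than at the value's encoding.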
I just did some Wireshark sniffing on the DHCP client on the internal network and I couldn't see option 224 coming from the DHCP server. I am wondering if my settings are correct. I can see all the other standard options in the Wireshark file. Do my settings look correct on the DHCP server?
The on-net/off-net status option is not available in the VPN configuration. I am only able to specify the range the fortigate will give the clients and nothing more :(
It appears that there is a growing demand for a feature to support 3rd party DHCP based on customer feedback.
The more people that ask for this, the faster it will be delivered.
I see. I have not dealt with the SSLVPN configuration on the fortigate, as we utilize Juniper. Is it causing any issues having the FortiClient think that it is off-net when you are connected over SSLVPN?
We've tried the option 224 in a Windows 2008 environment with Windows 7 clients. This seems to work perfectly. But the Apple users with FortiClient don't show up on-net when they are in the same segment as the other Windows 7 clients.
I am new to Forti-ALL. We have just purchased a 100e Fortigate V5.4. I want to employ FortiClient across our campus but must see it in action working as needed before I can buck the 3rd party support that sold us the Fortigate, as they are pushing something else. My background 6 years removed was Novell but I'm working this MS Server 2008 environment now that provides DHCP from the server. I see 5.4 requires DHCP running on the Fortigate to provide "On-Net / Off-Net" recognition. I NEED to make sure laptops going off campus can not disable FortiClient. Can the Fortigate DHCP service run parallel to the Microsoft AD-DHCP in a limited fashion just for remote clients?
Copyright 2024 Fortinet, Inc. All Rights Reserved.