FortiClient
rsingla
Staff

Description

FortiClient installed on Windows Server (Windows Server 2008, 2012, 2016 and other older or newer versions) cannot connect to SSL VPN if a host check is enabled in the SSL VPN portal, as in the portal configuration shown below:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set host-check av-fw <--- host check requires an antivirus and a firewall product
        set save-password enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

Scope
FortiClient installed on Windows Server (Windows Server 2008, 2012, 2016 and other older or newer versions) cannot connect to SSL VPN if the host-check option is enabled under "config vpn ssl web portal".
 
The connection attempt stops at around 45% and fails with an error.

A Warning is issued to the client:
'Your PC does not meet the host checking requirements set by the firewall. Please check that your OS version or antivirus and firewall applications are installed and running properly or you have the right network interface.  (-455)'
 
Host_Integrity_Check_Error.jpg
This is because FortiClient SSL VPN queries the WMI namespace root\SecurityCenter2 (or the equivalent Win32 API function WscGetSecurityProviderHealth()) to read the health status of the installed antivirus product.

Windows Security Center is the only reliable way to query Windows for the state of third-party AV/FW products.

Neither that namespace nor that API exists on the Windows Server platform; they are available only on client editions of Windows such as Windows 7 and Windows 10.

That is why the host check fails when host-check is enabled and FortiClient on Windows Server tries to connect to the SSL VPN.


Solution

If a host check is mandatory in the customer environment, connect from a client edition of Windows such as Windows 7 or Windows 10 rather than from Windows Server.
 
To verify whether a Windows installation has the WMI namespace root\SecurityCenter2, and therefore whether it can support the FortiClient host check, open the Run prompt (Windows key + R) and type wbemtest.exe.
guid1.jpg
 
The Windows Management Instrumentation Tester window appears.
Click 'Connect', enter root\SecurityCenter2 as the namespace and click 'Connect' again.

If the error "Invalid namespace" appears, this Windows Server/OS does not provide the namespace required to detect the installed AV, so it cannot satisfy the FortiClient host check.
guid3.jpg
If no error appears, click 'Enum Classes' and then 'OK'.
guid4.jpg
Double-click 'AntiVirusProduct'.
If 'AntiVirusProduct' is not listed, the Windows OS likewise cannot report the installed AV and cannot satisfy the FortiClient host check.
 
guid5.jpg
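The wbemtest.exe steps above can also be scripted. The PowerShell below is an added example written for this article, not code from Fortinet or from FortiClient. It runs the same namespace query, enumerates the AntiVirusProduct and FirewallProduct classes that Security Center exposes, and reports whether the host is a Windows Server edition (via Win32_OperatingSystem.ProductType). The function names, the shape of the output object and the decoding of the productState field are my own choices and assumptions, not something the article or Microsoft documents.

```powershell
# Added example, not code from the original article or from Fortinet: a PowerShell
# equivalent of the wbemtest.exe walkthrough. It reports whether the host is a server
# edition, whether root\SecurityCenter2 exists, and which AV/firewall products Security
# Center reports. Function names and the output object are my own choices.

function ConvertFrom-SecurityCenterProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    # Assumption: the widely used, but not officially documented, layout of the 24-bit
    # productState value. Bit 0x1000 set = real-time protection enabled;
    # bit 0x10 set = signatures out of date. Treat the result as a heuristic.
    [pscustomobject]@{
        Enabled  = (($ProductState -band 0x1000) -ne 0)
        UpToDate = (($ProductState -band 0x10) -eq 0)
        RawHex   = ('0x{0:X6}' -f $ProductState)
    }
}

function Test-SecurityCenterHostCheck {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $result = [ordered]@{
        OperatingSystem   = $os.Caption
        IsServerEdition   = ($os.ProductType -ne 1)
        NamespacePresent  = $false
        AntiVirusProducts = @()
        FirewallProducts  = @()
        HostCheckPossible = $false
    }

    try {
        # Same query wbemtest.exe runs when you connect to root\SecurityCenter2 and
        # enumerate classes; -ErrorAction Stop turns "Invalid namespace" into a catchable error.
        $av = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop)
        $fw = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName FirewallProduct -ErrorAction Stop)
    }
    catch {
        # This is the branch a Windows Server host lands in: the namespace does not exist,
        # so the FortiClient host check cannot be satisfied on this machine.
        Write-Warning "root\SecurityCenter2 is not available on this host: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $result.NamespacePresent  = $true
    $result.AntiVirusProducts = @($av | ForEach-Object {
        $state = ConvertFrom-SecurityCenterProductState -ProductState $_.productState
        [pscustomobject]@{
            Name     = $_.displayName
            Enabled  = $state.Enabled
            UpToDate = $state.UpToDate
            State    = $state.RawHex
        }
    })
    $result.FirewallProducts = @($fw | ForEach-Object {
        $state = ConvertFrom-SecurityCenterProductState -ProductState $_.productState
        [pscustomobject]@{ Name = $_.displayName; Enabled = $state.Enabled; State = $state.RawHex }
    })

    # 'set host-check av-fw' needs both an antivirus and a firewall product that Security
    # Center reports as enabled. Whether the FortiGate recognises that particular product
    # is a separate question (see the related articles on custom host check definitions).
    $result.HostCheckPossible = (@($result.AntiVirusProducts | Where-Object Enabled).Count -gt 0) -and
                                (@($result.FirewallProducts  | Where-Object Enabled).Count -gt 0)

    [pscustomobject]$result
}

# Usage: run on the endpoint before enabling host-check on the portal.
Test-SecurityCenterHostCheck | Format-List
```

On a Windows Server host the script takes the catch branch and prints the same "Invalid namespace" condition that wbemtest.exe shows, with HostCheckPossible left at False; on a client edition it lists the products Security Center knows about. The productState decoding is the commonly used bit layout rather than a documented contract, so use the Enabled/UpToDate columns as a hint and confirm in the Windows Security app if they look wrong.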

 

Related Articles

Technical Tip: Adding custom host check definitions for FortiGate SSL VPN host check feature

Technical Note: How to add non listed 3rd Party AntiVirus and Firewall product to the FortiGate SSL ...
