Forticlient 6.2 - Enable VPN before logon - Missing
I recently upgraded my Fortigate to Firmware 6.2. The first thing I noticed was that my older 6.0.4 Forticlient version would no longer connect using its IPSEC VPN profile. After a call with Fortinet support they concluded that only new Forticlient version 6.2 would work with FG 6.2 This indeed does seem to be the case.
This gets me to my current issue: The “Enable VPN before logon” option has been removed from 6.2. This setting is a major ‘bread and butter’ setting enabling remote users to do proper domain logins from remote and apply Group Polices etc. I raised this with Fortinet support who confirmed the feature had been removed:
I would like to mention that starting with FCT 6.2.0 many things has changed, Free Forticlient 6.2.0 comes up with basic and limited VPN functionality and if you want to use full functionality of 6.2.0, EMS licenses has to be procured. Please refer below FCT compatibility guide for your reference . https://fortinetweb.s3.am...bility-chart.pdf
and that was final and to get in contact with Fortinet Sales
Note: I use the free license for Forticlient just needing to use VPN functionality.
I have been desperately been trying to figure out alternatives such as:
L2TP Windows native – This works with enable before logon but has limitations as well as FG authentication issues meaning users don’t get authenticated to IPv4 polices – Ongoing ticket with Fortinet support
A 3rd Party VPN client connecting to FG via SSL VPN – I thought I could get OpenVPN client connecting but this doesn’t appear to work
I have now gone full circle and re-investigating the Forticlient. I noticed when backing up the config and opening with notepad++ there is an option <show_vpn_before_logon>. If I change this to “1” and then import the config, this doesn’t appear to take any effect on the Forticlient/Windows shell config.
It appears Fortinet have done everything in their power to make the free version useless.
Am I flogging a dead horse? I just can’t believe removing this Windows logon feature wouldn’t cause a major backlash from Forticlient customer base? If I have no alternative than to spend more money, what is the minimum product/license I need to purchase?
I discovered that the Before Logon problem appears at version 6.0.10 precisely.
If you install 6.0.9, it's still working.
But seriously Fortinet ... are you really removing this basic feature ? You will lose a lot of customer by doing that because we are clearly not gonna buy licenses only for this feature, we will focus on choosing a VPN Concentrator to resolve this instead of buying your FortiEMS licenses when we dont need that much.
Fortinet equipments are cheap and today we are starting to know why. Once they have a good portion of the market, now they are beginning to force us to pay license for basics functions.
Forticlient runs as a credential provider when you enable VPN before logon. We installed DUO security for MFA for administrator accounts and this disabled additional credential providers. I was able to whitelist the FortiClient credential provider with DUO in the registry and this restored the ability to logon to VPN before windows logon! If anyone else needs this info, here you go:
I have a weird issue with Login to VPN before Windows. About 1-2 months ago after some windows patches, we no longer see the "Sign-in Options" on the windows signin screen. I verified the version of Forticlient did not change, that enable VPN before login is enabled in Forticlient, and also tried the latest version with EMS. Still no go.
We are in a domain environment, so it is very important for us to be able to login to VPN and windows at the same time. Does anyone have any recommendations?
Here also the same. Version 6.0.10.0277 and 0297 worked fine, but for security and lots of disconnections in these versions I wanted to upgrade to a newer version like 7.0.7, but no option "vpn before logon". Only old versions has this option. After replacing the fortigate on 1-1-2022 we expect this should still work, unfortunately
it doesn't. If we had known this option is nog available we would have chosen a different brand.
Configure SSL VPN settings: Go to VPN > SSL-VPN Settings. For Listen on Interface(s), select wan1. Set Listen on Port to 10443. Optionally, set Restrict Access to Limit access to specific hosts, and specify the addresses of the hosts that are allowed to connect to this VPN. Choose a certificate for Server Certificate.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.