
Handbook

Registration over a VPN

6.0.0
Doc ID 4afb0436-a998-11e9-81a4-00505692583a:477286

Registration over a VPN

FortiGate units can register FortiClient-equipped endpoints over either an interface-based IPsec VPN or a tunnel-mode SSL VPN. After the user authenticates, the FortiGate unit sends the FortiClient application the IP address and port to be used for registration. If the user accepts the FortiGate invitation to register, registration proceeds and the FortiClient profile is downloaded to the client.

Users without FortiClient Endpoint Security connecting to the SSL VPN through a browser are redirected to a captive portal to download and install the FortiClient software.

Endpoint registration on an IPsec VPN

You can enable endpoint registration when you configure the FortiClient VPN or you can enable it on an existing FortiClient VPN.

To enable endpoint registration while configuring the VPN
  • Enable Allow Endpoint Registration on the Policy & Routing page of the VPN Wizard when creating the FortiClient VPN.

Note: This option is only available when Template Type is set to Remote Access with a FortiClient Remote Device Type.

To enable endpoint registration on an existing VPN
  1. Go to Network > Interfaces and edit the VPN's tunnel interface. The tunnel is a virtual interface under the physical network interface.
  2. In Admission Control, enable FortiClient Telemetry. Optionally, you can also enable Enforce FortiClient Telemetry for all FortiClients. This forces endpoints to register with FortiClient before they have network access.
  3. Select OK.

Endpoint registration on an SSL-VPN

To enable endpoint registration on the SSL-VPN
  1. Go to VPN > SSL-VPN Settings.
  2. In Tunnel Mode Client Settings, make sure Allow Endpoint Registration is enabled.
  3. Select Apply.
  4. Go to Network > Interfaces and edit the ssl.root interface.
  5. In Admission Control, enable FortiTelemetry (FortiClient Telemetry). Optionally, you can also enable Enforce FortiClient Telemetry for all FortiClients. This forces endpoints to register with FortiClient before they have network access.
  6. Select OK.

This procedure does not include all settings needed to configure a working SSL-VPN.

Synchronizing endpoint registrations

To support roaming users in a network with multiple FortiGate units, you need to configure synchronization of the endpoint registration databases between the units. The registered endpoints are then recognized on all of the FortiGate units. This is configured in the CLI. For example, to synchronize this FortiGate unit’s registered endpoint database with another unit named other1 at IP address 172.20.120.4, enter:

  config endpoint-control forticlient-registration-sync
      edit other1
          set peer-ip 172.20.120.4
  end
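The page shows one FortiGate unit listing a single peer. In a network with several units, every unit has to carry an entry for each of the other units, and a mistyped peer-ip silently breaks synchronization for roaming users. The following Python script is an added example, not Fortinet code: it takes a constructed inventory of units (the page's other1 at 172.20.120.4 plus two made-up units), validates each peer address as IPv4, and renders the per-unit forticlient-registration-sync stanza in the CLI syntax shown above. The assumption that each unit must list all other units is the example's, not stated on the page.

```python
"""Generate FortiOS forticlient-registration-sync stanzas for a group of
FortiGate units.  Added example, not Fortinet code.  Assumes each unit must
list every other unit as a peer (the page shows one unit with one peer)."""
import ipaddress

# Constructed sample inventory (unit name -> management IP).  'other1' at
# 172.20.120.4 comes from the page; the other two units are made up.
UNITS = {
    "fgt-hq": "172.20.120.1",
    "other1": "172.20.120.4",
    "fgt-branch": "172.20.130.2",
}


def sync_peers(unit, units=UNITS):
    """Return the (name, ip) pairs that 'unit' must sync with: every other
    unit in the inventory, with each address validated as IPv4."""
    if unit not in units:
        raise KeyError(f"unknown unit {unit!r}")
    peers = []
    for name, ip in units.items():
        if name == unit:
            continue  # a unit never lists itself as a peer
        addr = ipaddress.ip_address(ip)  # ValueError on a malformed address
        if addr.version != 4:
            raise ValueError(f"{name}: peer-ip must be IPv4, got {ip}")
        peers.append((name, str(addr)))
    return peers


def render_sync_config(unit, units=UNITS):
    """Render the CLI stanza for 'unit'.  With more than one table entry the
    FortiOS CLI needs 'next' between entries, which the page's single-entry
    example does not show."""
    lines = ["config endpoint-control forticlient-registration-sync"]
    for name, ip in sync_peers(unit, units):
        lines += [f"    edit {name}", f"        set peer-ip {ip}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for unit in UNITS:
        print(f"# ---- paste into {unit} ----")
        print(render_sync_config(unit))
```

Each rendered stanza is meant to be pasted into the CLI of the unit named in its header; a unit that is missing from the inventory, or whose address is not a valid IPv4 literal, stops the run instead of producing a config that would fail quietly on the FortiGate.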
