Enhancing VPN security using EMS SN verification
The EMS serial number (SN) verification feature restricts establishing a VPN connection to the FortiGate to only licensed FortiClient endpoints. The EMS SN verification is performed by the FortiGate and the feature requires that the FortiGate and FortiClient endpoints both must be connected to the same FortiClient EMS.
EMS SN verification is performed when a FortiClient user attempts to establish a VPN connection to the FortiGate. During the VPN establishment process:
-
FortiClient sends the SN of the FortiClient EMS that manages it to the FortiGate.
-
The FortiGate performs a check to confirm whether the EMS SN sent by the FortiClient corresponds to same FortiClient EMS to which the FortiGate itself is connected to.
-
The FortiGate allows the user to connect to the VPN only if the EMS SN match.
This feature prevents the free VPN-only standalone FortiClient users from connecting to VPN, thus enhancing VPN security. This setting can only be enabled from the CLI.
To enable the EMS SN verification in the CLI:
config system global set vpn-ems-sn-check {enable | disable} end
Command |
Description |
---|---|
set vpn-ems-sn-check {enable | disable} |
Enable/disable verification of EMS serial number in SSL-VPN connection. |