EMS Administration Guide

Per-machine prelogon VPN connection without user interaction

You can configure per-machine SSL and IPsec VPN tunnels that connect before user logon without user interaction using XML configuration. The following describes the XML tags required:

<show_vpn_before_logon>
    Show the VPN before logon tile on the Windows logon screen. Per-machine autoconnect depends on this tag being enabled.
    Boolean: [1|0]. Default value: 1.

<on_os_start_connect>
    Enter the name of the tunnel that FortiClient connects when the OS starts. For per-machine autoconnect to work, you must also mark that tunnel as the per-machine autoconnect tunnel. See the <machine> tag.

<on_os_start_connect_has_priority>
    When per-user and per-machine autoconnect configurations both exist:
      • If this tag is set to 1, the per-machine autoconnect tunnel remains connected after the user logs in to Windows.
      • If this tag is set to 0, after the user logs in to Windows, the per-machine autoconnect tunnel drops and the per-user autoconnect tunnel connects.
    Boolean: [1|0]. Default value: 1.

<machine>
    Enabling this tag indicates that FortiClient should use this tunnel for per-machine autoconnect. This tag must be enabled on the tunnel named in <on_os_start_connect> for per-machine autoconnect to start.
    Boolean: [1|0]. Default value: 0.

<username>
    Enter the remote gateway authentication username if xAuth is enabled. If using public key infrastructure (PKI) authentication, do not configure this tag.

<password>
    Enter the password for the remote gateway authentication username if xAuth is enabled. If using PKI authentication, do not configure this tag.

<keep_running>
    When this tag is enabled, the tunnel automatically reconnects after the network status goes from up to down and back to up. This tag applies both before and after logging in to Windows.
    Boolean: [1|0]. Default value: 0.

The following are example XML configurations for SSL VPN and IPsec VPN per-machine autoconnect. The tags of note are those described in the table above. Both examples are balanced but incomplete XML fragments: they include all closing tags but omit some elements that a complete configuration needs. Both are also lab configurations. The SSL VPN example sets <disallow_invalid_server_certificate> and <warn_invalid_server_certificate> to 0, which accepts an invalid gateway certificate without a warning, and both examples store the tunnel username and password in the profile in plain text. In a production profile, keep server certificate validation enabled, and if the machine tunnel authenticates with a certificate (PKI), leave the <username> and <password> tags unconfigured.

SSL VPN example

<vpn>
  <options>
    <on_os_start_connect>myfgt-ssl</on_os_start_connect>
    <show_vpn_before_logon>1</show_vpn_before_logon>
    <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
  </options>
  <sslvpn>
    <options>
      <enabled>1</enabled>
      <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    </options>
    <connections>
      <connection>
        <name>myfgt-ssl</name>
        <description />
        <server>172.17.61.39:10439</server>
        <ui>
          <show_alwaysup>1</show_alwaysup>
          <show_autoconnect>1</show_autoconnect>
          <save_username>0</save_username>
          <show_remember_password>1</show_remember_password>
        </ui>
        <machine>1</machine>
        <password>11111111</password>
        <username>t1</username>
        <keep_running>0</keep_running>
        <certificate>
          <common_name>
            <match_type>simple</match_type>
            <pattern><![CDATA[ems.loc]]></pattern>
          </common_name>
          <issuer>
            <match_type>simple</match_type>
            <pattern><![CDATA[L4RTP-AD4-EMS-LAB-CA]]></pattern>
          </issuer>
        </certificate>
        <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
        <prompt_certificate>1</prompt_certificate>
        <prompt_username>1</prompt_username>
      </connection>
    </connections>
  </sslvpn>
</vpn>

IPsec VPN example

<ipsecvpn>
  <connections>
    <connection>
      <name>myfgt-ipsec</name>
      <type>manual</type>
      <ui>
        <show_remember_password>1</show_remember_password>
        <show_alwaysup>1</show_alwaysup>
        <show_autoconnect>1</show_autoconnect>
        <show_passcode>0</show_passcode>
        <save_username>0</save_username>
      </ui>
      <ike_settings>
        <server>fgt28.com</server>
        <authentication_method>System Store X509 Certificate</authentication_method>
        <fgt>1</fgt>
        <prompt_certificate>1</prompt_certificate>
        <xauth_timeout>120</xauth_timeout>
        <xauth>
          <use_otp>0</use_otp>
          <enabled>1</enabled>
          <prompt_username>1</prompt_username>
          <username>t1</username>
          <password>1</password>
        </xauth>
        <run_fcauth_system>1</run_fcauth_system>
        <auth_data>
          <certificate>
            <common_name>
              <match_type>wildcard</match_type>
              <pattern>*</pattern>
            </common_name>
            <issuer>
              <match_type>simple</match_type>
              <pattern>L4RTP-AD4-EMS-LABCA</pattern>
            </issuer>
          </certificate>
        </auth_data>
      </ike_settings>
      <ipsec_settings>
      </ipsec_settings>
      <host_check_fail_warning></host_check_fail_warning>
      <keep_running>0</keep_running>
      <machine>1</machine>
    </connection>
  </connections>
</ipsecvpn>
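As an added example (not part of the Fortinet guide or of FortiClient itself), the following Python script checks a profile fragment against the requirements in the tag table above: <show_vpn_before_logon> must be 1, <on_os_start_connect> must name a connection that exists, and that connection must set <machine>1</machine>. It also flags the settings a reviewer would question in the fragments above: server certificate validation switched off, a plain-text password stored in the profile, and <on_os_start_connect_has_priority> set to 0. The embedded sample is a constructed copy of the page's SSL VPN fragment trimmed to the tags the checker reads; the function names are this example's own and are not a FortiClient or EMS API.

```python
"""Lint a FortiClient XML profile fragment for per-machine prelogon autoconnect.

Added example; uses only the Python standard library.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's SSL VPN fragment trimmed to the tags read below.
SAMPLE_PROFILE = """<vpn>
  <options>
    <on_os_start_connect>myfgt-ssl</on_os_start_connect>
    <show_vpn_before_logon>1</show_vpn_before_logon>
    <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
  </options>
  <sslvpn>
    <options>
      <enabled>1</enabled>
      <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    </options>
    <connections>
      <connection>
        <name>myfgt-ssl</name>
        <server>172.17.61.39:10439</server>
        <machine>1</machine>
        <username>t1</username>
        <password>11111111</password>
        <keep_running>0</keep_running>
        <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
      </connection>
    </connections>
  </sslvpn>
</vpn>"""


def _text(elem, path, default=""):
    """Return the stripped text of the first match of path under elem, or default."""
    node = elem.find(path) if elem is not None else None
    return (node.text or "").strip() if node is not None else default


def check_prelogon_profile(xml_text):
    """Return (errors, warnings) for the per-machine prelogon requirements.

    Errors are conditions under which the tunnel will not start before logon
    according to the tag table; warnings are settings that work but weaken
    the configuration or change its behaviour at user logon.
    """
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    vpn = root if root.tag == "vpn" else root.find("vpn")
    if vpn is None:
        return ["no <vpn> element found"], warnings

    opts = vpn.find("options")
    if _text(opts, "show_vpn_before_logon") != "1":
        errors.append("<show_vpn_before_logon> must be 1 for per-machine autoconnect")

    target = _text(opts, "on_os_start_connect")
    if not target:
        errors.append("<on_os_start_connect> is empty: no tunnel is named for OS start")
        return errors, warnings

    # Locate the named connection in either the SSL or the IPsec connection list.
    conn = None
    for section in ("sslvpn", "ipsecvpn"):
        for c in vpn.iterfind(f"{section}/connections/connection"):
            if _text(c, "name") == target:
                conn = c
                break
        if conn is not None:
            break
    if conn is None:
        errors.append(f"<on_os_start_connect> names '{target}' but no connection has that <name>")
        return errors, warnings

    if _text(conn, "machine") != "1":
        errors.append(f"connection '{target}' must set <machine>1</machine>")

    if _text(opts, "on_os_start_connect_has_priority", "1") == "0":
        warnings.append("<on_os_start_connect_has_priority> is 0: the machine tunnel drops "
                        "at user logon if a per-user autoconnect tunnel exists")

    # Both certificate tags at 0 means an invalid gateway certificate is accepted silently.
    if _text(vpn, "sslvpn/options/disallow_invalid_server_certificate") == "0":
        warnings.append("<disallow_invalid_server_certificate> is 0: invalid SSL VPN "
                        "server certificates are accepted")
    if _text(conn, "warn_invalid_server_certificate") == "0":
        warnings.append(f"connection '{target}' sets <warn_invalid_server_certificate> to 0")

    # SSL VPN keeps <password> under the connection; IPsec keeps it under <xauth>.
    password = _text(conn, "password") or _text(conn, "ike_settings/xauth/password")
    if password:
        warnings.append(f"connection '{target}' carries a plain-text <password> in the profile")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_prelogon_profile(SAMPLE_PROFILE)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
```

Run it against an exported profile by replacing SAMPLE_PROFILE with the file contents. The IPsec fragment on this page has no <vpn> wrapper, so wrap it in <vpn><options>...</options><ipsecvpn>...</ipsecvpn></vpn>, with the three <options> tags from the SSL example, before checking it. The sample produces no errors and four warnings, one for each of the lab settings called out above.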

Use cases

In addition to per-machine autoconnect VPN tunnels, you can also configure per-user autoconnect VPN tunnels. The following describes the expected behavior for different scenarios involving these VPN tunnels:

Scenario: Only a per-user autoconnect tunnel with <keep_running> disabled is configured.

Behavior:
  • The per-user tunnel only connects after the user logs in to the device.
  • The per-user tunnel does not disconnect unless the user manually disconnects it.
  • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

Scenario: Only a per-user autoconnect tunnel with <keep_running> enabled is configured.

Behavior:
  • The per-user tunnel only connects after the user logs in to the device.
  • The per-user tunnel does not disconnect.
  • When the device disconnects from the network, the per-user tunnel disconnects.
  • When the device reconnects to the network, the per-user tunnel reconnects.
  • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

Scenario: Only a per-machine autoconnect tunnel with <keep_running> disabled is configured.

Behavior:
  • The per-machine tunnel connects before the user logs in to the device.
  • After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
  • When the device disconnects from the network, the per-machine tunnel disconnects.
  • When the device reconnects to the network, the per-machine tunnel reconnects.
  • When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.

Scenario: Only a per-machine autoconnect tunnel with <keep_running> enabled is configured.

Behavior:
  • The per-machine tunnel connects before the user logs in to the device.
  • After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
  • When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.

Scenario: The following tunnels are configured:
  • A per-machine autoconnect tunnel with <keep_running> disabled
  • A per-user autoconnect tunnel with <keep_running> disabled, <show_remember_password> enabled, and <show_autoconnect> enabled

Behavior:
  • The per-machine tunnel connects before the user logs in to the device.
  • After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
  • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

Scenario: The following tunnels are configured:
  • A per-machine autoconnect tunnel with <keep_running> enabled
  • A per-user autoconnect tunnel with <keep_running> enabled

Behavior:
  • The per-machine tunnel connects before the user logs in to the device.
  • After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
  • When the device disconnects from the network, the per-user tunnel disconnects.
  • When the device reconnects to the network, the per-user tunnel reconnects.
  • When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.

This document does not cover all possible VPN tunnel configuration combinations.
