A remote client should be registered to and managed by EMS to obtain the VPN remote access profile for connecting to the VPN. Therefore, a firewall policy must allow access to the EMS server.
You must configure a Remote Access profile in EMS to allow VPN prelogon. The first example creates a tunnel with configurations for enabling VPN prelogon with machine certificate. Users can select FortiClient VPN on the Windows logon page.
The next example takes it one step further and enables Windows to automatically connect to the tunnel on startup.