Administration Guide

Configuring VPN to automatically connect before logon

To configure VPN to automatically connect before logon:
  1. In EMS, go to Endpoint Profiles > Remote Access.
  2. Clone the Machine-VPN profile.
  3. Name the new profile Machine-VPN-with-auto-pre-logon.
  4. Click Save.
  5. In XML view, click Edit.
  6. Locate the machine-cert-vpn connection.
  7. Modify the name to machine-cert-vpn-auto.
  8. Locate the <certificate/> element, and make the following modifications:

    <certificate>
      <common_name>
        <match_type>wildcard</match_type>
        <pattern>WIN10*</pattern>
      </common_name>
      <issuer>
        <match_type>simple</match_type>
        <pattern>fortiad-WIN-EMS-CA</pattern>
      </issuer>
    </certificate>

    The common_name element uses wildcard matching to identify a machine certificate with CN matching WIN10*. The issuer element matches a machine certificate that the fortiad-WIN-EMS-CA certificate authority issued. Replace these with the appropriate patterns for your organization.

  9. Under global VPN options, locate the <on_os_start_connect/> element and modify as follows:

    <on_os_start_connect>machine-cert-vpn-auto</on_os_start_connect>
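
Before pushing the profile, it helps to dry-run the certificate filter from step 8 and the `<on_os_start_connect>` value from step 9 against the machine certificates you expect to see. The Python below is an added example, not code from this guide or from FortiClient. Its assumptions: the `<fragment>` wrapper and the sample certificates are constructed, and `simple` is treated as an exact match and `wildcard` as a case-sensitive glob.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed wrapper around the two fragments from steps 8 and 9; the
# <fragment> root is NOT part of the real profile schema.
PROFILE_FRAGMENT = """
<fragment><certificate>
  <common_name><match_type>wildcard</match_type><pattern>WIN10*</pattern></common_name>
  <issuer><match_type>simple</match_type><pattern>fortiad-WIN-EMS-CA</pattern></issuer>
</certificate>
<on_os_start_connect>machine-cert-vpn-auto</on_os_start_connect></fragment>
"""

# Constructed (subject CN, issuer CN) pairs standing in for machine certificates.
SAMPLE_CERTS = [
    ("WIN10-LAB-01", "fortiad-WIN-EMS-CA"),
    ("WIN10-LAB-02", "Other-Issuing-CA"),
    ("WIN11-LAB-03", "fortiad-WIN-EMS-CA"),
    ("WIN10-KIOSK-07", "fortiad-WIN-EMS-CA"),
]

def field_matches(rule, value):
    """Assumed semantics: 'simple' = exact string, 'wildcard' = case-sensitive glob."""
    match_type = rule.findtext("match_type", "").strip()
    pattern = rule.findtext("pattern", "").strip()
    if match_type == "simple":
        return value == pattern
    if match_type == "wildcard":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unhandled match_type: {match_type!r}")

def review(xml_text, certs, connection_name):
    """Return (CNs the filter would select, list of configuration findings)."""
    root = ET.fromstring(xml_text)
    cert = root.find("certificate")
    selected = [cn for cn, issuer in certs
                if field_matches(cert.find("common_name"), cn)
                and field_matches(cert.find("issuer"), issuer)]
    findings = []
    if root.findtext("on_os_start_connect", "").strip() != connection_name:
        findings.append("on_os_start_connect does not name the renamed connection")
    for field in ("common_name", "issuer"):
        if cert.findtext(f"{field}/pattern", "").strip() in ("", "*"):
            findings.append(f"{field} pattern accepts any value")
    return selected, findings

if __name__ == "__main__":
    print(review(PROFILE_FRAGMENT, SAMPLE_CERTS, "machine-cert-vpn-auto"))
```

In the constructed data, `WIN10*` also selects `WIN10-KIOSK-07`, which shows why the wildcard prefix should be as narrow as your naming scheme allows.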

To apply the Remote Access profile to an endpoint policy:
  1. From Endpoint Policy & Components > Manage Policies, select the policy that is being applied to your endpoint, and click Edit.
  2. Under Profile, change the VPN selection to Machine-VPN-with-auto-pre-logon.
  3. Click Save.
