EMS Administration Guide

Remote Access

This topic contains descriptions of general remote access settings.

Configuration

Description

Remote Access

Enable or disable remote access.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

General

Allow Personal VPN

Allow users to create, modify, and use personal VPN configurations.

Disable Connect/Disconnect

Disable the Connect/Disconnect button when using Auto Connect with VPN.

Show VPN before Logon

Allow users to select a VPN connection before logging into the system.

Use Windows Credentials

If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.

Minimize FortiClient Console on Connect

Minimize FortiClient after successfully establishing a VPN connection.

Show Connection Progress

Display information on the FortiClient dashboard while establishing connections.

Suppress VPN Notifications

Block FortiClient from displaying any VPN connection or error notifications.

Use Vendor ID

Use vendor ID. Enter the vendor ID in the Vendor ID field.

Enable Secure Remote Access

FortiClient denies or allows the endpoint to connect to a VPN tunnel based on the tunnel's Host Tag configuration. See the Host Tag field description in SSL VPN and IPsec VPN.

Current Connection

Select the current VPN tunnel.

Auto Connect

Select a VPN tunnel for endpoints to automatically connect to when the end user logs into the endpoint. The end user must have established a VPN connection manually at least once from the FortiClient GUI.

Auto Connect Only When Off-Fabric

Autoconnect to the selected VPN tunnel only when EMS considers the endpoint off-fabric. See On-fabric Detection Rules.

Always Up Max Tries

Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.

Network Lockdown

Configure network lockdown for off-fabric endpoints when they are not connected to SSL VPN.

When network lockdown is configured and an endpoint goes off-fabric, the grace period that the EMS administrator configured comes into effect. During the grace period, the endpoint can continue to access the LAN and the Internet without restrictions. If the endpoint does not connect to SSL VPN by the end of the grace period, it cannot access the LAN or the Internet. It can still access IP addresses and applications that the EMS administrator has configured as exceptions, and it can connect to VPN to regain Internet access. For a full tunnel VPN, the LAN is only accessible if exclusive routing is disabled. The administrator configures a limited number of attempts for the end user to enter valid VPN credentials. Once the user reaches the limit, the endpoint is in network lockdown.

Grace Period

Configure a grace period in seconds during which an off-fabric endpoint that is not connected to SSL VPN can continue to access LAN and the Internet without restrictions.

Maximum Connection Attempts

Configure the maximum number of attempts for the end user of an off-fabric endpoint to enter valid SSL VPN credentials.

Excluded Applications

Enter the paths to applications that an off-fabric endpoint that is not connected to SSL VPN can still access.

Excluded IPs

Enter IP addresses that an off-fabric endpoint that is not connected to SSL VPN can still access.
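
The network lockdown behavior described above can be modelled as a small decision function, which is useful for reviewing a grace period, attempt limit, and exception list before deploying them. This is an added example, not Fortinet code: the class, field, and function names are hypothetical, the sample policy is constructed, and matching application paths case-insensitively is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class LockdownPolicy:
    """Hypothetical field names mirroring the Network Lockdown settings."""
    grace_period_s: int                                      # Grace Period (seconds)
    max_attempts: int                                        # Maximum Connection Attempts
    excluded_ips: List[str] = field(default_factory=list)    # Excluded IPs
    excluded_apps: List[str] = field(default_factory=list)   # Excluded Applications

@dataclass
class Endpoint:
    off_fabric_since: Optional[float]   # None while the endpoint is on-fabric
    vpn_connected: bool = False
    failed_attempts: int = 0            # invalid SSL VPN credential entries

def in_lockdown(p, e, now):
    if e.off_fabric_since is None or e.vpn_connected:
        return False                    # lockdown applies only off-fabric without VPN
    if e.failed_attempts >= p.max_attempts:
        return True                     # credential attempt limit reached
    return now - e.off_fabric_since >= p.grace_period_s   # grace period has ended

def allowed(p, e, now, dst_ip, app_path):
    """Traffic to the VPN gateway itself is not modelled here."""
    if not in_lockdown(p, e, now):
        return True
    # Assumption: application paths are compared case-insensitively.
    if app_path.lower() in (a.lower() for a in p.excluded_apps):
        return True
    dst = ip_address(dst_ip)
    return any(dst in ip_network(n, strict=False) for n in p.excluded_ips)

def broad_exceptions(p, min_prefix=24):
    """Audit helper: exceptions wide enough to weaken the lockdown."""
    return [n for n in p.excluded_ips
            if ip_network(n, strict=False).prefixlen < min_prefix]

# Constructed sample policy and endpoint (documentation address ranges).
POLICY = LockdownPolicy(120, 3, ["192.0.2.10", "198.51.100.0/22"],
                        [r"C:\Tools\helpdesk.exe"])
EP = Endpoint(off_fabric_since=1000.0)
```

Every entry in the exception lists is reachable from a locked-down endpoint, so `broad_exceptions` is the check to run whenever the Excluded IPs field changes.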
