Forti IPSEC Remote Access VPN with Always-On

I’m planning to set up a Remote Access VPN solution using IPsec, with client management handled via EMS. My goal is to enable always-on functionality so that the VPN connects before users log in (to support Active Directory domain authentication).

I’ve come across older posts suggesting that this setup can be clunky or unreliable, but these posts are quite dated. Is this approach now feasible?

Additionally, I understand that using certificates is typically required for VPN connections that initialize before user login. Since EMS issues certificates to FortiClients, is it possible to leverage these certificates for VPN authentication?

If anybody has done something similar recently I would be keen to hear. Or, if this is documented anywhere please could it be shared.

Thanks

Here you go:

It is possible and documented (it’s all the on_os_start_connect stuff), but it can be buggy. You need to test it in your own environment to see if it works with your versions.

You can use the EMS certificates for authentication if you want.

Thank you. How do you use the EMS certs for auth? Is that documented anywhere? Or if you could give me some bullet points on how it’s achieved, I’d appreciate that.

It works the same way as with any other cert-based authentication. EMS just acts as a CA.

Can you give me some pointers? How do you choose EMS as the cert when setting up the VPN on the firewalls? Not done this before, cheers
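For the firewall side of the certificate question above, an added example (not from any participant in this thread, and not Fortinet documentation): a FortiOS CLI fragment for a dialup IPsec tunnel that authenticates FortiClients by certificates chained to the EMS CA. The object names (EMS_CA, EMS_FortiClients, FGT_Server_Cert, RA_IPSEC), the interface wan1 and the address pool are assumed placeholders; check each option against the FortiOS version in use.

```fortios
# Trust the EMS-issued CA: import the EMS CA certificate first
# (GUI: System > Certificates > Import > CA Certificate, or
# 'execute vpn certificate ca import ...'). Assumed name: "EMS_CA".

# Peer object: accept any client certificate that chains to the EMS CA.
# Narrow it further with 'set cn' / 'set cn-type' or 'set subject' so that
# only certificates issued for your endpoints are accepted.
config user peer
    edit "EMS_FortiClients"
        set ca "EMS_CA"
    next
end

# Dialup phase 1 using certificate (signature) authentication on both sides.
# "FGT_Server_Cert" is the FortiGate's own server certificate (assumed name).
config vpn ipsec phase1-interface
    edit "RA_IPSEC"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peer
        set peer "EMS_FortiClients"
        set authmethod signature
        set certificate "FGT_Server_Cert"
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
        set dpd on-idle
    next
end

# Matching phase 2 for the dialup tunnel.
config vpn ipsec phase2-interface
    edit "RA_IPSEC_P2"
        set phase1name "RA_IPSEC"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

The client side still needs the EMS-pushed profile with certificate authentication and the on_os_start_connect setting for the pre-logon connection, which this fragment does not cover.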