My business is currently looking at FortiClient on the endpoint to connect remotely to the office. We are currently using Citrix Cloud to connect remotely to a shared environment and Zscaler ZPA to connect to specific apps that don't fit the Citrix shared-app model (mainly used for consultants and externals).
As a network admin, I'm not super keen on going with FortiClient and EMS; I've always had issues in the past with latency, crashes, connections not establishing, etc. I also don't find it to be super secure for our network. Note that I'm the only network admin ATM.
Lastly, can one man really support a VPN for 300 end users?
I'd like to know your experience and your thoughts about using Forti SSL VPN / ZTNA.
We moved to FortiClient w/EMS in 2019, and as the only firewall guy in my department (though we do have a few helpdesk folks), overall, we've had really good luck. We've got about 300 clients, mostly Windows 10 laptops, and 4 different VPN entry points in different countries. We've had a few issues with Macs accessing stuff, but the Windows experience has been good.
I’ve been using Fortinet SSL VPNs for about 8 or 9 years now, and FortiEMS for about 4.
Latency, crashing and failed connections are not something I can say I have become acquainted with on Fortinet VPNs. Certainly not to any degree that would make me wary of them.
Supporting 300 users on VPN? How many locations? What size Fortigate firewalls? What size circuits? How many of those 300 users will be concurrent? What type of apps and access do they need after connection?
I wouldn’t go out of the way to try and manage that ratio in general, but it’s not an impossible one, unless they are all doing it from hotels and all over the globe. If it’s mostly WFH, then it will not be as traumatic.
EMS in my opinion is pretty good, if you’re concerned about the maintenance of the server go with cloud.
I've used FortiClient for SSL VPN for the last 4 years now; it's been pretty reliable. Depending on how you choose to configure ZTNA (reverse proxy vs. in-policy ZTNA tags).
VPN for 300 end users? Should be manageable, especially if you phase them in to avoid a post-cut ticket surge.
SSLVPN is a tried-and-true solution for FortiGates, vulnerabilities notwithstanding. It doesn’t require EMS. If you know what your design is going to be (split/full tunnel | multi-realm or not | authentication scheme), it’s pretty easy to set up.
ZTNA is newer, and requires EMS. It’s very modular and generally considered more secure than VPNs. ZTNA is also more efficient.
The problem with supporting VPNs is that you’re going to get looped into all sorts of issues not your problem. Bad home network? VPN’s fault. Voice calls are choppy on WiFi? Your fault.
FortiGate VPN with Duo as RADIUS was horrible after the 7.0.2 update. Connections dropped even when the users' internet was great. The HA pair never reported a failure but acted like it. Support tried for 6 months and couldn't get it reliable. A secondary site with a single 100F was fine. No EMS; we moved to Absolute Secure Connect in Dec and it's amazingly stable.
We use SSL VPN for almost 10 years with great success, no big disasters in any way.
We started using EMS more recently with mixed success but no deal-breakers.
Since last year we tried to incorporate ZTNA but that’s just a big pile of broken promises. It is almost non-functional, even in its most basic form (using tags in policies) it doesn’t always work as expected.
We just moved to FortiClient, with FortiGate being new to us. Smaller deployment using the free SSL-VPN. Compared to Cisco AnyConnect, the VPN drops more and won't reconnect automatically (unless I pay over a grand for a license). Also, SSO with Azure AD has been a nightmare. Switching between 7.0.8 and 7.2 clients and turning external browsers on and off were the four variables I had to deal with for many users. Not a happy experience. But I'm hopeful now that the initial migration experience is calming down.
We’re using FortiClient VPN for ~400 users (total, not concurrent) and it works well.
We offer both IPsec and SSL VPN options to be more flexible. Usage splits about 60/40 between the two. Lower the MTU of the SSL VPN a bit to deal with users behind CGNAT and there are really no big issues. I've seen an inexplicable connection drop here and there, but rarely.
We use FortiClient Cloud EMS because it would be ridiculous to run a whole Windows (!!!) VM just to hand out licenses to clients. It's really unfortunate you cannot just offline-license FortiClient with the MST or command-line arguments, but being able to push the config from the cloud does have advantages too.
I am also the only network admin at my company. We are a full Fortinet shop with two 400Es, EMS, and anywhere from 60 to 100 VPN users. We used the free VPN client that comes with FortiGates. Spun up a FortiAuthenticator server and were rolling well from 2020 to 2022 during the pandemic. Decided to fully invest and got EMS with AV and endpoint protection with the idea to roll out ZTNA this year.

So far, it has been painfully bad. Our EMS server was set up by a 3rd party that Fortinet salesmen recommended. We have constant sync issues between the EMS and clients. It will show that hundreds of PCs are out of sync. When the EMS decides it is going out of sync, the local web filter that it applies starts blocking known allowed sites because it can't get the config from the EMS. The only thing so far that has worked is the simple VPN connection that we have been using for 3 years.

Now, the higher-ups are wanting to deploy ZTNA, and I have no confidence that it will be successful. We reached out to two different vendors to see if they can help implement ZTNA with remote access, and both have declined, if that tells you anything. These were companies that Fortinet sales recommended we use.

All that being said, if you are like me and have a lot to manage outside of VPN setups, I would hold off and save yourself the headache.
You need to have EMS unless you want to manually configure each endpoint. Before we had EMS, I used to build config files and push reg files to clients to configure them. EMS shows you the status, and allows you to change stuff on the clients or push updates.
It works fine. What will you be using for MFA? Do you have Duo or Azure or something? If you are using the FortiToken app, you will need to purchase tokens for each user and have them use the app.
Will you be sending activation tokens via the firewall? If so, you will need to purchase SMS activation packs; otherwise you only get 100 SMS messages per firewall for free. The way around this is to look up the activation code in the firewall, then tell the user what it is.
The FortiToken method is quite convoluted, so I recommend SAML MFA or something else.
All in all, it's an OK product, but setting it up is FUN, to say the least. You will need a support contract for the firewall, and you will be calling them quite a bit at first.
I feel their VPN-ONLY solution is pretty good and easy to use. With 300 concurrent sessions, you need mid-level hardware.
But their ZTNA solution makes me nervous, because you need to open an IP+port for each single application you want to allow on the FortiGate. Maybe one day a security bulletin could be published, and all your applications could be accessed by any internet user; this is not something you want to see. For ZTNA solutions, I still prefer those with a connection proxy, so you don't need to publish any ports on your own firewall.
We used Microsoft Endpoint Manager/Intune to push out the clients as opposed to deployments in EMS because of AD mess, but the central profile policy management of EMS is still worthwhile. Using traditional SSL VPN and not the ZTNA proxy. We are using client ZTNA tagging for on-prem firewall policy match. Only recently deployed, and while we hit some bugs with the 7.0.3 application firewall and 7.0.8 web filter, I'm digging it.
I run FortiClient EMS in the cloud for both VPN & ZTNA and I think it works really well. It's miles better than the free FortiClient IMO. Its integration with the firewalls is pretty solid at the moment, and the ZTNA stuff seems to be getting better on the FGs as the releases keep coming.
Lastly, can one man really support a VPN for 300 end users?
I don't know your environment, but I would say the answer is yes. The hard part with SSL VPNs is the initial rollout. Once it's up and running you will probably be able to ignore it for the most part. If you have EMS to manage the FortiClients, it will be easy for you to do upgrades as well.
300 remote endpoints, an unknown number of servers and cloud solutions at play... for one person. The FortiGate/FortiClient is not likely to ever be your issue; sizing and bandwidth, however, may well be.
The fact that your leadership has not provided you with adequate staffing for hundreds of endpoints is an actual travesty. That will directly be an issue, but it doesn't have to be your issue.
I have used their SSL VPN without any notable problem.
Recently I have also used their ZTNA function as a PoC tester, so I don't know anything about how good it is in terms of setup and policy configuration.
But their ZTNA feature is not mature and stable enough IMO. It took minutes for the first connection to go through before you could access the app/service through ZTNA normally. Sometimes it barely works, and you get a DNS resolution failure screen instead. It also often mistakes HTTPS traffic for HTTP (probably due to the browser attempting an HTTPS redirect); its reverse proxy then makes the request to the origin using HTTP and gets an error instead.
Technically, I believe their ZTNA outside the internal network is implemented through a combination of a reverse proxy and an NDIS network packet filter driver. So, unlike most VPN software, which creates a network adapter and modifies the system route table, FortiClient ZTNA directly intercepts traffic using a driver bound to every network adapter on the system. I think it is much more difficult to troubleshoot once something goes wrong, because I can't determine whether the traffic is actually going through the ZTNA tunnel (or whatever they call it) or not.
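As an added example (not from the poster above and not Fortinet's own tooling), the two client models described in that post can be told apart from the Windows side without knowing anything vendor-specific: a classic VPN shows up as an extra adapter plus routes, while a filter-driver client shows up as a non-Microsoft NDIS binding on every adapter, with the route table untouched. The internal application address (10.20.30.40) and the idea that the vendor's component ID is unknown are assumptions; the cmdlets (Get-NetAdapter, Get-NetRoute, Find-NetRoute, Get-NetAdapterBinding) are standard Windows NetAdapter/NetTCPIP module commands. Run it from an elevated PowerShell prompt with the client connected.

```powershell
# Added troubleshooting example; not code from the post or from the vendor.
# Question it answers: is the remote-access client inserting itself as a
# virtual adapter + routes (classic VPN) or as an NDIS filter bound to every
# adapter (the model the post describes)?

# ASSUMPTION: an internal-only application address you expect to reach
# through the client. Replace with one of your own.
$AppAddress = '10.20.30.40'

Write-Host "`n== 1. Adapters (a TUN/TAP-style VPN adds one here) =="
Get-NetAdapter | Sort-Object ifIndex |
    Format-Table ifIndex, Name, InterfaceDescription, Status, LinkSpeed -AutoSize

Write-Host "`n== 2. Which interface the route table picks for $AppAddress =="
# Find-NetRoute returns the source IP and the route Windows would use.
# If this names your physical NIC and the default gateway, yet the app is
# still reachable, traffic is being intercepted below the route table
# (filter driver / proxy) rather than routed into a tunnel adapter.
$sel = Find-NetRoute -RemoteIPAddress $AppAddress
$route = $sel | Where-Object { $_.PSObject.Properties.Name -contains 'DestinationPrefix' }
$src   = $sel | Where-Object { $_.PSObject.Properties.Name -contains 'IPAddress' }
$ifName = (Get-NetAdapter -InterfaceIndex $route.ifIndex -ErrorAction SilentlyContinue).Name
[pscustomobject]@{
    DestinationPrefix = $route.DestinationPrefix
    NextHop           = $route.NextHop
    Interface         = $ifName
    SourceAddress     = $src.IPAddress
} | Format-List

Write-Host "`n== 3. Non-Microsoft NDIS bindings (filter drivers live here) =="
# Microsoft's own components use ms_* IDs (ms_tcpip, ms_pacer, ms_wfplwf_*).
# Anything else bound to *every* adapter is a third-party filter in the
# data path. ASSUMPTION: we do not match a specific vendor component ID,
# so everything non-Microsoft is listed and the reader judges.
$bindings = Get-NetAdapterBinding -AllBindings |
    Where-Object { $_.ComponentID -notlike 'ms_*' }
$bindings | Sort-Object ComponentID, Name |
    Format-Table Name, ComponentID, DisplayName, Enabled -AutoSize

Write-Host "`n== 4. Components bound to every adapter at once =="
$adapterCount = (Get-NetAdapter | Measure-Object).Count
$bindings | Where-Object { $_.Enabled } |
    Group-Object ComponentID |
    Where-Object { $_.Count -ge $adapterCount } |
    ForEach-Object {
        "{0} is bound on all {1} adapters -> candidate interception filter" -f $_.Name, $_.Count
    }
```

Section 2 is the part that settles the poster's question of whether a given flow is inside the tunnel: a virtual-adapter VPN changes the answer Find-NetRoute gives, a filter driver does not. Section 4 narrows the binding list to components present on every adapter, which is the footprint a system-wide packet filter leaves; the built-in Windows packet capture tool (pktmon) can then be pointed at that address to watch the frames move through the stack, but its command syntax has changed across Windows releases, so check the version on the endpoint first.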