FortiClient SSL VPN preferred method of deployment

We currently are running FortiClient EMS Cloud with 7.2.4 and a mix of FortiClient 7.0.13 and 7.2.4. So far all of 7.2.x has been buggy as hell, stopping some functionality like SSO or simply failing on login due to cert failure. 7.0.13 is flagged with a vulnerability that has no fix other than upgrading to 7.2.x.

We recently received a test build of 7.2.4 that has fixed almost all of our issues (minus disconnect not working). We use Azure SAML and that seems to be working fine again. I guess my question is: what is the de facto way to deploy SSL VPN in the enterprise? It seems the hardening guide recommends IPsec over SSL VPN.

What do most of your deployments look like, and what's the most stable for people? What version combination seems to be best? For reference, we have a FortiGate 400F running 7.2.8, and all of our clients are Windows 10 laptops.

With a new vulnerability coming every month and functionality not being consistent between updates, it really feels like we are walking a minefield. I’d love to see what other people are doing and what the most stable deployment looks like.

Have your SSL on a loopback and run IPS if you're worried about vulns. Or go IPsec; it has support for SAML as well, but it's probably buggy. I haven't tried it yet. New in 7.2.4.

I spent a day wrestling with SAML SSO on FortiClient 7.2.4, only to find out it has a bug. A downgrade to FortiClient 7.2.3 solved everything.

On-net machines we deploy with MDT or GPO. Once the client is already installed, you can use the update feature from EMS.

We're running into SAML problems on a daily basis with tons of clients... High hopes for 7.2.5.

I'm running 7.2.3 but not with SAML; I'm using AD with Duo.

Since only certain users need the FortiClient, I install it via PDQ Deploy when initially setting up new laptops.

For updates, I've done it through the EMS server, but that seems to be hit or miss, so now I'm doing it through PDQ Connect.

Glad I'm not the only one struggling.

Go IPsec, cuz SSL VPN will not be an option on devices with 2GB or less than 2GB in the future.

It's so buggy. I tried to deploy it and it's nowhere near production ready IMHO. Documentation is crap as well.

IPS will do nothing with SSL VPN on loopback. The FortiGate will still handle the traffic as local-in, and thus not do any UTM. The only way to do this is by putting SSL VPN in a different VDOM than your internet facing interface.

Try a downgrade to 7.2.3, that solved my SAML SSO issues.

Open a ticket with Fortinet. They'll give you the test build of 7.2.4 that fixes the SAML bug. It worked for us...

That said, when they gave us the test build, the tech said 7.2.5 would include the fix and was scheduled for release in June... Obviously late now... Sigh.

That's a shame. I know you can use virtual patching. Wish Forti would follow what Palo does here and allow you to do IPS on your listening interface, loopback or not.

You can attach an IPS profile to the WAN interface itself or use virtual patching to help with IPS.

Had a bunch of SAML issues on 7.2.3. Downgraded to 7.0.10 and haven't heard from a user since.

Ok, but I would recommend going for IPsec. In the future Fortinet sees them patch SSL VPN instead of the "whole firewall". But seeing recent years, with lots of CVEs for SSL VPN, maybe your time is now.

Keep an eye open for the release of 7.6, it will have a lot of features relevant to this.

Would you still use the FortiClient or the built-in Windows VPN agent for this? As I don't see going IPsec fixing the issue with the FortiClient vulnerabilities that I'm constantly facing.

From what I've heard, generally 7.0.1X is fine; I haven't tried anything other than 10. I was recommended the version by a friend also in IT.
Really it was only a test version running parallel to 7.2.3; however, given the implications it had, I pushed it to prod after confirming it stable.

Still use FortiClient managed by EMS.