My customer’s main VPN system uses SSLVPN with FortiClient. There are around 1.5k simultaneous users on a daily basis and everything works flawlessly. The FortiGate is a 600E, so it packs more than enough to deal with all the users.
As for features, we don’t use a ton: FortiClient only has the VPN module activated (some with FSSO as well); in the SSLVPN configuration the only slightly uncommon thing is that we perform a certificate pre-authentication.
It all started with version 6.0 three years ago; now all FG, FortiEMS & FortiClient are on 6.4, the latest firmware/app version. Now we are looking to upgrade to 7.0 and use SAML authentication with AzureAD.
The SSLVPN solution got us through the COVID crisis and got heavily used and is still heavily used right now as the company policies towards home working evolved as well.
My customer has some 24/7 activities and overall the SLAs have been outstanding for this service. Outages on the VPN service happened, but they were unrelated to the FortiGate / FortiClient / FortiEMS.
This is so far a success story for my customer !
On the other side, I’m quite unhappy with the product (FortiEMS & FortiClient) and this is the other side of the story:
My first rant is that FortiEMS is now needed. Before FortiEMS (version 6.0) I happily used the free version of FortiClient, as we only needed SSLVPN. I knew it came with no support and I was quite happy with how I was able to generate the msi with the SSLVPN configuration embedded inside. It was a very cost-effective VPN solution with minimal effort.
I had to convince my customer that starting from 6.2 they had to pay for FortiEMS, which gave them more features and access to support for FortiClient problems that were previously dealt with internally.
No features were needed, as they already had other products for antivirus/malware, web filtering and so on. Partly because those features were not even wanted to begin with: my customer only needed a VPN solution. Partly because of large-organization segregation of responsibilities: the network team had to provide a VPN solution and nothing more, not an antivirus/antimalware one, and the other teams weren’t keen to try out a product that was pushed forward by the network team… In the end, FortiEMS is only used to generate msi packages…
My second rant is about the support for FortiClient issues. Now that there is a license for FortiClient/FortiEMS I’m able to create cases. Oh boy, what a bad experience so far. Fortinet’s support is, in my opinion, quite decent compared to other brands I know of. But when dealing with FortiClient… that’s another story.
I would consider the support on FortiClient cases to be the worst experience I have had with Fortinet’s support.
> Issue with certificate pre-auth after upgrading Win 10 1909 to 21H2? Just figure it out yourself: 4 cases, 2 of them still open, 1 of them has a “bug fixing” status, but I suppose it is that way because I demanded escalation too many times and thus they just gave up and put that into some random bug. In the end, it seems to be related to the TPM chip on certain devices, with FortiClient not being able to get the private key of the certificate with the Microsoft TPM crypto provider…
>>> I agree that this case is not directly related to FortiClient, but it infuriates me that clues were only partially provided and to get those I had to insist multiple times and ask for escalations.
>>> Some of our endpoints are still on version 1909 of Windows because of this case and have therefore been on a retired, end-of-support version of Windows since the beginning of this month.
>>> Leads us to accelerate our move to SAML authentication and get rid of certificate pre-auth (BTW, the two of them do not work together; you need to configure another vdom if you wish to have them side by side. It’s a technical limitation, no rant/sarcasm here).
> Issue with the save password feature? Also, figure it out yourself. Case still on bug fixing after more than 6 months with no updates.
>>> The “€” sign corrupts the encrypted saved password and it is unusable.
>>> How professional is it to need to explain to end users not to use the € sign in their passwords?
> Issue with FortiClient not being able to establish the tunnel with SAML authentication after the authentication was correctly made? Figure this out yourself. After some tests it appears that version 7.0 works and 6.4 does not, in our configuration. Don’t know why, and the only answer I got from support is: workaround provided (by myself, that is) and just upgrade to 7.0.
>>> Leads us to the decision to upgrade to version 7.0 and thus to the next case.
> Issue upgrading FortiEMS 6.4.7 to 7.0.4 not upgrading the syntax of the profiles correctly, leading to unusable profiles and installers? This time the provided support was good! Fun fact: there is a known bug with upgrading 6.4.7 to 6.4.8; after telling us this, support asks us to try upgrading to 6.4.8 and then to 7.0.4, ok…
So, on the surface, the FortiClient VPN solution is a huge success! In the shadows, I really struggle with it. I wanted to share my frustration and see whether or not I was alone.