One of our recent customers were looking for a secure and flexible remote access solution that provided them with a like for like experience whether connecting via their own LAN or a mobile hotspot. Having reviewed a number of technologies and options, we progressed with offerings from the Fortinet suite to meet these requirements.

We installed and configured two FortiGate 300D firewall appliances at each customer site to provide perimeter defences and client VPN termination. The onsite firewalls would perform compliance enforcement and web content-filtering when the endpoints were ‘On Net’.

Next came the configuration & deployment of FortiClient on the Windows 10 end-user devices to provide a software-based perimeter defence capability for web content-filtering whilst ‘Off Net’ by using a split tunnel configuration with an Always On VPN for corporate network connectivity, leveraging device based certificate authentication.

FortiClientEMS was deployed to manage the FortiClient instances, allowing the customer to maintain client configuration globally from a central platform. FortiClient was configured to register with the EMS automatically as part of the build, this resulted in all new end-user devices being registered and configured automatically.

We leveraged the FortiClientEMS management of FortiClient to configure the application firewall and schedule vulnerability scans. FortiClient is also able to provide Antivirus for the endpoints, however we selected to use Windows Defender. We enabled compliance enforcement on the Fortigate and configured it to check for the Windows Defender definitions, this was due to limited integration with the Windows native Antivirus status reporting (now resolved in a subsequent update).

User Experience

The end-user experience with FortiClient and FortiClientEMS was extremely good, with stability of the VPN and ease of use being some of the most regular feedback we received. The VPN was configured to use device based certificates as well as the users AD credentials to provide additional security. By using the FortiClient auto-connect feature, users were automatically connected to the VPN when going ‘OffNet’ which worked seamlessly and was very well received.