Forticlient SSLVPN is there a better solution?

Our FortiClient subscription is running out and I’m considering whether there are better solutions.
I like the idea of the EMS, but it’s well known that EMS and FortiClient aren’t Fortinet’s best products.

We had a lot of issues with FortiClient over the last years; it’s super slow and updates are an absolute pain for remote users.

Does anybody have a better and manageable solution for client vpn?

Just in short: we use the Forticlient from the Windows Store and a pushed config to the clients for the native Windows 10 VPN settings. Works like a charm for around 500 clients. All done via software deployment.

I just wish they would just get rid of that dumb “free version banner” within the FortiClientVPN. This information for the end user is pointless and just annoying as they will never be upgrading to the “full version” on their own. If you want to keep it in the about page then fine.

I mean EMS is so much more than just VPN. I really like the idea of telemetry and ZTA, vulnerability scanning, ZTNA and web filtering when working remotely, so without attacking someone here… if you are only using EMS for VPN then you are missing the point.

Have a great weekend folks

As someone said, Fortinet revised their licensing now where you can just get the VPN with EMS. Our part number was FC1-10-EMS05-428-01-12. That’s 1yr, 50 clients.

EMS works well. What sucks is the client’s speed. I have people getting 1/3 of your usable ISP bandwidth. Haven’t found a solution why.

BTW, we switched from AnyConnect because we changed to Fortigate firewalls. AC was really good. Didn’t want to pay the $$ for new Ciscos.

We build Forti sslvpn and Cisco AnyConnect. The Cisco solution causes far fewer problems and calls to help desk.

OP, I was under the impression that you can only have a subscription for FortiClient if you had an EMS license. When you say your FortiClient subscription is running out, does that mean that you had a subscription for VPN only?

I use the native Windows 10-11 VPN client in IPsec VPN mode, and authenticate on AD with the Radius Service.

erm, your VPN will still work without the subscription

For Linux/Mac I think OpenForti is a better option so far in our environment.

Could you elaborate on the “for the native Windows 10 VPN settings”? Possibly drop a link?

Wondering if you considered using the native Windows 10 VPN client only (thus L2TP over IPSec) as opposed to the FortiClient Windows Store app?

u/uneinverleibbar: does this use DTLS option?

Is your default SSL VPN port 1723 (seems like this is the default the VPN uses) in that case or are you port forwarding it?

I can’t seem to find out how you can change the port in the Windows 10/11 VPN settings.

Edit: Nvm, I figured it out. The server address has to look something like this:

https://[servername]:[portnumber]

or if you want to ignore invalid/missing certificate:

https://[servername]:[portnumber]?ice=1

Although I’m having difficulties with it saving the credentials and also being able to connect through the action center and not only when I click connect in the settings… Any ideas?

You got me feeling like a user withholding half the info. We also have Defender for Endpoint, so vulnerability scan and webfilter would be covered. ZTNA isn’t used, so the only thing I would really miss is the VPN client and its config management.

Try turning on ‘Preferred DTLS tunnel’ in the client settings. It makes a huge difference to speed and is off by default.

Cisco AnyConnect is great and one of the best out there. The downside is you need a Cisco Firepower/Cisco Secure Firewall appliance (or VM) running ASA firmware to use it - the AnyConnect implementation in Meraki MX is a feature deficient joke in comparison.

The reason it’s an issue is Cisco forces their Smart License program on everything, and Smart Licensing really is a PITA to work with.

Can you elaborate on the MS Always On VPN? Is this for Azure and Azure joined devices or could work on prem as well?

Sorry wasn’t concrete about our license. No we have the licence with EMS, AV, Webfilter… also used it as our AV but our last Pentest showed the bad detection rate. Now it’s primarily used for vpn.

EMS gives you the bells and whistles. You can still use forticlient (vpn only version) without a license