VPN with EMS installation and setup



Installing the FortiClient on your Windows operating system, connected to the EMS system

The FortiClient EMS installer will be provided to you by the Servers Australia team within your provisioning case. Once you have received your FortiClient installer, you can proceed with the following steps:

  1. Navigate to the installer file, and double-click it to start the installation process.

  2. Accept the license agreement and click “Next”.

  3. Select your installation directory, or leave this as default, and click “Next”.

  4. Click “Install” to proceed.

  5. Once the installation is completed, click “Finish”.

Connecting your FortiClient to EMS

When you open the FortiClient program, you will see that it is showing as an “UNLICENSED” version:

To resolve this, you will need to connect to an EMS via the “ZERO TRUST TELEMETRY” tab.

  1. Refer to the created case by our Provisioning Team for access to your invitation code. This will be accessible as a case within the MySAU portal.

  2. Once your invitation code has been entered, click the “Connect” button.

  3. You will now see that the FortiClient is showing as connected, and “Centrally Managed by EMS”.

Configuring your FortiClient

After your installation is completed, we will need to set up the FortiClient to use the correct settings.

  1. Open FortiClient by double-clicking the icon in your system tray.

  2. When the GUI opens, select “Add New VPN”.

Connection configuration

A configuration box will open once you complete the previous step.
Enter your configuration here:

  • Connection Name: This is purely cosmetic and can be anything you choose.

  • Remote Gateway: This will, in most circumstances (unless there is some special configuration), be the public IP of your FortiGate firewall.

  • Authentication Method: Leave this as “Pre-shared key” and paste the PSK (pre-shared key) into the field below the drop-down box. The PSK would have been put in place when the IPsec configuration was actioned.

  • Authentication: This can be set to “Prompt on login” or “Save Login”, depending on your use case.

    An example of this first section is below, with the IP redacted for reference:

VPN Settings

We now move on to the VPN settings section, where we only need to make two changes:

  1. Set this connection to use “IPsec over TCP”.

  2. Change the “IKE TCP Port” to 4500.

Refer to the screenshot below to see how yours should look:


Phase 1

For the Phase 1 settings, make the following changes:

  1. On the first IKE proposal, we want to change the “Authentication” to match what was configured on the FortiGate firewall during setup; in this case, it is SHA256.

  2. Ensure that the DH group is correct. This would have been configured in your original FortiGate firewall configuration. In this example, DH Group 32 is selected.

Phase 2

For the Phase 2 settings, make the following changes:

  1. Set the first “Authentication” drop-down to match what was configured on the FortiGate firewall during setup. In this example, it is SHA256.

  2. Ensure that the correct DH group has been selected to match what was configured on the FortiGate firewall during setup. In this example, DH Group 32 is selected.

Press “Save” when your configuration matches the screenshot.


Connecting to your VPN

Now that the VPN tunnel has been configured on the FortiClient endpoint, we can connect by clicking the associated “Connect” button.
You will be prompted for the Username and Password of the FortiGate user you created during the IPsec configuration on the FortiGate firewall.

If all prior steps were followed correctly, you will now be connected to your IPsec tunnel.

NOTE: There is a quirk with the FortiClient software, where you need to first connect and then disconnect from the tunnel before several ease-of-use features become available.

Once you have connected and subsequently disconnected, you can toggle the three highlighted features to fit your use case.