Roaming clients (multiple redundant gateways)
The following figure illustrates three corporate FortiGate networks. The FortiGate devices can reach each other over a WAN network. FortiClient can only reach one FortiGate at a time. FortiClient may connect directly to the FortiGate or through a NAT device.
If FortiClient connects through a NAT device to the FortiGate, do not enforce endpoint control compliance on the FortiGate.
On each of the three FortiGate devices configure the following:
- Interface IP addresses
- FortiClient profile
- Device identification in the interface
- FortiClient profile in the applicable firewall policy
- Endpoint control synchronization
Endpoint control synchronization allows you to synchronize endpoint control for multiple FortiGate devices. To enable endpoint control synchronization via the CLI, enter the following commands on your FortiGate:
config endpoint-control forticlient-registration-sync
    edit 1
        set peer-ip 172.20.52.19
    next
    edit 2
        set peer-ip 172.22.53.29
    next
end
The IP addresses set for the peer-ip field are the WAN IP addresses for each of the FortiGate devices in the synchronization group.
Add the following XML configuration to the FortiClient configuration file for this synchronization group:
<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
The IP addresses are the internal IP addresses for each of the three FortiGates in the synchronization group. FortiClient can reach any of these IPs, one at a time.
If the three FortiGate devices share the same DNS name, use the following XML configuration:
<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Fortinet Americas</name>
        <addresses>fct_americas.fortinet.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
The DNS server should return one reachable FortiGate IP address for the domain name used.
You will need to manually add FortiClient to the synchronization group when FortiClient initially connects with the FortiGate. Once added, no further action is required.
On your FortiGate, use the following CLI command to list all connected FortiClient endpoints:
diagnose endpoint registration list registered-forticlients
FortiClient #1 (0):
    UID = BE6B76C509DB4CF3A8CB942AED200000
    vdom = root
    status = registered
    registering time = Fri May 2 15:00:07 2014
    registration expiry time = none
    source IP = 172.172.172.111
    source MAC = b0:ac:6f:70:e0:a0
    user = user
    host OS = Microsoft Windows 7 , 64-bit
    restored registration = no
    remote registration = yes
    registration FGT = FGT60C3G11000000
Total number of licences: 10
Total number of granted licenses: 1
Total number of available licences: 9
The remote registration entry indicates whether this specific FortiClient is connected to this FortiGate, or to another FortiGate within the synchronization group.
If any of the FortiGate devices requires a password to complete the connection, use the following XML configuration to provide the password to FortiClient:
<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
        <registration_password>uNbre@kab1e</registration_password>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
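The three XML fragments above (IP address list, DNS name, and password variant) share one format: a gateway name, a ';'-separated address list that FortiClient tries one entry at a time, and an optional registration password. The following Python is an added example, not FortiClient or Fortinet code, that parses such a fragment, classifies each address as an IP literal or DNS name, and reports entries an administrator should review before rolling the file out; the sample XML and the helper names are constructed here.

```python
# Added example (not Fortinet code): parse a FortiClient <fortigates> fragment.
import ipaddress
import re
import xml.etree.ElementTree as ET

# Hostname labels; underscore allowed because this page's DNS example uses one.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9_-]{1,63}(?<!-))*$")
# Constructed sample with the same layout as the fragments shown on this page.
SAMPLE_XML = """<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
        <registration_password>uNbre@kab1e</registration_password>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>"""


def _addresses(fgt):
    """Split the ';'-separated list that FortiClient tries one gateway at a time."""
    return [a.strip() for a in (fgt.findtext("addresses") or "").split(";") if a.strip()]


def parse_gateways(xml_text):
    """Return {gateway name: [address, ...]} for every <fortigate> entry."""
    root = ET.fromstring(xml_text)
    return {(f.findtext("name") or "").strip(): _addresses(f) for f in root.iter("fortigate")}


def classify(address):
    """'ip' for an IPv4/IPv6 literal, 'dns' for a hostname, 'invalid' otherwise."""
    try:
        ipaddress.ip_address(address)
        return "ip"
    except ValueError:
        return "dns" if _HOSTNAME_RE.match(address) else "invalid"


def audit(xml_text):
    """(name, finding) pairs: empty/malformed address lists and plaintext passwords."""
    findings = []
    for fgt in ET.fromstring(xml_text).iter("fortigate"):
        name, addrs = (fgt.findtext("name") or "").strip(), _addresses(fgt)
        if not addrs:
            findings.append((name, "no addresses"))
        findings += [(name, f"invalid address {a!r}") for a in addrs if classify(a) == "invalid"]
        if fgt.findtext("registration_password"):
            findings.append((name, "registration password stored in plaintext"))
    return findings
```

The plaintext-password finding only records what the file contains; it is there so the file's handling (permissions, distribution) can be checked against that fact.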