Hello, I am connecting to a customer’s server with FortiClient VPN Only (Free). However, the connection drops every 8 hours. The auto connect and always up buttons are also disabled. How can I solve this? Is there a method without the FortiClient app? With a different VPN client or RRAS?
Edit: I didn’t explain the problem properly. I have more than one customer using FortiGate and I need to be connected to these customers’ servers at the same time. What should I do in this situation? Is there a VPN client other than FortiClient that allows multiple sessions at the same time and can connect to Fortinet SSL VPN? If not, how can I perform IPsec on a server that uses FortiGate VPN from a server that does not use any extra firewall? My server company says that it is a common firewall and IPsec cannot be set on it. Is there a software solution to IPsec that I can only use on a Windows server?
FortiClient can only initiate a single VPN connection at a time.
An appropriate solution for your situation is site-to-site IPsec VPN from your local firewall to multiple customers. Then you can connect to multiple customers at the same time.
FortiClient is not the right solution for you when trying to manage multiple networks like this at the same time. What exactly do you need to do on the customer servers?
Any linking of your network and other customer networks is a seriously bad idea and a recipe for disaster.
You need firewall security and IPsec tunnels from a highly restricted management network. Customer-side controls as well.
You have multiple problems pointing to “it can’t be done / it absolutely shouldn’t be done”.
A FortiGate can absolutely do IPsec, as can FortiClient. But it still doesn’t solve your problem because it’s still one-at-a-time tunnels.
Even if the client could connect to multiple firewalls, how would you deal with full tunnels without split tunnel on the headend? Multiple default gateways force all the server’s traffic to a single client (usually the first one that’s connected, I imagine, but maybe it’s the last one, or round-robin ECMP — same as if you accidentally assign a default gateway on multiple NICs on a server). That means that IPsec tunnel #2 would be routing and originate from IPsec tunnel #1’s public IP. Now you’re daisy-chaining all your customer networks together. BAD!
Address overlap. And where is 10.1.1.1? It can exist at 1/3 of your customers. Almost all of my customers have the same / similar IP scheme if we get the chance to re-architect things because we’re building a new micro-segmentation scheme when we switch out a firewall at a place that came to us with a flat-ish network for example or just a mess of an IP scheme.
10.{BranchID}.{subnetID}.0/16 lives at almost every customer as their main site {siteID} with subnets {subnetID} below that. Your server won’t know the difference between 10.1.1.5 server at CustomerA and 10.1.1.5 server at CustomerB or the multifunction printer 10.1.1.5 at CustomerF.
The risk of cross-pollination of a threat. Your server gets compromised by a hacker in CustomerA, and is now a pivot point into every single one of your customers, because it has access to them all, simultaneously. You just became Patient 0 in all hacks but the first, due to your lack of protection and isolation / protection of your service to Customer[B-Z]. Hopefully you only have 26 customers, so you’re only sued for damages 25 times. If you’re lucky it’s only $1M per lawsuit for damages to reputation, recovery, lost wages / productivity as the customer pays every employee on the floor to stand around and “do nothing” because the systems are down. Think back to yesterday — how many employees around the world did nothing because CrowdStrike took their systems offline? How much $$ are airlines out — refunded tickets, employees grounded and left in hotels when they were supposed to be on a leg that’d take them home, and customers pissed off because their flights got cancelled? Those customers may never come back to that airline, and are collecting on the “compensation policy”. How much ad revenue is Times Square out, because the screens went blank and didn’t display ads to the millions of people walking by? I’ve had customers that knew their “number” — one example was downtime = $50,000 every 30 minutes — and they’re a relatively small insurance company.
To your original question about the 8-hour disconnect — set auth-timeout in global settings defaults to 8 hours, meaning any authenticated connection (including a dialup VPN tunnel like SSL VPN or IPsec client VPN) will de-authenticate and require re-authentication (meaning the tunnel goes down because the connection is dropped and has to be re-established) after 8 hours. You can set this higher (I think the max is a week), or set it to zero and it never times out (though please think this through; it’s a customer FortiGate setting, not your end, and a global setting — so there are impacts to their infrastructure if you do this).
I know that there are older versions of FortiClient that have the auto connect and always up options enabled. The newer versions require a subscription for it. I want to say version 6 is the one you want.
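As an added illustration (not part of any comment in this thread): on a FortiGate, the authentication timer that an SSL VPN session from FortiClient is subject to lives under `config vpn ssl settings`, and its FortiOS default of 28800 seconds is the 8 hours the original poster observes. This assumes the original poster connects in SSL VPN mode (FortiClient VPN Only also does IPsec, which this snippet does not cover). It shows how the value would be reviewed and, only with the customer's agreement, raised on the customer's FortiGate; the 43200 figure is a placeholder, and lines starting with `#` are annotations.

```fortios
# Read the current value first. Run on the customer's FortiGate, in the VDOM
# that terminates the SSL VPN.
show full-configuration vpn ssl settings | grep -i timeout

# auth-timeout is in seconds: 28800 = 8 hours is the FortiOS default and is
# the timer behind the drop described in this thread. idle-timeout is the
# separate inactivity timer, also in seconds.
config vpn ssl settings
    set auth-timeout 28800
    set idle-timeout 300
end

# A longer session that still forces re-authentication (placeholder value,
# 12 hours). Keeping a finite value preserves the periodic re-auth that
# limits how long a stolen or abandoned session stays usable.
config vpn ssl settings
    set auth-timeout 43200
end

# Reconnect and confirm the session is listed.
get vpn ssl monitor
```

The change is global to SSL VPN on that FortiGate, so it applies to every remote user of that customer, not just the original poster's account; that is why it belongs in a change request to the customer rather than a quiet tweak.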
The only thing I can think of that might be able to help your issue with connecting to servers at multiple client sites through multiple FortiGates would be to set up ZTNA connections (paid FortiClient) so you only get access to the individual servers at each location. But that is probably not the best option.
You should not be using a VPN to connect to multiple clients. You certainly shouldn’t be using site-to-site as others have suggested. The exposure and risk is simply too high. There is no reason to be on a VPN.
What is your RMM? This is how you should be dealing with this. You’re solving the wrong problem.
Sounds like you’re running/working for an MSP? For your safety and the safety of your customers I would strongly encourage you to never connect your customers’ networks together in any way, shape or form. First, you could be breaching privacy or other laws, and second, you do not know if there is a virus or hacker already in one of those networks and you’re about to open the gates for them. If you really need to do this, put a FortiGate in your network with VDOMs for each customer and an IPsec tunnel to their network; then you can have proper firewall policies to make sure only what you need passes, and nothing ever passes between customer networks.
For MSPs, if you want to scale out like this, I say use IPsec VPN to build tunnels to each customer, then have a centralised jumpbox(es) for yourselves.
Use FAC to 2FA your admins, and associate each customer with a group, and support staff needing access to customer x/y with said groups for granularity and RBAC. You can also bring FAZ/FMG/logging connectivity and TACACS for their devices, etc. back over the same links for centralised management, etc.
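As an added example (not the words or configuration of any commenter), this is what the per-customer isolation proposed in the last two comments looks like in FortiOS CLI on the MSP-side FortiGate, and it also addresses the address-overlap problem raised earlier in the thread: each customer gets its own VDOM (so a 10.1.0.0/16 at customer B sits in a separate routing table), the VDOM holds that customer's IPsec tunnel and a static route, and a single firewall policy lets one jump host reach one named server over one service. All names, addresses and prefixes are placeholders (`cust-a`, `wan-a`, `mgmt-a`, `192.0.2.0/24` for the jump-host network, `203.0.113.10` for the customer's public IP); how the VDOM's internet-facing and management-side interfaces are provided (VLAN, physical port or inter-VDOM link) is left out, as is the FAC/2FA piece.

```fortios
# Everything below runs inside the VDOM dedicated to one customer.
config vdom
    edit cust-a
    # Phase 1: IKEv2 to the customer's FortiGate. The pre-shared key is a
    # placeholder and must be replaced before use.
    config vpn ipsec phase1-interface
        edit "to-cust-a"
            set interface "wan-a"
            set ike-version 2
            set peertype any
            set proposal aes256-sha256
            set dhgrp 14
            set remote-gw 203.0.113.10
            set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
        next
    end
    # Phase 2 selectors: only the jump-host network to this customer's range.
    config vpn ipsec phase2-interface
        edit "to-cust-a-p2"
            set phase1name "to-cust-a"
            set proposal aes256-sha256
            set dhgrp 14
            set src-subnet 192.0.2.0 255.255.255.0
            set dst-subnet 10.1.0.0 255.255.0.0
            set auto-negotiate enable
        next
    end
    # Route the customer's range into the tunnel interface. Because this
    # route lives in the cust-a VDOM, an identical 10.1.0.0/16 in another
    # customer's VDOM never collides with it.
    config router static
        edit 0
            set dst 10.1.0.0 255.255.0.0
            set device "to-cust-a"
        next
    end
    config firewall address
        edit "jumphost-a"
            set subnet 192.0.2.10 255.255.255.255
        next
        edit "cust-a-srv01"
            set subnet 10.1.1.5 255.255.255.255
        next
    end
    # The only policy into the tunnel: one source host, one destination
    # server, one service, fully logged. There is deliberately no policy
    # with srcintf "to-cust-a", so traffic initiated from the customer side
    # toward the MSP network is dropped by the implicit deny, and with one
    # VDOM per customer there is no interface over which customer A's
    # tunnel could ever reach customer B's.
    config firewall policy
        edit 0
            set name "jumphost-to-cust-a-srv01"
            set srcintf "mgmt-a"
            set dstintf "to-cust-a"
            set srcaddr "jumphost-a"
            set dstaddr "cust-a-srv01"
            set action accept
            set schedule "always"
            set service "RDP"
            set logtraffic all
        next
    end
    next
end
```

The design choice worth noting is that isolation comes from what is absent: no reverse policy, no policy between tunnels, and no shared routing table. Adding a second customer means cloning this VDOM with its own tunnel and its own single policy, not adding rules to a common one.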