FortiGate
keithli_FTNT
Staff
Article Id 190855

Description

When FortiClient Enforcement is configured on an interface in FortiOS 5.4, or within a firewall policy in 5.2, devices and destinations that are not on the exempt list require FortiClient to be installed before network access can continue. Clients that do not have FortiClient installed are presented with this default Portal* in their browsers:

 

FCTEnforce-Download.jpg


The download link is by default configured to the FortiGuard server. The setting can be found under:
 
config endpoint-control settings
    set download-location fortiguard
end
 
*(Note that this is a per-vdom setting)
 
 
 
The download-location can be changed to “custom” and a custom URL provided if another location is desirable.


Typically, the download will only retrieve the FortiClient Installer. The rest of the installation files must be downloaded when the installer is run. These files are downloaded from myforticlient.fortinet.net.
 
 
 
While other sites are blocked when FortiClient is not installed, the FortiGate has a mechanism to allow downloads from myforticlient.fortinet.net by storing the resolved addresses on the FortiGate.
 
 
 
If the FortiGate uses a different DNS server than the client’s, there is a chance that the resolved addresses do not match and subsequently the client is unable to download the installation files from myforticlient.fortinet.net.
 
 
 
To resolve, either:

 
  1. Ensure that the same DNS is used on the client PC and the FortiGate, OR
  2. Host the full installer on an internal host, and provide the download URL as the custom download location

 

*Modifying the Portal:

 

 

 

To change the Portal page, go to System -> Replacement Messages and switch to Extended View. Under the Endpoint Control section, choose the corresponding device and edit the Portal HTML.
FCTEnforce-CaptivePortal.JPG

 

 

 
