FortiClient EMS VPN before logon doesn't show

VPN
1

Hey guys,

TL;DR at the end.

I’m pretty much at my wits end. We recently deployed a Fortigate cluster to replace some old stuff and get MFA for SSL VPN via Entra ID set up.

There was of course research and planning involved, so Fortinet EMS as cloud version was licensed.

These past days I tried setting it all up, once I’m logged into windows everything works perfectly fine… but connecting the VPN before logging into Windows, something we’d like to do for several reasons (mainly Kerberos since gpos will be phased out in favor of autopilot) just won’t work.

I tried FCT 7.0.9 and even 7.2.2 on Windows 10 and 11 on-prem AD joined, autopilot joined and even fresh out of the box as stand-alone. I did install via msi + mst. Enable vpn before logon is enabled in the EMS profile and the correct profile was deployed and is applied.

But none of those 6 machines allows me to connect to vpn before signing into windows. I don’t even get the “sign in options”… I looked at any documentation I could find and read several threads in this sub. It seems EMS should be the solution, but it just won’t work for me.

I have opened a ticket with Fortinet since it won’t even work on an untouched device fresh from the manufacturer, but maybe someone on here has some hints?

TL;DR:

-FortiClient EMS cloud licensed

-“enable vpn before login” in EMS portal is set and applied

-“sign in options” not available on several different W10/W11 devices

-don’t know what else to do

Thanks!

(the formatting options on mobile don’t like me)

2

Two things:

  1. Make sure that the regular show_vpn_before_logonoption is actually in the XML
  2. In the XML try to enable the use_legacy_vpn_before_logonoption.
3

Just found some info in another thread and installed 7.0.3… and it worked immediately. That’s… annoying.

4

saml auth not supported for vpn before logon

5

SAML login? What OS version is the FortiGate running? There’s a new feature on FortiOS 7.2 that would allow for it but not on prior.

6

Same issue here. FortiEMS version 7.0.9 and FortClient version 7.0.9. SAML Login.

FortiGate running 6.4.13.

FortiNet TAC has told us it will be resolved in 7.0.10 which will be released in a couple of hours.

Let’s see tomorrow if it works…

BTW

We use these settings and they should work according to FortiNet TAC:

show_vpn_before_logon is enabled.

use_legacy_vpn_before_logon is disabled.

7

7.0.10 just got released. Let’s see if it works now. Or if something else breaks…

8
  1. Is in the xml.
  2. Didn’t change anything, even after reinstall.
9

what was it lol;

for time travelleres, so yeah 7.0.13 is fucked, dropped external browser saml and went down to 7.0.3 that works as expected, saml on desktop but normal SBL on login screen. with that should be officially supported for ems 7.2.x. also no clue how fortinet plans on implementing saml on sbl, probably a pipe dream.

10

Yes, SAML and FortiOS 7.0.13. But from my understanding that shouldn’t influence whether the vpn shows up before logon or not?

11

If you want to use Start Before Logon with SAML you have to wait for FortiClient 7.4.0. It not’s supported yet unfortunately.

12

Sadly no new version available for me. Did you make any progress?

I just got it working with version 7.0.3 but after updating to 7.0.9 it disappeared. Now I’m waiting for a new version as well…

13

Doesn’t work for me, how about you?

14

Not really. When I create a custom/personal connection on the PC it shows up. But not my other profiles.

All my production profiles use SAML. Could it be that authentication methods not supported are not showing up at the Windows login screen? I could see them when we used 6.4.9 but not in 7.0.

15

Our vpn interface has a few local users configured besides the saml-group. Vpn before logon works for those, but as another commenter hinted, you can only do saml on logon on fortiOS 7.2, but not before. Still, the pre-logon vpn is present on 7.0.3 but disappears on 7.0.10.

I guess we’ll have to live with that for now. Not perfect, but not the worst either.

16

7.2

So you mean if I use FortiOS 7.2 and FortiClient 7.0.10, SBL will work with SAML?

17

According to this, since 7.0.7, although I wouldn’t consider it SBL, more like SOL?

Once 7.2.1+ becomes mature, I’ll give it a try. For now, manually establishing the vpn after logon works fine for us, since the devices are AAD only joined and receive the Kerberos ticket pretty much as soon as the user connects to vpn.

18

When testing 7.0.10 I noticed that FortiClient automatically logs me in when I click SAML login. It doesn’t ask for password or MFA?

Does the same happen to you?

19

That already worked on 7.0.3 if you checked the “keep me signed in” box. The frequency of MFA challenges needs to be configured through conditional access policies in Entra.