I want VPN before logon as an option for our Fortinet. But a vendor quoted me FortiClient VPN/ZTNA Agent Subscription for 25 end users at $2,458.83. Is this in the ballpark? I literally only want the logon-before-VPN function.
Using SSL VPN currently.
Pre-logon VPN is not supported in the free client, I believe. You would need to use FortiClient with FortiClient-EMS to achieve this.
In terms of FortiClient-EMS, your pricing depends whether you’ve been quoted licensing for running it on the Fortinet cloud (FortiClient-EMS Cloud) or on-premises (FortiClient-EMS). The cost for the latter is far less than the former, given you’re not paying for hosting/compute.
(Where “DD” is replaced by the license term in months)
In terms of licensing tiers, VPN/ZTNA is cheapest. EPP/APT is the tier above it. You likely want the former.
Ref: FortiClient Ordering Guide.
As a bonus, it will make your life far easier in terms of centralised VPN tunnel management and upgrading FortiClient on endpoints. You get vulnerability reporting and web-filtering on endpoints, easier integration of logging into FortiAnalyzer, and you are in a better place to migrate to ZTNA as a replacement for SSL VPN should you wish.
I'm sure that you need an EMS subscription, but I don't know if there's an option without other stuff like ZTNA.
2.5k for 25 users? How many years?
25-user on-prem EMS SKU, 1-year contract, is ~$320 (list).
25-user Cloud EMS SKU, 1-year contract, is ~$770 (list).
Crunching the numbers, it looks like you're going for a 3-year contract with a Cloud EMS subscription.
If you want to get the price down, go for the on-prem version, which will be half the price.
We are using Windows Always On VPN terminating on our FortiGate. It works quite well and is free.
I know this is not exactly what you're looking for, but we had the same problem with a lot of customers that only needed pre-logon VPN, and Fortinet let us down by not providing that function without EMS.
We deploy IPsec leveraging the Windows native VPN client a lot now. You can either do EAP-MSCHAPv2 against local users on the FGT or go EAP-TLS with user certificates (the latter needs a RADIUS server though).
The native VPN client can do pre-logon VPN without issues.
There are KB / Docs articles about the EAP-TLS one if you want.
I will add: if you have public/private cloud (on-premises compute) and can run a VM to support it, FortiClient-EMS v7.4 is now packaged so that it runs on Ubuntu, and it is also supplied as a VM image you can deploy pre-built via OVA.
Previously you had to run EMS on Windows, so OS licensing needed to be factored in. Not to mention the fact that Windows VMs tend to be heavier on resources, patching effort, etc. than headless *nix VMs are.
Ref: Installing FortiClient EMS 7.4 | FortiClient 7.4.0 | Fortinet Document Library
Is there really any benefit to CloudEMS when you have a static IP and redundant connections to on-prem EMS?
Second this.
It doesn’t have to be Forti everything.
IPsec? With what auth?
Can't wait to migrate ours to Linux. Need to get the clients up to a manageable version first, though.
It's mostly the habits and vision that the organization follows. Some are more cloud oriented, others are more locked into on-prem. Say, some gov. orgs don't even consider any cloud, etc.
E.g. in your case, price is probably an argument to go on-prem to keep the cost down.
Feature-wise, according to the docs, both are identical. The only feature that is sometimes used and differs: Cloud EMS doesn't have EMS native multi-tenancy (MT is done using FortiCloud OUs). Realistically, an ordinary customer never uses multi-tenancy.
Not needing to expose your EMS instance to the general Internet is a factor for some companies. Even geo-blocking can introduce risk if you're in an overly large geographic area, accounting for the fact that there's a near-zero chance ALL users will have a static IP.
Not needing to maintain your own VM infrastructure is another draw for some companies too. I can name more than a few that only consume SaaS and have no IaaS or similar that would facilitate a self-hosted VM.
By the time you cost in a yearly VM in Azure, with backups (and especially redundancy if you need it), that FortiClient-EMS Cloud offering suddenly doesn't seem terribly priced. Granted, if they're the type of org that has idle silicon and spinning rust on-premises to support it, that point is generally moot.
IKEv2 with certificates for before login, and RADIUS plus certificates after login.
So your devices are AD joined/hybrid but not Entra?
They are hybrid joined. But it doesn't really matter; all you need is a PKI infrastructure and a RADIUS server that talks to a directory.
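The two-tunnel design described in this reply and in the earlier IPsec reply (machine certificate for the pre-logon tunnel, user authentication once someone is signed in), written out as an added example of provisioning the Windows native client with PowerShell. This is not code from the thread or from Fortinet; the server name vpn.example.com, the connection names, the proposal values and the assumption that the FortiGate's IKEv2 phase-1/phase-2 settings have been configured to match are all mine. The user tunnel uses EAP-MSCHAPv2 (the "local users on the FGT" option); swapping in EAP-TLS only changes the EAP configuration XML, which is not shown here.

```powershell
# Added example: provision a pre-logon IKEv2 device tunnel and a per-user
# IKEv2/EAP tunnel to a FortiGate using only the built-in Windows VPN client.
# Assumed values (not from the thread): vpn.example.com, connection names,
# and that the FortiGate side is already configured with matching proposals.
# Run elevated; the all-user phonebook needs administrator rights.

$VpnServer = 'vpn.example.com'   # assumed FortiGate public FQDN

# Pre-logon needs a machine certificate with the clientAuth EKU and a private
# key in the local machine store; check that before creating the tunnel.
function Get-DeviceTunnelCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 1. Device tunnel: IKEv2 + machine certificate, stored in the all-user
#    phonebook so it exists (and can be dialled) before any user signs in.
function New-DeviceTunnel {
    if (-not (Get-DeviceTunnelCertificate)) {
        throw 'No machine certificate with clientAuth EKU found; enrol one first.'
    }
    $params = @{
        Name                        = 'Corp Device Tunnel'
        ServerAddress               = $VpnServer
        TunnelType                  = 'Ikev2'
        AuthenticationMethod        = 'MachineCertificate'
        MachineCertificateEKUFilter = '1.3.6.1.5.5.7.3.2'   # clientAuth
        AllUserConnection           = $true
        SplitTunneling              = $true                 # assumption: only corp routes
        Force                       = $true
    }
    Add-VpnConnection @params
    Set-TunnelCrypto -Name 'Corp Device Tunnel' -AllUser
}

# 2. User tunnel: IKEv2 + EAP-MSCHAPv2 against users defined on the FGT
#    (or on a RADIUS server behind it). EAP type 26 is MS-CHAPv2.
[xml]$EapMsChapV2 = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
'@

function New-UserTunnel {
    $params = @{
        Name                 = 'Corp User Tunnel'
        ServerAddress        = $VpnServer
        TunnelType           = 'Ikev2'
        AuthenticationMethod = 'Eap'
        EapConfigXmlStream   = $EapMsChapV2
        RememberCredential   = $false
        Force                = $true
    }
    Add-VpnConnection @params
    Set-TunnelCrypto -Name 'Corp User Tunnel'
}

# Windows' IKEv2 defaults are weak (DH group 2, 3DES); pin a modern proposal.
# The FortiGate phase1/phase2 must offer the same algorithms (assumption).
function Set-TunnelCrypto {
    param([string]$Name, [switch]$AllUser)
    $crypto = @{
        ConnectionName                   = $Name
        AuthenticationTransformConstants = 'SHA256128'
        CipherTransformConstants         = 'AES256'
        EncryptionMethod                 = 'AES256'
        IntegrityCheckMethod             = 'SHA256'
        DHGroup                          = 'Group14'
        PfsGroup                         = 'PFS2048'
        Force                            = $true
    }
    if ($AllUser) { $crypto.AllUserConnection = $true }
    Set-VpnConnectionIPsecConfiguration @crypto
}

# Verify what was provisioned; the device tunnel must live in the all-user store.
function Test-TunnelProvisioned {
    param([string]$Name, [switch]$AllUser)
    $c = if ($AllUser) { Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue }
         else          { Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue }
    return ($null -ne $c -and $c.TunnelType -eq 'Ikev2')
}

New-DeviceTunnel
New-UserTunnel
Test-TunnelProvisioned -Name 'Corp Device Tunnel' -AllUser
Test-TunnelProvisioned -Name 'Corp User Tunnel'
```

The design choice worth noting is the split between the two phonebooks: a connection created without `-AllUserConnection` lives in the signed-in user's profile and cannot be dialled from the logon screen, which is exactly why the pre-logon tunnel uses machine-certificate authentication and the all-user store. Also, when the EAP-TLS variant is used instead, the authenticator is no longer the FortiGate's local user list but the RADIUS server the reply mentions, so the RADIUS and PKI pieces have to be in place before the user tunnel is rolled out.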