Offline FortiClientVPN

Unfortunately, Fortigate only provides online installers for their VPN clients. This sucks badly because most of the time their download servers are overloaded and downloading within the online installer takes way too much time.

So here is how you can extract the offline installer from the online installer once it has downloaded it for the first time.

For macOS users:

  • Download the online installer from https://www.forticlient.com/downloads
  • Start the online installer and let it finish the download
  • Then open your terminal while the installer is open and type:
    open $TMPDIR/fctupdate
  • Copy FortiClient.dmg to your desktop
  • Proceed with the installation

For Windows users:

  • Download the online installer from https://www.forticlient.com/downloads
  • Start the online installer and let it finish the download
  • Then open PowerShell while the installer is open and type:
    explorer $env:TEMP
  • Copy FortiClientVPN.exe to your desktop
  • Proceed with the installation

So basically, the online installer saves an offline version in your user's temp folder, and you need to copy that to another location.

SSLVPN not working in FortiOS 6

After upgrading from FortiOS 5 to FortiOS 6, access for SSLVPN users stopped working. Local users still worked, but LDAP users could not authenticate using LDAPS or STARTTLS. When trying to log in to the web portal, the message “Permission denied” was displayed, and the firewall VPN events showed the following error: “sslvpn_login_unknown_user”.

Well, apparently Fortinet changed the minimum SSL protocol version used while authenticating to the AD to TLSv1.2. Unfortunately, the AD server in use did not support it; TLSv1 was the highest version available. The fix is quite simple:

Open the terminal in the web UI (top right >_ icon) and use the following commands:

# config user ldap
# show
# edit "My LDAP server name got from show command"
# set ssl-min-proto-version TLSv1
# end

That’s it. SSLVPN was working normally afterwards. You could also use other protocol versions, such as SSLv2, SSLv3, TLSv1, TLSv1-1 and TLSv1-2.
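
Before lowering ssl-min-proto-version, it helps to know which versions the LDAP server really accepts, so the setting is no lower than it has to be. The following is an added example, not part of the original post and not Fortinet code: a Python probe that pins one TLS version per LDAPS handshake. The host name dc.example.test, port 636 and the function names are assumptions, and it covers LDAPS only, not STARTTLS.

```python
import socket
import ssl
import sys

# FortiOS option names from the page, oldest first, mapped to Python's constants.
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1-1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1-2", ssl.TLSVersion.TLSv1_2),
]


def try_handshake(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol support is being tested,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let local OpenSSL offer TLSv1/1.1
    ctx.minimum_version = version    # ValueError here means the local OpenSSL
    ctx.maximum_version = version    # build cannot speak this version at all
    # A TCP failure propagates: "unreachable" must not read as "unsupported".
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except OSError:  # ssl.SSLError, reset or timeout during the handshake
            return False


def probe(host, port=636, handshake=try_handshake):
    """Map each option name to whether the server accepted that version."""
    return {name: handshake(host, port, ver) for name, ver in VERSIONS}


def strictest_minimum(results):
    """Highest accepted version: the tightest ssl-min-proto-version that works."""
    accepted = [name for name, _ in VERSIONS if results.get(name)]
    return accepted[-1] if accepted else None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dc.example.test"  # placeholder
    results = probe(host)
    for name, ok in results.items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}")
    best = strictest_minimum(results)
    print(f"set ssl-min-proto-version {best}" if best else "no TLS version accepted")
```

For a server like the one described above, only TLSv1 is reported as accepted, so TLSv1 is the value to set. Once the AD server gains TLSv1.2 support, the probe shows that the setting can be raised again.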