Configuration Guide: Configuring FortiGate Agentless VPN and Deploying Through MDM Solutions

Introduction

In modern enterprise environments, providing secure remote access to corporate resources is essential. FortiGate firewalls offer robust VPN capabilities that can be deployed without dedicated VPN client software through agentless VPN configurations. When combined with Mobile Device Management (MDM) solutions such as VMware Workspace ONE and Microsoft Intune, organizations can automatically provision VPN configurations to user devices at scale, ensuring consistent security policies and a simplified end-user experience.

This guide walks through configuring FortiGate for agentless VPN access using built-in operating system VPN clients (IKEv2/IPsec) and deploying these configurations automatically through enterprise MDM platforms.

Understanding FortiGate Agentless VPN

Agentless VPN refers to VPN connectivity that leverages native VPN clients built into operating systems rather than requiring proprietary VPN client software. This approach offers several advantages:

Benefits of Agentless VPN:

  • No additional software installation or licensing costs
  • Reduced endpoint management overhead
  • Native OS integration for improved stability
  • Simplified user experience with OS-native interfaces
  • Support across multiple platforms (Windows, macOS, iOS, Android)

Key Protocol: IKEv2/IPsec is the preferred protocol for agentless VPN deployments due to its native support across all major operating systems, strong security, and automatic reconnection capabilities.

Prerequisites

Before beginning configuration, ensure you have:

  • FortiGate firewall running FortiOS 6.0 or later (FortiOS 7.0+ recommended)
  • Valid SSL certificates (self-signed or CA-issued)
  • Active RADIUS or LDAP authentication server (optional but recommended)

Part 1: FortiGate Configuration

Step 1: Configure User Authentication

For enterprise deployments, integrating FortiGate with your existing authentication infrastructure ensures centralized user management.

Configuring LDAP Authentication:

  1. Navigate to User & Authentication > LDAP Servers
  2. Click Create New
  3. Configure the following:
    • Name: Enter a descriptive name (e.g., “Corporate-AD”)
    • Server Name/IP: Enter your LDAP/AD server address
    • Server Port: 389 for LDAP, 636 for LDAPS
    • Common Name Identifier: cn (for Active Directory)
    • Distinguished Name: Enter your domain DN (e.g., “DC=company,DC=com”)
    • Bind Type: Regular or Anonymous
    • Username/Password: Service account credentials if using Regular bind
  4. Click Test Connectivity
  5. Click OK to save

Configuring RADIUS Authentication:

  1. Navigate to User & Authentication > RADIUS Servers
  2. Click Create New to add a RADIUS server
  3. Configure the following parameters:
    • Name: Enter a descriptive name (e.g., “Corporate-RADIUS”)
    • Primary Server Name/IP: Enter your RADIUS server address
    • Primary Server Secret: Enter the shared secret
    • Authentication Method: Select appropriate method (PAP, CHAP, MS-CHAPv2)
    • NAS IP: Specify FortiGate’s interface IP facing the RADIUS server
  4. Click Test Connectivity to verify configuration
  5. Click OK to save

Step 2: Create User Groups

  1. Navigate to User & Authentication > User Groups
  2. Click Create New
  3. Configure:
    • Name: “VPN-Users”
    • Type: Firewall
    • Remote Groups: Add your RADIUS or LDAP server
    • Remote Server: Select previously configured authentication server
  4. If using LDAP, specify the remote group name matching your AD security group
  5. Click OK

Step 3: Configure VPN Portal Settings

VPN portals define the user experience and access parameters for VPN connections.

  1. Navigate to VPN > SSL-VPN Portals (Note: despite the menu location, these settings apply to IPsec VPN as well)
  2. Click Create New or edit the default “tunnel-access” portal
  3. Configure portal settings:
    • Portal Name: “AgentlessVPN-Portal”
    • Tunnel Mode: Enable
    • Split Tunneling: Enable (recommended for performance)
    • Split Tunneling Routing Address: Add internal network ranges requiring VPN access
    • DNS Server: Specify internal DNS servers
    • WINS Server: Configure if needed for legacy Windows environments
  4. Click OK to save

Step 4: Configure IPsec VPN Settings

Create Phase 1 (IKE) Configuration:

  1. Navigate to VPN > IPsec Wizard
  2. Select Custom and click Next
  3. Configure Phase 1 parameters:
    • Name: “AgentlessVPN-Phase1”
    • Template Type: Custom
    • Remote Gateway: Dialup User
    • Incoming Interface: Select WAN interface
    • IP Version: IPv4
    • IKE Version: 2
    • Authentication Method: Pre-shared Key or Certificate
    • Pre-shared Key: Enter a strong key (if using PSK)
    • Peer Options:
      • Local ID: Enter FortiGate’s external hostname or IP
      • Accept Peer ID: Any
    • Mode Config: Enable
    • IP Address Range: Define address pool for VPN clients (e.g., 10.10.10.100-10.10.10.200)
    • DNS Server: Internal DNS servers
  4. Configure Phase 1 Proposal:
    • Encryption: AES256-GCM, AES256
    • Authentication: SHA256, SHA512
    • Diffie-Hellman Group: 14, 15, 19, 20
    • Key Lifetime: 28800 seconds
  5. Configure Dead Peer Detection:
    • DPD: On Idle
    • Retry Interval: 10 seconds
    • Retry Count: 3
  6. Click Next

Create Phase 2 (IPsec) Configuration:

  1. Configure Phase 2 parameters:
    • Name: “AgentlessVPN-Phase2”
    • Local Address: Specify internal network subnets requiring VPN access
    • Remote Address: 0.0.0.0/0 (for full tunnel) or specific subnets (for split tunnel)
  2. Configure Phase 2 Proposal:
    • Encryption: AES256-GCM, AES256
    • Authentication: SHA256, SHA512
    • PFS Group: 14, 15, 19, 20
    • Key Lifetime: 3600 seconds
  3. Click OK to create the VPN tunnel

Step 5: Configure Firewall Policies

Create VPN to Internal Policy:

  1. Navigate to Policy & Objects > Firewall Policy
  2. Click Create New
  3. Configure:
    • Name: “VPN-to-Internal”
    • Incoming Interface: Select your VPN tunnel (e.g., “AgentlessVPN-Phase1”)
    • Outgoing Interface: Select internal interface (e.g., “port1” or “internal”)
    • Source: Select “VPN-Users” group
    • Destination: “all” or specific internal address objects
    • Service: “ALL” or specific services
    • Action: Accept
    • NAT: Disable
  4. Configure security profiles as needed (Antivirus, IPS, Web Filter)
  5. Enable Logging for troubleshooting
  6. Click OK

Create Internal to VPN Policy (if needed):

  1. Click Create New
  2. Configure:
    • Name: “Internal-to-VPN”
    • Incoming Interface: Internal interface
    • Outgoing Interface: VPN tunnel
    • Source: Internal network objects
    • Destination: VPN address pool or “all”
    • Service: “ALL”
    • Action: Accept
    • NAT: Disable
  3. Click OK

Step 6: Verify Configuration

  1. Navigate to VPN > Monitor > IPsec Monitor
  2. Verify the VPN tunnel appears in the list (it will show as “Down” until a client connects)
  3. Navigate to Log & Report > Forward Traffic to monitor connection attempts
  4. Test connectivity manually using FortiClient or a native OS VPN client before MDM deployment

Part 2: Deploying VPN Configuration via Workspace ONE

Workspace ONE UEM provides comprehensive VPN payload management for iOS, Android, Windows, and macOS devices.

iOS Configuration

Create VPN Profile:

  1. Log into Workspace ONE UEM Console
  2. Navigate to Devices > Profiles & Resources > Profiles
  3. Click Add > Add Profile
  4. Select Apple iOS as platform
  5. Configure basic profile information:
    • Name: “FortiGate AgentlessVPN – iOS”
    • Description: Enter detailed description
    • Assignment Groups: Select target user or device groups
  6. Click VPN payload in the left menu
  7. Click Configure
  8. Select Connection Type: IKEv2
  9. Configure VPN settings:
    • Connection Name: “Corporate VPN”
    • Server: FortiGate external hostname or IP address
    • Remote Identifier: FortiGate external hostname (matching Local ID in Phase 1)
    • Local Identifier: Leave blank or specify if using certificate authentication
    • Authentication Type: Username & Password or Certificate
    • Enable VPN On Demand: Optional (allows automatic VPN triggering)
    • Certificate: Select if using certificate-based authentication
  10. Configure IKEv2 Advanced Settings:
    • Dead Peer Detection Rate: Medium
    • Server Certificate Issuer Common Name: Enter if validating server certificate
    • Use Extended Authentication (EAP): Disable
    • Enable Perfect Forward Secrecy: Enable
    • Disable Redirect: Disable
  11. Configure Proxy settings if required
  12. Click Save
  13. Click Publish to make profile available

Configure VPN On Demand (Optional):

Within the VPN payload configuration:

  1. Enable VPN On Demand
  2. Add rules:
    • Domain: Internal domain names requiring VPN (e.g., “corp.company.com”)
    • Action: Connect
    • Domain: Public domains (e.g., “www.google.com”)
    • Action: Never Connect
  3. This ensures VPN connects automatically when accessing internal resources
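
As an added example (not code from this guide, Fortinet or VMware), the following Python builds the Apple IKEv2 VPN payload that the iOS profile above is delivered as, and checks it against the Phase 1/Phase 2 settings from Step 4 of Part 1, reporting the mismatches that surface as Phase 1 or Phase 2 negotiation failures. Assumptions: FortiOS proposal naming such as aes256gcm-prfsha256, Apple payload key names from Apple's configuration profile reference, and placeholder hostnames and certificate UUID.

```python
import plistlib
import uuid

# FortiGate side, as configured in Step 4. Proposal strings follow FortiOS CLI
# naming (assumption): "aes256gcm-prfsha256" for AEAD, "aes256-sha256" for
# CBC + HMAC. DH groups are the numeric IKE group ids from the guide.
FORTIGATE_PHASE1 = {
    "local_id": "vpn.company.com",  # placeholder hostname
    "proposals": ["aes256gcm-prfsha256", "aes256-sha256", "aes256-sha512"],
    "dhgrp": {14, 15, 19, 20},
}
FORTIGATE_PHASE2 = {
    "proposals": ["aes256gcm", "aes256-sha256", "aes256-sha512"],
    "pfs_dhgrp": {14, 15, 19, 20},
}

# FortiOS token -> name used in Apple's IKESecurityAssociationParameters.
FORTIOS_TO_APPLE_ENC = {"aes256gcm": "AES-256-GCM", "aes256": "AES-256",
                        "aes128gcm": "AES-128-GCM", "aes128": "AES-128"}
FORTIOS_TO_APPLE_INTEG = {"sha256": "SHA2-256", "sha384": "SHA2-384",
                          "sha512": "SHA2-512", "sha1": "SHA1-96"}


def fortios_proposals_to_apple(proposals):
    """Expand FortiOS proposal strings into (encryption, integrity) pairs in
    Apple naming. AEAD (GCM) proposals carry no separate integrity algorithm,
    so they are recorded with the wildcard "*"."""
    pairs = set()
    for prop in proposals:
        enc, _, integ = prop.partition("-")
        if enc.endswith("gcm"):
            pairs.add((FORTIOS_TO_APPLE_ENC[enc], "*"))
        else:
            pairs.add((FORTIOS_TO_APPLE_ENC[enc], FORTIOS_TO_APPLE_INTEG[integ]))
    return pairs


def build_ikev2_payload(server, remote_id, enc, integ, dh, internal_domains):
    """com.apple.vpn.managed payload with the iOS values from Part 2: DPD
    Medium, PFS on, redirect allowed, certificate authentication (placeholder
    certificate UUID) and On Demand rules that connect only for internal
    domains. Key names follow Apple's configuration profile reference."""
    ike_sa = {"EncryptionAlgorithm": enc, "IntegrityAlgorithm": integ,
              "DiffieHellmanGroup": dh, "LifeTimeInMinutes": 480}  # = 28800 s
    return {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.company.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate VPN", "UserDefinedName": "Corporate VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server, "RemoteIdentifier": remote_id,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",
            "DeadPeerDetectionRate": "Medium", "EnablePFS": 1, "DisableRedirect": 0,
            "IKESecurityAssociationParameters": ike_sa,
            # Child SA lifetime 60 min = the 3600 s Phase 2 key lifetime
            "ChildSecurityAssociationParameters": dict(ike_sa, LifeTimeInMinutes=60),
        },
        "OnDemandEnabled": 1,
        "OnDemandRules": [
            {"Action": "EvaluateConnection", "ActionParameters": [
                {"Domains": list(internal_domains), "DomainAction": "ConnectIfNeeded"}]},
            {"Action": "Disconnect"},  # anything else never triggers the tunnel
        ],
    }


def check_against_fortigate(payload, phase1=FORTIGATE_PHASE1, phase2=FORTIGATE_PHASE2):
    """Return the mismatches a Phase 1 / Phase 2 failure would trace back to;
    an empty list means the client's SA parameters overlap the FortiGate's."""
    findings = []
    ike = payload["IKEv2"]
    if ike["RemoteIdentifier"] != phase1["local_id"]:
        findings.append("RemoteIdentifier does not match the FortiGate Local ID")
    checks = (("IKE SA", ike["IKESecurityAssociationParameters"],
               phase1["proposals"], phase1["dhgrp"]),
              ("Child SA", ike["ChildSecurityAssociationParameters"],
               phase2["proposals"], phase2["pfs_dhgrp"]))
    for label, sa, proposals, groups in checks:
        offered = fortios_proposals_to_apple(proposals)
        enc, integ = sa["EncryptionAlgorithm"], sa["IntegrityAlgorithm"]
        if (enc, integ) not in offered and (enc, "*") not in offered:
            findings.append(f"{label}: {enc}/{integ} not in FortiGate proposals")
        if sa["DiffieHellmanGroup"] not in groups:
            findings.append(f"{label}: DH group {sa['DiffieHellmanGroup']} not offered")
    return findings


def to_mobileconfig(payload):
    """Wrap the payload in a top-level profile and serialise it as plist XML,
    the .mobileconfig form an MDM delivers to the device."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.company.profile.vpn",
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadDisplayName": "FortiGate AgentlessVPN - iOS",
                           "PayloadContent": [payload]})
```

Run check_against_fortigate on the payload before publishing the profile; a non-empty list is exactly what the Phase 1/Phase 2 troubleshooting steps later in this guide would otherwise have to find by reading VPN Events.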

Android Configuration

Create VPN Profile:

  1. Navigate to Devices > Profiles & Resources > Profiles
  2. Click Add > Add Profile
  3. Select Android as platform
  4. Configure basic profile information
  5. Click VPN payload
  6. Click Configure
  7. Select Connection Type: IKEv2/IPsec
  8. Configure VPN settings:
    • Connection Name: “Corporate VPN”
    • Server Address: FortiGate external hostname or IP
    • VPN Type: IKEv2/IPsec PSK or IKEv2/IPsec RSA
    • IPsec Identifier: FortiGate server identifier
    • IPsec Pre-shared Key: Enter PSK (if using PSK authentication)
    • Always-on VPN: Optional (prevents traffic outside VPN)
    • Per-App VPN: Optional (restrict VPN to specific apps)
  9. Click Save
  10. Click Publish

Note: The Android native VPN client has limited configuration options compared to iOS. For advanced features, consider using the FortiClient Mobile app distributed through Workspace ONE.

Windows 10/11 Configuration

Create VPN Profile:

  1. Navigate to Devices > Profiles & Resources > Profiles
  2. Click Add > Add Profile
  3. Select Windows > Windows 10/11 as platform
  4. Configure basic profile information
  5. Click VPN payload
  6. Click Configure
  7. Configure VPN settings:
    • Connection Name: “Corporate VPN”
    • Connection Type: IKEv2
    • Server Name or Address: FortiGate external hostname or IP
    • Authentication Method: EAP (Extensible Authentication Protocol) or Certificate
    • EAP Configuration: MSCHAPv2
    • Remember Credentials: Enable
  8. Configure routing:
    • Custom Routes: Add internal network routes for split tunneling
    • DNS Suffix: Add internal DNS suffix
  9. Configure advanced settings:
    • Cryptography Suite: Configure to match FortiGate Phase 1/2 proposals
    • Perfect Forward Secrecy: Enable
    • Dead Peer Detection: Configure timeout values
  10. Click Save & Publish

Configure Device Tunnel (Optional – Always-On VPN):

For Windows 10/11 Enterprise editions:

  1. Create separate VPN profile with Device Tunnel connection type
  2. Configure certificate-based authentication
  3. Assign to device groups rather than user groups
  4. Enable before user login for seamless connectivity

macOS Configuration

Create VPN Profile:

  1. Navigate to Devices > Profiles & Resources > Profiles
  2. Click Add > Add Profile
  3. Select Apple macOS as platform
  4. Configure basic profile information
  5. Click VPN payload
  6. Click Configure
  7. Configure similar to iOS settings:
    • Connection Type: IKEv2
    • Server: FortiGate hostname/IP
    • Remote Identifier: FortiGate identifier
    • Authentication Type: Username & Password or Certificate
  8. Configure VPN On Demand rules if needed
  9. Click Save & Publish

Profile Assignment and Deployment

  1. Navigate to the published profile
  2. Click Assignment
  3. Select assignment type:
    • User Groups: Assign to specific user groups
    • Device Groups: Assign to specific device groups
    • Smart Groups: Use dynamic criteria for automatic assignment
  4. Configure deployment timing:
    • Push: Immediate deployment
    • Auto: Deploy when device checks in
  5. Click Save

Part 3: Deploying VPN Configuration via Microsoft Intune

Microsoft Intune offers native VPN profile management across Windows, iOS, Android, and macOS platforms.

iOS/iPadOS Configuration

Create VPN Configuration Profile:

  1. Sign in to Microsoft Intune admin center (https://intune.microsoft.com)
  2. Navigate to Devices > Configuration profiles
  3. Click Create profile
  4. Select:
    • Platform: iOS/iPadOS
    • Profile type: VPN
  5. Click Create
  6. Configure Basics:
    • Name: “FortiGate Agentless VPN – iOS”
    • Description: Detailed description
  7. Click Next
  8. Configure Configuration settings:
    • Connection type: IKEv2
    • Connection name: “Corporate VPN” (user-visible name)
    • VPN server address: FortiGate external hostname or IP
    • Authentication method: Username and password or Certificates
    • Remote identifier: FortiGate server identifier
    • Local identifier: Leave blank or specify user identifier
    • Client Authentication type: Username and password
    • Username source: User Principal Name or SAMAccountName
    • Disable IPv6: Optional
  9. Configure IKEv2 settings:
    • Dead peer detection interval: 600 seconds
    • Server certificate type: Select appropriate option
    • Always-on VPN: Enable/Disable based on requirements
    • Per-app VPN: Configure if restricting to specific apps
  10. Configure Automatic VPN (On-Demand):
    • Add: Rules for when VPN should connect
    • On-demand match domains: Internal domains requiring VPN
    • On-demand match domain action: Connect if needed
  11. Configure Split tunneling (if needed):
    • Excluded routes: Routes that should not use VPN
    • Included routes: Routes that must use VPN
  12. Click Next
  13. Configure Assignments:
    • Included groups: Select Azure AD groups
    • Excluded groups: Specify exclusions if needed
  14. Click Next
  15. Review and click Create

Android Configuration

Create VPN Configuration Profile:

  1. Navigate to Devices > Configuration profiles
  2. Click Create profile
  3. Select:
    • Platform: Android Enterprise
    • Profile type: VPN (Device Owner/Corporate-owned work profile)
  4. Click Create
  5. Configure Basics with name and description
  6. Configure Configuration settings:
    • Connection type: IKEv2
    • Connection name: “Corporate VPN”
    • VPN server address: FortiGate hostname/IP
    • Authentication method: Username and password
    • Identity certificate: Select if using certificate authentication
    • Always-on VPN: Enable/Disable
    • Block connections without VPN: Configure based on security requirements
  7. Configure Per-app VPN if needed:
    • Add apps: Select specific applications requiring VPN
  8. Click Next
  9. Configure Assignments
  10. Review and click Create

Note: Android VPN capabilities vary based on enrollment type (Work Profile, Device Owner, etc.). Device Owner mode provides the most comprehensive VPN control.

Windows 10/11 Configuration

Create VPN Configuration Profile:

  1. Navigate to Devices > Configuration profiles
  2. Click Create profile
  3. Select:
    • Platform: Windows 10 and later
    • Profile type: VPN
  4. Click Create
  5. Configure Basics
  6. Configure Configuration settings – Base VPN:
    • Connection name: “Corporate VPN”
    • Servers: Add FortiGate server
      • Description: “Primary VPN Gateway”
      • IP address or FQDN: FortiGate external address
      • Default server: Enable
    • Connection type: IKEv2
    • Authentication method: Certificates or Username and password
    • Remember credentials at each logon: Enable
  7. Configure IKEv2 settings:
    • Machine certificate identity privacy: Disable
    • Use internal DHCP server: Disable
    • Cryptography suite:
      • Cipher suites: Configure to match FortiGate (AES256-GCM, AES256)
      • Integrity check: SHA256
      • Diffie-Hellman Group: Group 14, 19, 20
      • PFS Group: PFS2048, PFSECP256, PFSECP384
  8. Configure Proxy settings if required
  9. Configure Split tunneling:
    • Routes: Add internal network routes
    • DNS suffixes: Add internal DNS suffixes
  10. Configure Always On settings if needed:
    • Enable Always On: Yes
    • Enable device tunnel: Configure for computer-level VPN
  11. Click Next
  12. Configure Assignments
  13. Review and click Create

macOS Configuration

Create VPN Configuration Profile:

  1. Navigate to Devices > Configuration profiles
  2. Click Create profile
  3. Select:
    • Platform: macOS
    • Profile type: VPN
  4. Click Create
  5. Configure Basics
  6. Configure Configuration settings:
    • Connection type: IKEv2
    • Connection name: “Corporate VPN”
    • VPN server address: FortiGate hostname/IP
    • Authentication method: Username and password or Certificates
    • Remote identifier: FortiGate server identifier
    • Local identifier: User identifier
    • Client Authentication type: Username and password
  7. Configure On Demand VPN rules
  8. Configure Per-app VPN if needed
  9. Click Next
  10. Configure Assignments
  11. Review and click Create

Conditional Access Integration (Optional):

Enhance security by requiring a VPN connection for specific cloud apps:

  1. Navigate to Endpoint security > Conditional Access
  2. Click New policy
  3. Configure policy:
    • Name: “Require VPN for Sensitive Apps”
    • Users: Select target users/groups
    • Cloud apps: Select apps requiring VPN
    • Conditions: Configure device platforms
    • Grant: Require device to be marked as compliant AND require VPN
  4. Enable policy

Testing VPN Connectivity

Windows Testing

  1. Open Settings > Network & Internet > VPN
  2. Locate “Corporate VPN” connection
  3. Click Connect
  4. Enter credentials when prompted
  5. Verify connection status shows “Connected”
  6. Test access to internal resources (file shares, internal websites)
  7. Run ipconfig to verify VPN adapter and IP assignment
  8. Test split tunneling by accessing public internet sites

macOS Testing

  1. Open System Preferences > Network
  2. Select “Corporate VPN” interface
  3. Click Connect
  4. Enter credentials
  5. Verify connection status
  6. Test internal resource access
  7. Use ifconfig to verify VPN interface

iOS/iPadOS Testing

  1. Open Settings > General > VPN & Device Management
  2. Verify VPN profile is installed
  3. Open Settings > VPN
  4. Enable “Corporate VPN” toggle
  5. Enter credentials if prompted
  6. Verify VPN icon appears in status bar
  7. Test accessing internal resources via Safari or enterprise apps

Android Testing

  1. Open Settings > Network & Internet > VPN
  2. Select “Corporate VPN”
  3. Tap Connect
  4. Enter credentials
  5. Verify VPN connected notification
  6. Test internal resource access

Troubleshooting Common Issues

Connection Failures

Issue: Phase 1 negotiation fails

FortiGate verification:

  1. Navigate to Log & Report > VPN Events
  2. Check for Phase 1 negotiation errors
  3. Verify authentication method matches client configuration
  4. Ensure Phase 1 proposals include common ciphers supported by client OS

Client verification:

  1. Verify server address is correct and reachable
  2. Check pre-shared key matches exactly (case-sensitive)
  3. Verify client OS supports configured cipher suites
  4. Test basic connectivity: ping [FortiGate-IP] or telnet [FortiGate-IP] 500

Issue: Phase 2 negotiation fails

FortiGate verification:

  1. Check VPN Events for Phase 2 specific errors
  2. Verify Phase 2 proposal compatibility
  3. Ensure PFS group settings match
  4. Check selector/proxy-id configuration matches client expectations

Issue: Authentication failures

  1. Verify RADIUS/LDAP server connectivity from FortiGate
  2. Test user authentication:
    • Navigate to User & Authentication > User > User Definition
    • Click Test Connectivity on authentication server
  3. Check user group membership in authentication backend
  4. Review authentication logs on RADIUS/LDAP server
  5. Verify credentials are not expired or locked

Connectivity Issues After Connection

Issue: Can reach VPN gateway but not internal resources

FortiGate troubleshooting:

  1. Navigate to Policy & Objects > Firewall Policy
  2. Verify VPN-to-Internal policy exists and is enabled
  3. Enable logging on firewall policy
  4. Check Log & Report > Forward Traffic for dropped connections
  5. Verify policy source/destination objects match VPN traffic

Routing verification:

  1. Navigate to Network > Static Routes
  2. Verify routes for internal networks
  3. Check that VPN clients receive correct routes in Mode Config
  4. On client, verify routing table includes internal network routes

Issue: DNS resolution fails for internal names

  1. Verify DNS servers configured in VPN Mode Config
  2. Check that DNS servers are accessible from VPN client pool
  3. Create firewall policy allowing VPN clients to DNS servers
  4. Test DNS resolution from FortiGate: diagnose sniffer packet any 'port 53' 4
  5. On client, verify DNS servers received via VPN connection: ipconfig /all (Windows) or scutil --dns (macOS)

MDM Deployment Issues

Profile Installation Failures:

Workspace ONE:

  1. Navigate to Monitor > Devices > Select Device
  2. Check Event Log for profile installation errors
  3. Verify device check-in status
  4. Ensure device meets platform requirements for VPN profile
  5. Check for conflicting VPN profiles

Intune:

  1. Navigate to Devices > All devices > Select Device
  2. Check Device configuration status
  3. Review error details and remediation suggestions
  4. Verify user group membership and assignments
  5. Check for certificate-related issues if using certificate authentication

Profile Not Appearing on Device:

  1. Verify MDM assignment includes target user/device
  2. Force device sync: On device, trigger manual check-in
  3. Check MDM console for pending profiles
  4. Verify network connectivity from device to MDM infrastructure
  5. Review device enrollment status

Performance Issues

Slow VPN Performance:

  1. Test baseline internet speed without VPN
  2. Enable split tunneling to reduce VPN traffic
  3. Adjust encryption algorithms (AES-GCM offers better performance)
  4. Check FortiGate CPU utilization: Dashboard > System Resources
  5. Review IPS/AV settings on VPN firewall policy (may cause performance impact)
  6. Consider upgrading FortiGate hardware or increasing VPN license capacity

Frequent Disconnections:

  1. Adjust DPD settings in Phase 1:
    • Increase retry interval
    • Increase retry count
  2. Configure VPN On Demand rules to reduce unnecessary connections
  3. Check for NAT timeout issues on intermediate firewalls
  4. Enable NAT-T if VPN traffic traverses NAT devices
  5. Review client power management settings (sleep/hibernation)

Optional Advanced Configurations

Use SAML Authentication with Workspace ONE Access

This section configures FortiGate to use Workspace ONE Access as a SAML identity provider for VPN authentication.

Step 1: Configure Workspace ONE Access SAML Authentication

Configure SAML Application in Workspace ONE Access:

  1. Log into Workspace ONE Access console (https://your-tenant.vidmpreview.com or on-premises URL)
  2. Navigate to Catalog > Web Apps
  3. Click New
  4. Select SAML 2.0 as the type
  5. Configure application details:
    • Name: “FortiGate VPN”
    • Description: “FortiGate VPN SAML Authentication”
    • Icon: Upload FortiGate logo or select generic VPN icon
  6. Click Next

Configure SAML Metadata:

  1. In the application configuration, select Configuration tab
  2. Under SAML Metadata, select Manual
  3. Configure the following Service Provider details:
    • Single Sign-On URL (ACS URL): https://:10443/remote/saml/login
    • Example: https://vpn.company.com:10443/remote/saml/login
    • Check Use this URL for Recipient and Destination
    • Recipient URL: auto-filled from the Single Sign-On URL (https://vpn.company.com:10443/remote/saml/login)
    • Application ID (Entity ID): https://:10443/remote/saml/metadata
    • Example: https://vpn.company.com:10443/remote/saml/metadata
    • Username Format: Email Address or User Principal Name
    • Username Value: ${user.email} or ${user.userName}
  4. Configure Advanced Properties:
    • Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • Name ID Value: ${user.email}
    • Signature Algorithm: RSA-SHA256
    • Digest Algorithm: SHA256
    • Assertion Lifetime: 300 seconds
  5. Click Next

Configure Attribute Mapping:

  1. Under Attribute Mapping, add the following attributes:
    • username: ${user.userName}
    • email: ${user.email}
    • groups: ${user.groups}
  2. Click Next

Configure Access Policies:

  1. In the Access Policies tab, click Create Rule
  2. Configure policy:
    • Rule Name: “VPN Users Access”
    • Users: Select specific groups (e.g., “VPN-Users”, “Remote-Workers”) or “All Users”
    • Network Ranges: Configure if restricting by IP range (optional)
    • Device Compliance: Require managed devices if using Workspace ONE UEM (optional)
  3. Configure Authentication Methods:
    • Password: Enable for username/password authentication
    • Multi-factor Authentication: Configure if requiring additional factors (RADIUS, DUO, etc.)
  4. Actions:
    • Perform this action when all conditions are met: Allow Access
    • Re-authenticate after: 480 minutes (default)
  5. Click Save

Export SAML Metadata:

  1. Navigate to SAML Metadata tab
  2. Click Export Metadata and save the XML file
  3. Alternatively, copy the Identity Provider (IdP) metadata URL:
    • Example: https://your-tenant.vidmpreview.com/SAAS/API/1.0/GET/metadata/sp.xml?entityID=FortiGateVPN

Deploy Application to Users:

  1. Click Deployment tab
  2. Configure deployment:
    • Deployment Type: Automatic
    • Categories: Assign to appropriate category (e.g., “IT Services”)
    • User/Group Assignment: Add user groups who should see the application
  3. Click Save and Publish

Step 2: Configure FortiGate SAML Settings

Import SAML Metadata (Recommended Method):

  1. On FortiGate, navigate to User & Authentication > SAML SSO
  2. Click Create New
  3. Click Import Metadata
  4. Upload the metadata XML file downloaded from Workspace ONE Access
  5. FortiGate will auto-populate most fields
  6. Verify and adjust:
    • Name: “WorkspaceONE-SAML”
    • IdP Entity ID: (Auto-populated from metadata)
    • IdP Single Sign-On URL: (Auto-populated from metadata)
    • IdP Single Logout URL: (Auto-populated if available)
    • IdP Certificate: (Auto-imported from metadata)
    • SP Entity ID: Must match Application ID in Workspace ONE Access
    • Example: https://vpn.company.com:10443/remote/saml/metadata
    • SP Single Sign-On URL: Must match ACS URL in Workspace ONE Access
    • Example: https://vpn.company.com:10443/remote/saml/login
    • SP Certificate: Select or create a certificate for FortiGate
  7. Configure User/Group Attribute:
    • User Name: Select attribute containing username (typically “username” or “email”)
    • Group Name: “groups” (if using group-based access control)
  8. Enable Clock Tolerance: 60 seconds
  9. Click OK

Alternative Method – Manual Configuration:

  1. Navigate to User & Authentication > SAML SSO
  2. Click Create New
  3. Configure IdP Settings:
    • Name: “WorkspaceONE-SAML”
    • IdP Entity ID: https://your-tenant.vidmpreview.com/SAAS/jersey/manager/api/saml/metadata
    • IdP Single Sign-On URL: https://your-tenant.vidmpreview.com/SAAS/auth/federation/sso
    • IdP Single Logout URL: https://your-tenant.vidmpreview.com/SAAS/auth/federation/slo
    • IdP Certificate: Click Import and upload certificate file from metadata
  4. Configure Service Provider (FortiGate) Settings:
    • SP Entity ID: https://vpn.company.com:10443/remote/saml/metadata
    • SP Single Sign-On URL: https://vpn.company.com:10443/remote/saml/login
    • SP Certificate: Select FortiGate’s certificate
  5. Configure User Attribute Mapping:
    • User Name: “username” or “email”
    • Group Name: “groups”
  6. Configure Advanced Options:
    • Clock Tolerance: 60 seconds
    • Digest Method: sha256
    • Signature Method: rsa-sha256
  7. Click OK

Step 3: Create SAML User Groups

Create Generic SAML User Group:

  1. Navigate to User & Authentication > User Groups
  2. Click Create New
  3. Configure:
    • Name: “SAML-VPN-All-Users”
    • Type: Firewall
    • Members: Click Add
    • Type: Select SAML Users
    • SAML Server: Select “WorkspaceONE-SAML”
    • Groups: Leave empty to match all authenticated users
  4. Click OK

Create Group-Specific SAML Mapping (Optional):

  1. Navigate to User & Authentication > User Groups
  2. Click Create New
  3. Configure:
    • Name: “SAML-VPN-Employees” (example group name)
    • Type: Firewall
    • Members: Click Add
    • Type: Select SAML Users
    • SAML Server: Select “WorkspaceONE-SAML”
    • Groups: Enter exact group name from Workspace ONE Access
    • Example: “VPN-Users” or “CN=VPN-Users,OU=Groups,DC=company,DC=com”
  4. Click OK

Step 4: Configure SSL-VPN Settings with SAML

  1. Navigate to VPN > SSL-VPN Settings
  2. Configure:
    • Listen on Interface(s): Select WAN interface
    • Listen on Port: 10443 (or preferred port)
    • Server Certificate: Select certificate matching SP Entity ID hostname
    • Restrict Access: Configure as needed
  3. Under Authentication/Portal Mapping, click Create New:
    • Users/Groups: Select “SAML-VPN-All-Users”
    • Portal: Select “AgentlessVPN-Portal”
    • Authentication Method: Keep default (will use SAML)
  4. For group-specific access, create additional mappings:
    • Click Create New
    • Users/Groups: Select specific SAML group (e.g., “SAML-VPN-Employees”)
    • Portal: Select portal with appropriate access level
  5. Enable SSL-VPN Service
  6. Click Apply

Use SAML Authentication with Microsoft Entra ID

This section configures FortiGate to use Microsoft Entra ID as a SAML identity provider for VPN authentication.

Step 1: Configure Microsoft Entra ID SAML Authentication

Configure SAML Application in Microsoft Entra ID:

  1. Sign in to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Navigate to Identity > Applications > Enterprise applications
  3. Click New application
  4. Click Create your own application
  5. Configure:
    • Name: “FortiGate VPN SAML”
    • Select: “Integrate any other application you don’t find in the gallery (Non-gallery)”
  6. Click Create

Configure Single Sign-On:

  1. In the newly created application, navigate to Single sign-on
  2. Click SAML
  3. Click Edit on Basic SAML Configuration
  4. Configure the following (replace with your FortiGate details):
    • Identifier (Entity ID): https://:10443/remote/saml/metadata
    • Example: https://vpn.company.com:10443/remote/saml/metadata
    • Reply URL (Assertion Consumer Service URL): https://:10443/remote/saml/login
    • Example: https://vpn.company.com:10443/remote/saml/login
    • Sign on URL (optional): Same as Reply URL
  5. Click Save

Configure Attributes & Claims:

  1. Click Edit on Attributes & Claims
  2. Verify the following claims exist (add if missing):
    • Required claim – Unique User Identifier (Name ID): user.userprincipalname (or user.mail)
    • Additional claim – username: user.userprincipalname
    • Additional claim – group: user.groups (if using group-based access)
  3. Click Save

Download Federation Metadata:

  1. Scroll to SAML Certificates section
  2. Click Download next to Federation Metadata XML
  3. Save the XML file for later use
  4. Alternatively, note the App Federation Metadata Url for direct metadata import

Assign Users/Groups:

  1. Navigate to Users and groups in the Enterprise application
  2. Click Add user/group
  3. Select users or groups who should have VPN access
  4. Click Assign

Configure Conditional Access (Optional):

  1. Navigate to Identity > Protection > Conditional Access
  2. Click New policy
  3. Configure:
    • Name: “Require MFA for VPN”
    • Assignments > Users: Select users/groups
    • Assignments > Cloud apps: Select “FortiGate VPN SAML” application
    • Access controls > Grant: Require multi-factor authentication
  4. Enable policy: On
  5. Click Create

Step 2: Configure FortiGate SAML Settings

Import SAML Metadata (Recommended Method):

  1. On FortiGate, navigate to User & Authentication > SAML SSO
  2. Click Create New
  3. Click Import Metadata
  4. Upload the Federation Metadata XML downloaded from Entra ID
  5. FortiGate will auto-populate most fields
  6. Verify and adjust:
    • Name: “EntraID-SAML”
    • IdP Entity ID: (Auto-populated from metadata)
    • Format: https://sts.windows.net/<tenant-id>/
    • IdP Single Sign-On URL: (Auto-populated from metadata)
    • Format: https://login.microsoftonline.com/<tenant-id>/saml2
    • IdP Single Logout URL: (Auto-populated if available)
    • IdP Certificate: (Auto-imported from metadata)
    • SP Entity ID: Must match Identifier in Entra ID
    • Example: https://vpn.company.com:10443/remote/saml/metadata
    • SP Single Sign-On URL: Must match Reply URL in Entra ID
    • Example: https://vpn.company.com:10443/remote/saml/login
    • SP Certificate: Select or create a certificate for FortiGate
  7. Configure User/Group Attribute:
    • User Name: Select attribute containing username (typically “username” or leave as default)
    • Group Name: “group” (if using group-based access control)
  8. Enable Clock Tolerance: 60 seconds
  9. Click OK

Alternative Method – Manual Configuration:

  1. Navigate to User & Authentication > SAML SSO
  2. Click Create New
  3. Configure IdP Settings:
    • Name: “EntraID-SAML”
    • IdP Entity ID: Copy from Entra ID metadata
    • Example: https://sts.windows.net/12345678-1234-1234-1234-123456789abc/
    • IdP Single Sign-On URL: Copy from Entra ID Federation Metadata XML
    • Look for SingleSignOnService with HTTP-Redirect binding
    • Example: https://login.microsoftonline.com/12345678-1234-1234-1234-123456789abc/saml2
    • IdP Single Logout URL: Copy from Entra ID if available
    • IdP Certificate: Click Import and upload the signing certificate from the Federation Metadata XML
    • The base64 certificate body is located within the <X509Certificate> element of the signing KeyDescriptor; save it between BEGIN/END CERTIFICATE lines as a PEM file before importing
  4. Configure Service Provider (FortiGate) Settings:
    • SP Entity ID: https://vpn.company.com:10443/remote/saml/metadata
    • SP Single Sign-On URL: https://vpn.company.com:10443/remote/saml/login
    • SP Certificate: Select FortiGate’s certificate
  5. Configure User Attribute Mapping:
    • User Name: Select the attribute to use for username (typically “username” or leave as default)
    • Group Name: “group” (if using group-based access control)
  6. Configure Advanced Options:
    • Clock Tolerance: 60 seconds
    • Digest Method: sha256
    • Signature Method: rsa-sha256
  7. Click OK
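The manual method above has you read the IdP Entity ID, the HTTP-Redirect SingleSignOnService URL and the X509Certificate out of the Federation Metadata XML by hand. The following script is an added example (not part of this guide or of Fortinet's tooling) that extracts those same values, rejects a garbled certificate blob early, and writes the certificate as PEM for import; the metadata it parses is a constructed sample with a placeholder tenant ID and a dummy certificate body.

```python
"""Extract the IdP values FortiGate's manual SAML form needs from Entra ID federation metadata."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # binding FortiGate's IdP SSO URL uses

# Constructed sample shaped like Entra ID metadata; tenant ID is a placeholder, cert body is dummy.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC0DCCAbigAwIBAgIQ</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return IdP Entity ID, HTTP-Redirect SSO/SLO URLs and the signing certificate as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_location(tag):
        # Pick only the HTTP-Redirect endpoint; Entra also advertises HTTP-POST for the same URL.
        for svc in idp.findall("md:" + tag, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    if not certs or not certs[0]:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(certs[0].split())               # metadata may wrap the blob across lines
    base64.b64decode(b64, validate=True)          # fail now rather than on FortiGate import
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
    return {"idp_entity_id": root.get("entityID"),
            "idp_sso_url": redirect_location("SingleSignOnService"),
            "idp_slo_url": redirect_location("SingleLogoutService"),
            "idp_cert_pem": pem}
```

Feed the real Federation Metadata XML to parse_idp_metadata and copy the returned values into the IdP fields of Step 2; the PEM string is what the IdP Certificate import expects.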

Step 3: Create SAML User Groups

Create Generic SAML User Group:

  1. Navigate to User & Authentication > User Groups
  2. Click Create New
  3. Configure:
    • Name: “SAML-VPN-All-Users”
    • Type: Firewall
    • Members: Click Add
    • Type: Select SAML Users
    • SAML Server: Select “EntraID-SAML”
    • Groups: Leave empty to match all authenticated users
  4. Click OK

Create Group-Specific SAML Mapping (Optional):

  1. Navigate to User & Authentication > User Groups
  2. Click Create New
  3. Configure:
    • Name: “SAML-VPN-Employees” (example group name)
    • Type: Firewall
    • Members: Click Add
    • Type: Select SAML Users
    • SAML Server: Select “EntraID-SAML”
    • Groups: Enter Entra ID group Object ID or display name
    • Example: “12345678-1234-1234-1234-123456789abc” (Object ID)
    • Or: “VPN-Users” (display name, if configured in claims)
  4. Click OK

Step 4: Configure SSL-VPN Settings with SAML

  1. Navigate to VPN > SSL-VPN Settings
  2. Configure:
    • Listen on Interface(s): Select WAN interface
    • Listen on Port: 10443 (or preferred port)
    • Server Certificate: Select certificate matching SP Entity ID hostname
    • Restrict Access: Configure as needed
  3. Under Authentication/Portal Mapping, click Create New:
    • Users/Groups: Select “SAML-VPN-All-Users”
    • Portal: Select “AgentlessVPN-Portal”
    • Authentication Method: Keep default (will use SAML)
  4. For group-specific access, create additional mappings:
    • Click Create New
    • Users/Groups: Select specific SAML group (e.g., “SAML-VPN-Employees”)
    • Portal: Select portal with appropriate access level
  5. Enable SSL-VPN Service
  6. Click Apply

Certificate-Based Authentication

For enhanced security without passwords:

  1. Deploy PKI Infrastructure:
    • Set up internal CA or use third-party PKI
    • Create certificate templates for VPN users/devices
    • Configure certificate auto-enrollment where possible
  2. FortiGate Configuration:
    • Import CA certificates to FortiGate
    • Configure Phase 1 for certificate authentication
    • Set up certificate-based user authentication
    • Map certificate fields to user groups
  3. MDM Distribution:
    • Use MDM SCEP or certificate payload
    • Distribute user/device certificates automatically
    • Configure VPN profile to use deployed certificates
    • Implement certificate renewal automation

Conclusion

Deploying FortiGate agentless VPN with enterprise MDM solutions provides a scalable, secure, and user-friendly remote access solution. By leveraging native OS VPN capabilities and automated MDM deployment, organizations can ensure consistent security policies while minimizing end-user friction and support overhead.

Key Takeaways:

  • Agentless VPN reduces complexity and costs while maintaining strong security
  • MDM integration enables zero-touch deployment and centralized management
  • Proper authentication integration ensures alignment with enterprise identity governance
  • Regular monitoring and maintenance are essential for optimal security and performance
  • Advanced configurations like HA and certificate-based authentication enhance reliability and security

This comprehensive approach to VPN deployment aligns with modern enterprise security requirements while providing the flexibility to adapt to evolving business needs and security landscapes.
