VPN before Logon

Is VPN before logon, like we had in FortiClient 6.0, ever coming back for non-EMS customers? They say the VPN does not require EMS, but starting in 6.2 where it is a separate app (instead of the same app and just not activating EMS features), they ripped out critical features like this.

Being able to connect to the corporate network from a button on the Windows login page, before logging in, allows authenticating your Windows login against a DC just like if you were on site, rather than cached credentials. This is absolutely critical to:

  • forgotten password resets
  • field personnel passing off a laptop to a fellow employee who hasn’t been cached on it
  • Primarily desktop users who have a laptop for occasional remote use and haven’t used it since before their last password expiration. They know their current password, but not the one cached on that laptop.

A VPN that cannot connect without a successful Windows logon by the end-user is a joke or a toy, and not an enterprise product or even a business product. Is this ever going to be rectified, or is the new model still “screw anyone who can’t afford EMS”?

Between this, Windows Always On VPN Device Tunnel being limited to Enterprise editions, Azure AD not being self hostable like AD, and the dwindling availability of remote support software that uses a hosted server, I get the feeling tech companies are colluding to sabotage capabilities that make mobility practical with things you own, as part of a scheme to sell the narrative that mobility can only be rented (or is “enabled by the cloud”). But maybe I’m just a conspiracy theorist. In any case, I’d like to keep VPN before logon as 6.0 goes EOL, and like most SMBs, cannot buy a huge bundle of other features we don’t need to go with it.

EMS is what, $10 per device per year? Whose money are you saving?

Azure AD not being self hostable like AD

Um… I get your overall complaint, but… this item? I’m not sure why you think that Cloud AD should be self-hosting when non-cloud-AD still exists. On the grounds that I’m overlooking something, what are you asking for from Azure AD that you couldn’t get by spinning up your own Windows server with the AD role on it?

Being able to connect to the corporate network from a button on the Windows login page

Most vendors are going to differentiate between standard features and features that pertain to enterprise networks, and they’re going to try and charge more for the enterprise level stuff.

And as long as Microsoft segments “Always On VPN” to enterprise licensing, then 3rd party vendors are going to consider it safe to do the same (or similar) with their corresponding solutions.

For what it’s worth, this trend is not going to slow down unless we start to see fairly easy to integrate OSS options that compete with them.

You’re gonna need EMS for that my friend. Save Password, VPN before connect, among other features, have been moved to the license-based FortiClient.

This is always my nightmare with vendors like Fortinet. They cut up critical features and move them into more expensive tier to squeeze some juice out of the customer base.

On the flip side, there’s a ton of options for VPN now and I am looking at replacing some old hardware based VPNs (FortiGates and others).

So far, I’m liking the fact that some of the newer entrants are offering pretty generous free tiers and self-serve trials that make it easy to test. Cloudflare and Twingate are good free options and I am testing those and others right now.

I did see that Twingate offers something that can do the VPN before logon flow if you want to check it out.

I feel for you though if you end up having to just bite the bullet and upgrade to EMS. Painful to switch something if it’s mostly working.

Hi,

Just in case someone is still looking into this, FortiClient 6.0.5 still works with FortiOS 7.0.9, VPN before logon and all. It probably works on 6.0.9 but I haven’t had the chance to try it yet.

I just experienced that on a 301E that has just been upgraded from 6.2.11 to 7.0.9, and this is great news actually.

This… it’s indeed very cheap and gives you additional security features such as web filtering, telemetry sharing, ZTNA and more…

We’re an essential company. We don’t like to buy things that will stop working if, for any reason from fiscal to apocalyptic, they can’t be renewed. Exceptions only for things that have to be subscription, and become less secure but don’t self-destruct their basic ability to forward packets at expiration (i.e. definition updates)

And as for “it’s only $10”… if that was a valid reason for the industry to bow to subscriptionification of self-hosted software and hardware, soon we’ll be paying “only $10” for each browser, each OS, each application, access point, switch, keyboard, mouse, webcam, monitor, telephone, etc, every month.

FortiGuard makes sense because it is a continuous service of experts producing new definitions for you, and new firmware updates. Something like that is by necessity subscription, as it is worthless as a static product and must keep up.

Two pieces of hardware I own establishing a connection to one another is a very different story. I will always do everything in my power to oppose the deliberate subscriptionification of things like that. Yes, anyone who takes security seriously will need to pay for patching, but a feature between two devices I own should never stop working because it wasn’t paid for again and again. It keeps doing what it does, without further input from Fortinet. If I don’t demand new work forever, I don’t pay forever. That’s economics.

This trend is:

  • exploitative (especially as in business context a couple years is nothing, and they don’t commit to long term pricing when they suck you in to subscriptions).
  • unnecessarily complex (possible activation issues for things that ought not even need it)
  • a global security risk - decentralization is the internet’s greatest asset, and a company that makes products that will deliberately break if said company no longer exists to renew them is dangerous. Critical industry runs on networks. Without technology, we don’t manage the logistics of food distribution, manufacture or transport medical goods, or do any number of critical things on the scale we’ve come to depend on. A company can cease to exist if it goes bankrupt, is convicted of enough antitrust crap, or if it’s based in a major target like Silicon Valley and the current reckless escalatory games between nuclear powers take a bad turn. The entire world’s technology should not deactivate or self destruct in this case and make a bad situation that much worse as we revert to the stone age.

Are there any vendors left that don’t do this subscriptionification crap and try to turn every product into a service?

what are you asking for from Azure AD that you couldn’t get by spinning up your own Windows server with the AD role on it?

AD is a heap of insecure protocols patched up “well enough” over time. Azure AD’s protocols are built with security in mind, guarded by SSL, and run VPN-less over the internet.

As we have seen with managed AV stuff like ESET and remote support stuff like ConnectWise Control, which can be self hosted and you forward the needed ports inbound, web-safe protocols that don’t require a VPN are not intrinsically tied to the cloud. There is no technical reason such things cannot exist in your datacenter. Self-hosted services that run over the web DO exist, they are just being killed off at an alarming rate, and new ones are not being offered self-hosted.

What does this have to do with FortiClient and other VPNs working before logon? Simple: that’s a feature that makes on-prem AD somewhat viable in a mobile workforce. The collective decision of the software industry to deny us this on a non-subscription basis goes hand in hand with the decision to deny us a modern VPN-less version of AD that we host ourselves. The purpose is to push the narrative that seamless and secure mobility is necessarily cloud-based. They have decided mobility means you need to pay monthly/yearly.

Any existing tools that let you non-obnoxiously integrate mobility into non-subscription products - like VPN-before-logon to make AD fully viable for remote users - are being crippled for non-subscription users because they’re a threat to the notion that mobility without recurring subscriptions can’t work well.

Most vendors are going to differentiate between standard features and features that pertain to enterprise networks, and they’re going to try and charge more for the enterprise level stuff.

Yeah, fine. Nobody said having premium features is a bad thing. The issue isn’t price, it’s subscriptions.

They are trying to fundamentally change the business model. When you sell something, you have to contend with a risk that if you don’t improve it enough, mess it up, or you try to raise your price, people might just keep what they have and not pay you again for longer. For example people who skipped Windows Vista because it was a dumpster fire.

With a subscription, you declare yourself a tax authority who taxes a business’s ability to continue operating on technology they already depend on. And just like a government, you have a captive revenue base that you can depend on whether you produce anything new that they actually want or not. You have no incentive to serve your customers well.

From an economics perspective, when everything is subscriptionified, the market forces and incentives that cause companies to do what their customers want, improve products, and be careful about bugs are diminished substantially as they can depend on their captive, already-dependent revenue base for a long time no matter how badly they screw up.

Great! However, I would expect that using it forever would eventually result in insurance or audit complications for many orgs, as it’s going to be “unsupported”…

FortiClient does not stack up as a replacement for our endpoint AV/security product which also does web filtering and other things. Why would I buy redundant software, which may even conflict in some way (nobody advises having two AV’s)?

Not sure about the first part… Just use the inbuilt IPsec in Windows then?

The client we’re migrating to Fortinet is coming from a Cisco ASA about to go end of life and gets that feature with AnyConnect, so I suppose you could go to ASA running on Firepower boxes, or go with Firepower, but I wouldn’t wish that on my worst enemy.

I agree that it seems shitty to have to pay for VPN licensing as a subscription to allow VPN to connect when I don’t want or need the other FortiClient or EMS features, but I don’t know of a decent alternative (although I don’t have PAN experience so maybe they can do it? That’s the only firewall vendor I’d consider for serious use).
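The built-in Windows client mentioned just above, set up so the profile sits in the all-users phonebook and therefore shows behind the network sign-in icon on the Windows logon screen, which is what gives the “connect, then log on against a DC instead of cached credentials” flow the original post describes. This is an added example, not code from this thread, from Fortinet, or from Microsoft documentation; the gateway name vpn.example.com, the connection name Corp-IKEv2, the internal prefix 10.0.0.0/8 and the presence of a device certificate in the machine store are all assumptions for your own environment.

```powershell
# Added example (not from this thread, not Fortinet or Microsoft documentation).
# Creates a built-in Windows IKEv2 VPN profile in the all-users phonebook so it
# appears behind the network sign-in icon on the logon screen. A user can then
# connect before logon and have Windows authenticate against a domain controller
# rather than cached credentials. Run from an elevated PowerShell on the laptop.
#
# Assumptions (replace for your environment):
#   - vpn.example.com accepts IKEv2 with machine-certificate authentication and
#     the IPsec proposal pinned below
#   - a device certificate chaining to a CA the gateway trusts is already in
#     Cert:\LocalMachine\My
#   - 10.0.0.0/8 is the internal range that must be reachable for logon traffic
#     (DCs, DNS); split tunnelling sends only that range over the VPN

$ConnectionName = 'Corp-IKEv2'   # assumption

$vpn = @{
    Name                 = $ConnectionName
    ServerAddress        = 'vpn.example.com'   # assumption
    TunnelType           = 'IKEv2'
    AuthenticationMethod = 'MachineCertificate'
    EncryptionLevel      = 'Required'
    AllUserConnection    = $true   # all-users phonebook: this is what makes it visible at the logon screen
    SplitTunneling       = $true
    RememberCredential   = $false
    Force                = $true
}
Add-VpnConnection @vpn

# Pin the IPsec proposal instead of relying on the client's default negotiation.
$ipsec = @{
    ConnectionName                   = $ConnectionName
    AuthenticationTransformConstants = 'GCMAES256'
    CipherTransformConstants         = 'GCMAES256'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    PfsGroup                         = 'PFS2048'
    AllUserConnection                = $true
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# Route only the assumed internal range over the tunnel.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix '10.0.0.0/8' -AllUserConnection

# Check 1: the profile must be an all-user connection, or it will not be offered before logon.
Get-VpnConnection -Name $ConnectionName -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling

# Check 2: machine-certificate auth needs a usable cert with a private key in the machine store.
$deviceCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $deviceCert) {
    Write-Warning 'No usable machine certificate in LocalMachine\My; IKEv2 machine-cert auth will fail.'
}

# Dial once from the elevated prompt to prove the gateway side works before relying on the logon-screen flow.
rasdial $ConnectionName
```

Two caveats a practitioner will want. This is the user-initiated “connect at the logon screen, then sign in” flow; it is not the unattended Always On device tunnel, which the thread notes is tied to Enterprise licensing. And the gateway side still has to be configured for IKEv2 with machine certificates and a matching proposal, which is vendor-specific and outside what this snippet does.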

The purpose is to push the narrative that seamless and secure mobility is necessarily cloud-based.

They have decided mobility means you need to pay monthly/yearly.

While I don’t necessarily agree that pushing that narrative is a primary goal, it certainly could be #3 or 4 on the list.

Vendors want more consistent and persistent income. As a customer, I am somewhat annoyed by this, but my annoyance is a little tempered by the fact that I am trying to do the same thing with my business.

So, #1 motive = revenue.

Motive #2, in my mind, is support. It is much easier for Microsoft, Amazon, Google, et al, to support a very limited number of versions and instances of their code, than multiple versions of their code across lots and lots and lots of instances. This ties back to motive #1 in two ways.

-- more support eats into revenue

-- customers don’t upgrade on your schedule, they upgrade on their own, thus less revenue.

AD is a heap of insecure protocols patched up “well enough” over time. Azure AD’s protocols are built with security in mind, guarded by SSL, and run VPN-less over the internet.

Just because Microsoft is able to provide identity services within their cloud environment in a secure way, doesn’t mean that it could be easily self-hosted. We have no real idea of how much is going on behind the scenes in terms of hardware and software to make that stuff work well for the portions that are exposed to us.

So, while I partially share your concerns, I don’t fully agree with your analysis, nor your proposed solution.

Could Microsoft package and offer an Azure AD Lite that was more locked down? Sure, they could probably do so. But, it’s not really in their best interest to do so. They are spending gobs and gobs of funds to run Azure, and that place is not going to pay for itself if all the features it has are offered somewhere else.

And, a huge part of why any solution is insecure has everything to do with configuration – and most end-user organizations are not that good at secure configuration management.

The only way this changes is if the OSS community provides robust and relatively easy to use solutions in a few of these areas, AND businesses push back on the costs of cloud, etc. But, it is not likely to happen. The costs of self-hosting are non-trivial for larger orgs, and very complex for the smallest orgs also.

Thanks for your response to my earlier post. This additional context was very helpful.

The client we’re migrating to Fortinet is coming from a Cisco ASA about to go end of life and gets that feature with AnyConnect

While you get a better client with AnyConnect you still have to pay for VPN licenses with AnyConnect.

and that place is not going to pay for itself if all the features it has are offered somewhere else.

Exactly! They have the option to make sure it is not “offered somewhere else”. If a non-monopoly decided something shouldn’t be “offered somewhere else” in a way many, many customers would want - then their company would die. Companies in a competitive marketplace don’t get to decide a better option customers want shouldn’t exist.

For example, if Ford decided cars could only be leased, that’d be a real great decision… for all the other brands anyway, as they’d get all the non-lease customers! Only way Ford would survive and thrive on such a move is if most existing roads and gas pumps were somehow only compatible with Ford.

So you’ve made my point for me. Microsoft has recognized its own ability to make decisions about what is and isn’t available in the market as a whole, and is exercising that deliberately in a way a non-monopoly couldn’t ever survive attempting. Their actions are a de facto acknowledgement of their own monopoly status. Unfortunately the bought-and-paid-for joke that calls itself the United States government has totally abandoned antitrust when it comes to operating systems and platform lock-in.

If a non-monopoly decided something shouldn’t be “offered somewhere else” in a way many, many customers would want - then their company would die.

Um… Many, many SaaS companies – which are clearly not monopolies – do the same thing. They only offer a cloud instance of their app, or they put far more features in their cloud instance than in any on-prem option they might or might not offer.

This is not a function of being a monopoly. Can it be used by an org with monopoly-like reach? Sure. Everything a company with competitors can do, an org with a monopoly can also do. But this is more about ROI than market strength.

None of the big three cloud providers is offering self-hosting options for their environments. (Microsoft is at least doing hybrid options.) Not AWS, not Microsoft and not Google. (And Microsoft is not even the largest of the big 3.)

Your original complaint was about Fortinet and the VPN feature. Surely, you don’t mean to suggest that Fortinet has a monopoly in VPN or networking or firewalls?

This is not about being a monopoly.

No Fortinet is not a monopoly. There are other vendors not doing this crap and we very well may use one at next replacement.

You turned the conversation towards my comment about Azure AD subscriptions being the only mobility-friendly AD option - Microsoft is an effective monopoly, holding hostage decades of third-party apps in the circlejerk of “gotta develop for Windows since everyone has it, and then gotta have Windows since everyone develops for it”. That’s the only reason they can move their entire management system to the cloud and not lose their business, while FortiGates at least continue forwarding packets without a subscription. FortiGate would not get away with Microsoft’s crap because only a monopoly can.