As hybrid work becomes the norm, enterprises are under increasing pressure to secure remote access without compromising user experience. Traditional SSL VPN solutions based on usernames and passwords are no longer sufficient to defend against modern threats such as credential theft, phishing, and MFA fatigue attacks.
At the same time, organizations are adopting Always-On VPN to enforce continuous access control and align with Zero Trust principles. However, this introduces a new operational challenge:
A single misconfiguration can result in VPN connection loops, endpoint lockouts, and widespread disruption to business operations.
This leaves many IT teams with a critical question:
Is certificate-based authentication worth the added complexity of PKI and endpoint management?
This guide provides a practical, end-to-end breakdown of how to design and deploy a Certificate-First Always-On IPSec VPN using FortiClient EMS 7.4.5, focusing on real-world architecture, deployment workflows, and failure prevention.
Table of Contents
- Part 1: Why Certificate-Based Authentication Is Becoming the Default
- Part 2: Architecture Overview: FortiGate + EMS + PKI
- Part 3: Deployment Deep Dive
- Part 4: The Biggest Risk: Always-On VPN Lockout
- Part 5: Common Failure Points
- Part 6: Real-World Deployment Insight
- Part 7: Planning Considerations
- Part 8: FAQ

Part 1: Why Certificate-Based Authentication Is Becoming the Default
Traditional VPN authentication relies on user credentials. While easy to deploy, this approach introduces several risks:
- Credentials can be reused, leaked, or phished
- Attackers can bypass MFA through advanced techniques
- No verification of device trust
Certificate-based authentication addresses these limitations by shifting trust from user identity to device identity.
Key Advantages
- Strong cryptographic authentication
- Resistance to phishing and credential reuse
- Automatic, non-interactive authentication
- Seamless integration with Always-On VPN
In Always-On scenarios, certificates enable VPN connections to be established silently at system startup—without requiring any user interaction.
Part 2: Architecture Overview: FortiGate + EMS + PKI
A successful deployment depends on tight coordination between multiple components.
Core Components
- FortiGate Firewall — IPSec VPN gateway and policy enforcement
- FortiClient EMS 7.4.5 — Endpoint management and configuration orchestration
- PKI Infrastructure (AD CS / Azure / Intune) — Certificate issuance and trust
- Identity Source (optional) — Active Directory or Azure AD
End-to-End Workflow
- Endpoint receives a machine certificate via PKI
- FortiClient selects the certificate based on EMS profile configuration
- IPSec tunnel is initiated using IKEv2
- FortiGate validates the certificate against trusted CA
- Access policies are enforced based on device identity and posture
This architecture ensures that only trusted and managed endpoints can access internal resources.
Part 3: Deployment Deep Dive
1. Zero-Touch Certificate Distribution
Manual certificate deployment does not scale.
Instead, use:
- Active Directory Group Policy (GPO)
- Mobile Device Management (MDM) tools such as Microsoft Intune
Best practice:
- Issue machine certificates with hostname as Common Name
- Distribute root CA certificates automatically
This enables seamless and scalable certificate lifecycle management.
2. FortiClient EMS Profile Configuration
FortiClient EMS acts as the central control point for endpoint behavior.
A key requirement is ensuring that the correct certificate is selected automatically.
Example configuration concept:
WIN10*
- Matches endpoint hostname
- Ensures correct certificate selection
- Avoids manual user interaction
Misconfiguration at this stage is one of the most common causes of deployment failure.
3. Enabling Pre-Logon Always-On VPN
To achieve true Always-On behavior, VPN connectivity must start before user login.
true
This ensures:
- VPN connection is established at system startup
- Domain controllers are reachable at login
- No dependency on user action
4. FortiGate IPSec Configuration (IKEv2 Requirement)
A critical detail in FortiClient EMS 7.4.5 deployments:
IKEv1 is no longer supported for IPSec VPN.
Required configuration:
- IKEv2 protocol
- Authentication method: X.509 Certificate
For environments with restrictive networks (e.g., public Wi-Fi):
- Enable IPSec over TCP or Auto mode
- Improve tunnel stability across varying conditions
5. Pre-Logon to User Session Transition
A well-designed workflow looks like this:
- Device boots and connects to the internet
- FortiClient establishes VPN using machine certificate
- User logs into the system
- EMS applies user-based policies or ZTNA tags
This creates a seamless experience where:
- VPN is always active
- Authentication is invisible
- Security is enforced continuously
Part 4: The Biggest Risk: Always-On VPN Lockout
The most critical failure scenario in Always-On deployments is endpoint lockout.
If:
- VPN fails to establish
- Network lockdown is enforced
Then:
- The endpoint cannot access internal or external resources
- The user is effectively locked out
How to Prevent Lockout Scenarios
1. IPSec to SSL VPN Failover
Automatically switch to SSL VPN if IPSec fails. Useful in networks blocking UDP traffic.
2. Captive Portal Exceptions
Allow access to Wi-Fi login pages to prevent connection deadlocks in public networks.
3. Break-Glass Access Strategy
Require password for EMS disconnect instead of disabling it, allowing IT teams to recover endpoints remotely.
Part 5: Common Failure Points
The following table summarizes typical failure points and causes:
| Issue | Typical Cause |
| Certificate mismatch | Incorrect template or CA trust chain |
| VPN connection loop | Authentication failure with Always-On retry |
| EMS sync issues | Endpoint not receiving updated profiles |
| Tunnel instability | Network restrictions blocking IPSec |
Most issues arise not from individual misconfigurations, but from misalignment between PKI, EMS, and VPN configurations.
Part 6: Real-World Deployment Insight
A mid-sized enterprise with approximately 500 remote users transitioned from a traditional SSL VPN to a certificate-based Always-On IPSec architecture.
Before:
- Frequent password resets
- Increased phishing-related incidents
- Inconsistent VPN usage
After:
- Seamless, always-connected remote access
- Reduced security incidents
- Lower operational overhead for IT teams
The success of the deployment was largely due to:
- Automated certificate distribution
- Controlled pilot rollout
- Careful fail-safe design
Part 7: Planning Considerations
When preparing for deployment, organizations often underestimate:
- Hardware capacity for concurrent VPN sessions
- Compatibility between FortiOS and EMS versions
- Licensing requirements (ZTNA, EMS tiers)
- Network conditions across global users
Addressing these factors early can help prevent redesign and ensure a smoother rollout.
Part 8: FAQ
Is certificate-based VPN worth the complexity?
Yes. It significantly improves security and reduces reliance on vulnerable credentials.
Can I migrate gradually from password-based VPN?
Yes. Many organizations adopt a hybrid model during transition.
What is the biggest deployment risk?
Endpoint lockout caused by Always-On VPN misconfiguration.
How can deployment risks be minimized?
Through pilot testing, staged rollout, and proper fail-safe design.
Do I need PKI for this setup?
Yes. Certificate-based authentication depends on a properly designed and managed PKI infrastructure.
For teams planning production deployment, aligning architecture design with hardware selection early can help avoid unnecessary redesign and performance bottlenecks later.
Learn more about enterprise-grade network hardware and remote access solutions at Router-switch or check inventory and quotes at IT-Price.

Expertise Builds Trust
20+ Years • 200+ Countries • 21500+ Customers/Projects
CCIE · JNCIE · NSE7 · ACDX · HPE Master ASE · Dell Server/AI Expert



































































































































