Solving the FortiClient VPN Mystery: Why Remote Access Disappears and How to Restore It
For IT administrators managing remote workforces, few issues are as urgent as a virtual private network (VPN) that simply vanishes from an employee's endpoint. Across Fortinet community forums and support channels, a persistent problem emerges: the Remote Access tab or feature disappears from the FortiClient graphical user interface (GUI) on managed endpoints. This leaves users stranded, unable to connect to corporate resources, and administrators scrambling for a fix.
This article synthesizes solutions from official Fortinet documentation and community troubleshooting threads to provide a comprehensive guide to diagnosing and resolving this disruptive issue.
The Core of the Problem: Why the VPN Feature Vanishes
The disappearance of the Remote Access feature in FortiClient is rarely a client-side bug. Instead, it is almost always a configuration or communication issue between the FortiClient endpoint and the FortiClient Endpoint Management Server (EMS). When managed by an EMS server, the client's interface and capabilities are dynamically controlled by profiles and policies pushed from the central administrator.
Based on analysis of recurring community reports and official guides, the root causes typically fall into four categories:
- A Specific XML Configuration Flag: A hidden setting within the Remote Access profile on the EMS.
- Licensing and Grace Periods: The endpoint's licensed features expiring due to a lapsed connection to EMS.
- Client Installation or Version Issues: Problems arising from the installation process or version mismatches.
- Policy and Profile Configuration: Incorrect or conflicting policy assignments on the EMS.
Root Cause 1: The Hidden XML Setting (The Most Common Fix)
A highly specific solution, documented by users in the Fortinet Community Forum, involves a single parameter in the EMS profile's XML configuration.
The Problem
Even if a Remote Access profile is correctly assigned to an endpoint policy, the feature may not appear in the FortiClient GUI. Administrators confirmed that the profile was applied, and other features were visible, but the Remote Access tab was missing.
The Solution
The fix requires editing the Remote Access profile directly on the EMS server:
- In the FortiClient EMS console, navigate to Endpoint Profiles > Remote Access.
- Edit the relevant Remote Access profile.
- Click the XML option (typically located in the top-right corner of the editor).
- Scroll through the XML code and locate the following tag:
  <remote_access_enable>0</remote_access_enable>
- Change the value from 0 to 1.
- Save the profile and redeploy it to the affected endpoints.
Once the updated profile syncs to the FortiClient, the Remote Access feature should become visible. One community member noted that after making this change, a simple reinstallation of the client on the endpoint triggered the tab to reappear.
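To check many profiles for this flag at once, the following added example (not Fortinet code and not from the community thread) classifies XML text copied out of each profile's XML editor. Only the remote_access_enable tag name comes from this article; the wrapper elements, profile names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "remote_access_enable"  # tag name taken from the article

# Constructed sample profile XML: only the flag tag comes from the article;
# the <profile>/<vpn> wrappers and the profile names are hypothetical.
SAMPLE_PROFILES = {
    "Default": "<profile><vpn><remote_access_enable>1</remote_access_enable></vpn></profile>",
    "Sales-VPN": "<profile><vpn><remote_access_enable>0</remote_access_enable></vpn></profile>",
    "Contractors": "<profile><vpn><sslvpn/></vpn></profile>",
    "Lab": "<profile><vpn><remote_access_enable> 1 </remote_access_enable>"
           "<remote_access_enable>0</remote_access_enable></vpn></profile>",
    "Broken": "<profile><vpn><remote_access_enable>1</vpn></profile>",
}


def check_profile(xml_text):
    """Classify one profile by the state of its remote_access_enable flag."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "malformed"      # truncated copy or a broken hand edit
    # Search the whole tree so the check does not depend on the wrapper layout.
    values = [(el.text or "").strip() for el in root.iter(FLAG)]
    if not values:
        return "missing"        # tag absent: confirm the effective value in EMS
    if len(set(values)) > 1:
        return "conflicting"    # the tag appears more than once with different values
    if values[0] == "1":
        return "enabled"
    if values[0] == "0":
        return "disabled"       # the state described in Root Cause 1
    return "invalid"            # something other than 0 or 1


def audit(profiles):
    """Map each profile name to its flag state."""
    return {name: check_profile(text) for name, text in profiles.items()}


def needs_fix(profiles):
    """Names of profiles whose flag is anything other than a clean 1."""
    return sorted(name for name, state in audit(profiles).items() if state != "enabled")


if __name__ == "__main__":
    for name, state in audit(SAMPLE_PROFILES).items():
        print(f"{name}: {state}")
```

Profiles reported as anything other than enabled are the ones to open in the EMS XML editor and correct as described above.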
Root Cause 2: EMS Licensing and Connection Grace Periods
When FortiClient is managed by EMS, its licensed features are maintained through a regular "check-in" with the server. If this connection is broken, features can disappear after a grace period.
The Problem
Users report that the Remote Access feature was present immediately after installation but vanished after several days. This is a classic symptom of the endpoint failing to maintain a licensed connection to the EMS.
The Solution
Administrators must verify two key settings on the EMS:
- Endpoint Connection to EMS: On the affected FortiClient, check the Zero Trust Telemetry or connection status tab. It must show a successful and current connection to the EMS server address. If it does not, resolve the network or firewall issues preventing this connection.
- License Retention Period in EMS: In the EMS, navigate to System > Settings > Endpoints. Here, an administrator can define the "License Retention Period in Days." This setting determines how long an endpoint retains its licensed features after its last successful connection to EMS. Ensure this period is set appropriately for your network environment.
As stated in an EMS administration guide, the "Remote Access" checkbox in the profile "has no effect on FortiClient Android and iOS where the remote access feature is always enabled regardless of the EMS configuration." This issue is primarily relevant to Windows and macOS clients.
Root Cause 3: Client Installation and Version Management
Sometimes, the issue stems from the local client installation or a version mismatch with the EMS.
The Problem
Corrupted local client files or installing a FortiClient version that is not fully compatible with the EMS server version can lead to missing features.
The Solution
- Clean Reinstallation: Perform a complete uninstallation of FortiClient from the endpoint using the official FortiClient Uninstall Tool (available from Fortinet support). Then, reinstall the correct version of the client, ensuring it connects to EMS during or immediately after setup.
- Version Compatibility: Consult the Fortinet documentation to ensure the FortiClient version on the endpoint is supported by the version of the EMS server. Deploying client upgrades through the EMS console is the most reliable method to maintain compatibility.
Root Cause 4: Profile and Policy Assignment Conflicts
The structured nature of EMS management means a missing feature can result from an incorrect policy assignment.
The Problem
An endpoint may be receiving a policy that either does not include a Remote Access profile or is being overridden by another configuration.
The Solution
- Verify Policy Assignment: In EMS, go to Endpoint Policy & Components > Manage Policies. Check which policy is assigned to the endpoint or endpoint group in question. Edit that policy and confirm that the correct Remote Access profile is selected in the VPN section.
- Check for Multiple Assignments: Ensure the endpoint is not receiving conflicting profiles from multiple policy sources (e.g., both an individual endpoint assignment and a group assignment).
Diagnostic Flowchart: Finding Your Fix
The following flowchart provides a systematic method for troubleshooting the missing Remote Access feature based on the root causes detailed above:
flowchart TD
    A[Remote Access Tab Missing<br>in FortiClient GUI] --> B{Is FortiClient<br>successfully connected to EMS?}
    B -- No --> C[Resolve EMS Connection Issue<br>Check network/firewall]
    C --> D[Verify license retention<br>period in EMS settings]
    B -- Yes --> E{Is a Remote Access Profile<br>assigned in the endpoint policy?}
    E -- No --> F[Assign correct<br>Remote Access Profile in EMS Policy]
    E -- Yes --> G{Is the<br>remote_access_enable<br>XML flag set to 1?}
    G -- No or Unknown --> H[Edit Profile XML on EMS:<br>Set remote_access_enable to 1]
    G -- Yes --> I[Perform clean<br>reinstall of FortiClient<br>on endpoint]
    D --> Z[Feature Restored]
    F --> Z
    H --> Z
    I --> Z
Frequently Asked Questions (FAQ)
Q: I changed the XML flag to "1" and my users still don't see the tab. What now?
A: First, confirm the new profile has successfully synchronized to the endpoint (check the endpoint's status in EMS). If it has, try a clean reinstallation of the FortiClient software on the problematic endpoint, as this can refresh the local configuration cache.
Q: Does this issue affect all operating systems equally?
A: No. According to Fortinet documentation, the EMS setting to show or hide the remote access feature has no effect on FortiClient for Android and iOS, where the feature is always enabled. This problem is most common on Windows and macOS installations.
Q: What's the first thing I should check when this is reported?
A: Immediately verify the endpoint's connection status to the EMS server from within the FortiClient GUI. A lack of connection is the most straightforward explanation for licensed features, including VPN, disappearing after a grace period.
Q: Can end-users fix this problem themselves?
A: Generally, no. Since the cause is almost always tied to central EMS configuration, policy, or licensing, it requires administrative access to the FortiClient EMS console to resolve. The end-user's best action is to report the issue to their IT support team.
In conclusion, the vanishing FortiClient Remote Access tab is a solvable problem rooted in the centralized management architecture of the Fortinet ecosystem. By methodically checking the EMS connection, licensing settings, XML profile configuration, and policy assignments, IT administrators can reliably restore secure remote access to their users.