Enterprise Security Deployment: Navigating Multi-Vendor Environments


Challenge

The enterprise retailer needed to strengthen endpoint security by restricting VPN access to compliant devices only. With almost 600 corporate laptops connecting remotely to critical business systems, the security requirement was clear: verify endpoint compliance before granting VPN access, not after.

Fortinet EMS provided the solution architecture. Security posture checks would validate each endpoint before permitting VPN connections, ensuring that only properly configured and compliant machines could access the corporate environment. The technical capability existed. The complexity lay in the existing security ecosystem that it needed to integrate with.

The environment already included CrowdStrike Falcon for endpoint detection and response, Cisco ISE for network access control, and the Fortinet security fabric managing firewalls, authentication, and VPN infrastructure. Deploying Fortinet EMS meant navigating dependencies between all these platforms whilst maintaining business operations for a distributed workforce that relied on VPN connectivity for daily work.

Enterprise security implementations rarely involve single-vendor environments. The challenge wasn’t just deploying EMS; it was ensuring that the solution worked correctly alongside existing security investments without creating gaps or conflicts that could leave endpoints stranded.

Approach

We began with the integration architecture, mapping how Fortinet EMS would interact with the existing security stack. The deployment workflow required endpoints to connect to EMS, receive their VPN configuration and security policies, then use those credentials to establish VPN connections. Simple enough in isolation.

The complexity emerged when we examined the CrowdStrike dependency. The existing CrowdStrike Falcon configuration required VPN connectivity to reach its management console. This created an immediate problem: CrowdStrike had to be functioning to permit access to EMS, EMS had to be reachable to deliver the VPN configuration, and the VPN had to be up before CrowdStrike could function correctly.

We identified this catch-22 during initial testing on a pilot machine. Without resolution, any endpoint that lost VPN connectivity would become stranded, unable to reconnect because the circular dependency prevented any component from functioning independently. For a distributed retail workforce, this meant potential business disruption every time connectivity issues occurred.

Our recommendation addressed the dependency directly: configure CrowdStrike Falcon to permit access to both the EMS cloud URLs and its own management console without requiring VPN. This approach preserved security controls whilst eliminating the circular dependency that could strand endpoints. The client’s security team implemented this configuration based on our architectural guidance.
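The catch-22 above is easier to see, and easier to prove fixed, when the endpoint's prerequisites are written down as a dependency graph and checked mechanically. The following is an added example, not part of the original case study and not Fortinet or CrowdStrike configuration: the capability names and the two graphs are assumptions that model the situation described, and the "after" graph applies the recommended change (Falcon reaches its console and the EMS cloud URLs without the VPN).

```python
# Hypothetical dependency model of the catch-22 described in the case study.
# Each key is a capability an endpoint needs; the value is the set of capabilities
# that must already hold before it can be established. All names are assumptions,
# not Fortinet EMS or CrowdStrike Falcon identifiers.
BEFORE = {
    "internet": set(),                                   # plain connectivity, always present
    "falcon_console_reachable": {"vpn_connected"},       # console only reachable over the VPN
    "falcon_functional": {"falcon_console_reachable"},   # sensor needs its console to apply policy
    "ems_reachable": {"falcon_functional", "internet"},  # Falcon must permit EMS cloud traffic
    "vpn_profile_received": {"ems_reachable"},           # EMS delivers the VPN configuration
    "vpn_connected": {"vpn_profile_received"},           # the VPN needs that profile
}

# Recommended change: Falcon reaches its console (and the EMS cloud URLs) without the VPN.
AFTER = dict(BEFORE)
AFTER["falcon_console_reachable"] = {"internet"}


def find_cycle(graph):
    """Return one dependency cycle as a list of names (first == last), or None if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    stack = []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for dep in graph.get(node, ()):
            if colour.get(dep, WHITE) == GREY:
                # dep is still on the current path: the path from dep back to itself is a cycle
                return stack[stack.index(dep):] + [dep]
            if colour.get(dep, WHITE) == WHITE:
                found = visit(dep)
                if found:
                    return found
        stack.pop()
        colour[node] = BLACK
        return None

    for node in list(graph):
        if colour[node] == WHITE:
            found = visit(node)
            if found:
                return found
    return None


def reachable(graph, available=()):
    """Fixed point: every capability an endpoint can establish from what it already has."""
    have = set(available)
    changed = True
    while changed:
        changed = False
        for capability, deps in graph.items():
            if capability not in have and deps <= have:
                have.add(capability)
                changed = True
    return have


def is_stranded(graph, goal="vpn_connected"):
    """True if an endpoint that has just lost its VPN can never re-establish `goal`."""
    return goal not in reachable(graph)


if __name__ == "__main__":
    print("before:", find_cycle(BEFORE), "stranded:", is_stranded(BEFORE))
    print("after: ", find_cycle(AFTER), "stranded:", is_stranded(AFTER))
```

The second check is the one that matters operationally: an endpoint that has dropped off the VPN starts with nothing but plain connectivity, and `reachable` shows whether it can climb back to a working tunnel from there. A cycle that never includes the VPN would be harmless; this one traps the VPN itself.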

For the rollout itself, we recommended staged deployment. Starting with a small group of test users would validate the integration, identify any environmental issues, and build confidence before broader deployment. Testing with fourteen users over several days confirmed that the configuration worked correctly: FortiClient installed successfully, connected to EMS, received the correct policies based on Active Directory group membership, and provided VPN access to compliant endpoints.

Figure: Multi-vendor security integration architecture showing Fortinet EMS deployment with CrowdStrike and Cisco ISE dependencies resolved

Solution

The technical implementation centred on policy-based endpoint management through Fortinet EMS. Domain-joined machines received policies automatically based on their Active Directory security group membership, ensuring that the correct VPN profiles were deployed to the right user groups.

The security posture framework operates in two stages. First, endpoints receive their configuration and VPN profiles regardless of compliance status. Second, the security posture check determines whether that endpoint meets compliance requirements for actual VPN connectivity. This separation ensures that devices always receive updated configurations whilst still enforcing compliance requirements for network access.

Key validation checks confirmed successful deployment:

  • FortiClient installation completing correctly with embedded EMS configuration
  • Telemetry connection establishing between endpoint and EMS cloud
  • Policy synchronisation delivering correct profiles based on group membership
  • VPN tunnels appearing on endpoints ready for compliant connections

The integration with the existing Fortinet infrastructure, including FortiGate firewalls, FortiAnalyzer, and FortiAuthenticator, meant that EMS became part of the broader security fabric rather than operating as an isolated tool. Security posture tags from EMS can inform firewall policies, creating consistent access control across the environment.
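The two-stage framework in the Solution section (configuration delivered to every domain-joined endpoint by group membership, compliance checked separately before VPN access) and the posture tags that feed firewall policy can be modelled in a few lines. This is an added illustration, not the project's or Fortinet's code: the group names, compliance rules, tag values and firewall actions are assumptions chosen to show the separation of the two stages, and the endpoint records are constructed sample data.

```python
# Hypothetical model of the two-stage posture flow. Group names, rules, tags and
# firewall actions are assumptions for illustration, not Fortinet EMS settings.
PROFILE_BY_GROUP = {
    "Retail-Store-Ops": "vpn-store-ops",
    "Corporate-Finance": "vpn-finance",
}
DEFAULT_PROFILE = "vpn-standard"

# Each rule returns True when the endpoint satisfies it.
COMPLIANCE_RULES = {
    "edr_running": lambda ep: ep["edr_running"],
    "disk_encrypted": lambda ep: ep["disk_encrypted"],
    "os_patched_within_30_days": lambda ep: ep["os_patch_age_days"] <= 30,
}

# What a firewall policy keyed on the posture tag would do with the connection.
FIREWALL_ACTION_BY_TAG = {"compliant": "allow", "non-compliant": "quarantine"}


def assign_profile(endpoint):
    """Stage 1: pick the VPN profile from AD group membership, regardless of compliance."""
    for group in endpoint["ad_groups"]:
        if group in PROFILE_BY_GROUP:
            return PROFILE_BY_GROUP[group]
    return DEFAULT_PROFILE


def posture_check(endpoint):
    """Stage 2: evaluate every rule; the tag is 'compliant' only if none fail."""
    failed = [name for name, rule in COMPLIANCE_RULES.items() if not rule(endpoint)]
    return ("compliant" if not failed else "non-compliant"), failed


def process_endpoint(endpoint):
    """Run both stages and report what the endpoint received and what it is allowed."""
    profile = assign_profile(endpoint)          # always delivered
    tag, failed = posture_check(endpoint)       # gates VPN access
    return {
        "host": endpoint["host"],
        "profile": profile,
        "tag": tag,
        "failed_rules": failed,
        "vpn_allowed": tag == "compliant",
        "firewall_action": FIREWALL_ACTION_BY_TAG[tag],
    }


# Constructed sample endpoints (not real hosts).
SAMPLE_ENDPOINTS = [
    {"host": "LAPTOP-001", "ad_groups": ["Retail-Store-Ops"], "edr_running": True,
     "disk_encrypted": True, "os_patch_age_days": 12},
    {"host": "LAPTOP-002", "ad_groups": ["Corporate-Finance"], "edr_running": True,
     "disk_encrypted": False, "os_patch_age_days": 3},
    {"host": "LAPTOP-003", "ad_groups": [], "edr_running": False,
     "disk_encrypted": True, "os_patch_age_days": 45},
]


def process_all(endpoints=SAMPLE_ENDPOINTS):
    return [process_endpoint(ep) for ep in endpoints]


if __name__ == "__main__":
    for result in process_all():
        print(result)
```

Note that LAPTOP-002 still receives its finance VPN profile even though it fails disk encryption: stage 1 keeps its configuration current, so once the drive is encrypted the next posture check flips the tag and the already-installed profile becomes usable without a second rollout.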

For the 597 corporate laptops in scope, the bulk deployment proceeded through the change window available between change freezes. The compressed timeline meant that deployment happened more rapidly than the phased approach we had recommended, and this revealed additional complexity that extended troubleshooting requirements. Some issues were traced to third-party application interactions rather than the EMS deployment itself, demonstrating how enterprise environments surface unexpected dependencies at scale.

Outcome

The deployment achieved its primary objective: 455 endpoints are now successfully running Fortinet EMS with security posture checks controlling VPN access. The remaining endpoints, a minority, will receive their installation as users reconnect and bring them online.

The security improvement is substantial. VPN access now requires endpoint compliance verification, closing a gap where any device with credentials could previously connect regardless of its security status. The retailer gained visibility into endpoint compliance across their distributed workforce, with centralised management through EMS providing control that didn’t exist before.

The integration process revealed additional optimisation opportunities for the new year. The Fortinet EMS deployment uncovered an interaction with Cisco ISE involving hostname passing that requires further investigation once the change freeze concludes. Rather than rushing a fix during a restricted period, this becomes part of the ongoing security roadmap, to be addressed properly when testing windows permit.

The deployment also establishes the foundation for planned expansion. The 1,500 licenses purchased accommodate future rollout to store tablets, corporate mobile devices, and bring-your-own-device scenarios. EMS tags will eventually provide consistent web access control across all device types, replacing older authentication methods with cleaner policy-based management.

What Made the Difference

Three factors enabled successful deployment in this complex environment.

The first was architectural analysis before deployment. We identified the CrowdStrike dependency that could have stranded endpoints, discovering this catch-22 during pilot testing rather than during production rollout. This prevented a scenario where distributed endpoints lost connectivity with no path to recovery. The solution we recommended preserved security controls whilst eliminating the circular dependency.

The second was recognising that EMS doesn’t operate in isolation. Every enterprise environment includes existing security investments, and successful deployment requires integrating with CrowdStrike, Cisco ISE, and the existing Fortinet infrastructure rather than treating each platform independently. This multi-vendor awareness shaped both the implementation approach and the troubleshooting methodology when issues emerged at scale.

The third was treating discoveries as roadmap items rather than blockers. The Cisco ISE interaction requires investigation, but it doesn’t prevent the deployment from delivering value now. Security improvements are operating immediately whilst additional optimisation continues through the ongoing partnership.

Does your security environment involve multiple vendors requiring careful integration? Our threat detection and security expertise helps enterprises deploy new capabilities without disrupting existing investments.
Jacques van der Merewe
