When looking into this, I found this device called a remote AP. It’s an access point that can be preconfigured to set up a VPN to a wireless controller. This allows you to set up the device, then go anywhere with network access and plug it in. From there, you’ll start receiving your corporate Wi-Fi. There are three companies that do this to my knowledge: Cisco, Aruba, and Fortinet.
Fortinet Remote AP
Fortinet doesn’t broadcast very well that they do this, but it works nicely. Inside the Fortigate there is a wireless controller. This can manage its local Wi-Fi (FortiWiFi feature) or FortiAPs. Fortigate makes three remote APs and a remote Fortiswitch. The Fortiswitch works the same way but doesn’t have a wireless chipset. The FortiAP 28C is a Fortiswitch 28C with Wi-Fi, built for a little more than small team. The FortiAP 14C, built for small team and about the size of smartphone. Lastly, the 11C which has the power adapter built in and is for a duo or trio.
These APs are light and compact. Once you configure one of these devices, they can essentially plug and play. Just plug in the ethernet cord and the power and it will automatically connect up to your work. It works by creating a secure IPSEC VPN to your network. This is great for a traveling salesman or group of engineers that need get some work done while away from the office. You can also use this for a remote site. If it’s not practical to send a tech onsite for a few users, it’s easy to configure this and ship it to them.
Setting this up is very simple. In your Fortigate, go to the wireless controller and make a SSID. Then, create a custom AP profile for the device or group of devices. Now, you can add the IP of your Fortigate to the WTP configuration (on static) and set your network configuration to DHCP. You now just make the appropriate policies for the SSID, as if the SSID was another physical port on the device.
You can also put the SSID and the internal on a software switch, if your subnet can fit all the devices. I recommend these instructions from Fortinet. When checking the connection to the AP, it is under Wireless controller and managed access points. It creates an IPSEC VPN but it doesn’t show up in the monitor (even in CLI).
This device can be easily set up for mobile users or remote sites. You can use a FortiAP to turn your hotel room into your new office. You can have multiple laptops sharing corporate data and phones to call your colleagues. When you have a remote site, it works the same way. You configure the device, ship it, plug it in and it works. This is the perfect device for the CEO who works from home and needs everything. (Laptops, phones, printers, etc.)
This is a good device but it’s not right for every scenario.
The device doesn’t allow split tunneling, which means your speed is capped by the lowest speed between corporate site and remote site (up and down). This isn’t a factor for the remote user but, the remote site could experience speed issues. The AP controller address only allows for 16 characters. This is because it only accepts IP addresses for the Wi-Fi controller.
When I tested my AP, I had the local address first in the controller list and the public second. The site I was at had a similar addressing scheme and it never went to the second address. You need a wired internet connection to the device.
I think if Fortinet added split tunneling, 3G/4G/LTE onboard, and made it so you could add the MAC address of the Fortigate for local access (to fix the addressing issue), it would make possibly one of the best things Fortinet offers because the main Fortigate pushes applies its UTM features to the AP.
The Bottom Line
If you didn’t read anything above, the FortiAP is a great device that can allow a small group of people connectivity to the corporate network and all the UTM features of the Fortigate. This can connect laptops, desk network phones, printers, and has Wi-Fi. The great thing about a remote AP, it doesn’t have to be a separate segment of your network. It can be an extension of your actual network, using the same IPs and subnet.