Chapter 14 Managing Devices for FortiOS 5.0 : Endpoint Protection : Configuring endpoint registration over a VPN
  
Configuring endpoint registration over a VPN
FortiGate units can register FortiClient-equipped endpoints over either an interface-based IPsec VPN or a tunnel-mode SSL VPN. After the user authenticates, the FortiGate unit sends the FortiClient application the IP address and port to be used for registration. If the user accepts the FortiGate invitation to register, registration proceeds and the FortiClient profile is downloaded to the client.
Users without FortiClient Endpoint Security connecting to the SSL VPN through a browser can be redirected to a captive portal to download and install the FortiClient software. The security policy must enable Redirect all non-compliant/unregistered FortiClient compatible devices to a captive portal, but not select any specific device types.