An IT department must provide wireless security to employees connected over remote hortiAP devices who...

The scenario involves employees connecting via remote FortiAP (FAP) devices, with a requirement to enforce corporate security policies for all wireless stations at branch/remote sites.

Teleworker topology (also called remote AP, or split-tunnel mode) is designed exactly for this:

FortiAP at remote sites connects to the main office FortiGate via a secure tunnel (CAPWAP over VPN or DTLS).

Traffic destined for corporate resources is tunneled back to the main office for full security inspection and policy enforcement.

Local internet-bound traffic can be split off locally (split-tunnel) or tunneled back as well (full-tunnel), based on policy.

This ensures all employee wireless sessions accessing corporate resources are subject to central security policies, without requiring local IT staff.

Option A (VPN tunnels) is part of the teleworker topology but doesn't by itself ensure wireless security enforcement or policy application for wireless stations—teleworker/split-tunnel is more precise.

Option B is impractical and unnecessary.

Option C moves resources to the cloud, but this does not ensure security enforcement for wireless clients over remote links.

Summary: Teleworker topology on FortiAP allows secure, policy-enforced connectivity from remote sites back to HQ for all wireless stations.