What’s New in FortiClient 5.4

Deploy FortiClient using Microsoft SCCM 2012

The Microsoft System Center 2012 Configuration Manager (SCCM) may be used to deploy and manage multiple FortiClient Installations. This section presents various scenarios that you can utilize.

A fully functional SCCM server, along with discovered devices, is required. Visit the Microsoft web site for supporting documentation.

These instructions assume you have already installed and configured SCCM. If you have not, please refer to Microsoft’s online help sources for information on this task.

The following topics are detailed in this section:

- SCCM setup
- Task sequences
- Task sequence examples for FortiClient

SCCM setup

Microsoft maintains a public, free virtual lab of the System Center 2012 Configuration Manager (SCCM) at http://technet.microsoft.com/virtuallabs/bb539977.

At this page you can access a completely installed and properly configured system that can be used for testing various SCCM deployment scenarios. For ongoing enterprise use, a new system has to be created and configured.

The following subsections discuss some of the preparations required to enable control of FortiClient host computers.

Client discovery options and configuration

The Configuration Manager uses various methods to discover the Windows devices that an administrator can control on the network. One such method is the use of a common domain. To use this method, the Windows server hosting the Configuration Manager should be a domain controller, or a member server in the domain. All Windows devices that will be managed should then join the domain. The Configuration Manager automatically discovers all Windows devices that join.

Client installation

The Configuration Manager console may be used to install configuration manager client software on target Windows devices that have joined the controlled domain. This is required for pushing the configuration to the devices.

Client policy polling interval settings

The configuration manager client on each Windows device polls for policy changes on the server at a regular interval. The polling interval defaults to 60 minutes. Each newly pushed or deployed task will run on all selected clients within this polling interval. You can customize the polling interval as required.

Client collections

New configurations are usually deployed to collections of devices. All of the devices that have joined the controlled domain will be added to a default collection.

You may want to deploy a different set of configurations to different groups of devices based on your user base. This can be accomplished by creating different client collections. Devices that have joined the domain will be added to one or more of those collections. Configurations may then be selectively deployed.

Client security issues

The Configuration Manager is able to deploy a large variety of applications to all the devices that joined the domain. Most of these tasks run in the Local System or administrator security context on the client devices, so anyone who can create or edit deployments on the Configuration Manager host can run arbitrary code with that level of privilege on every managed device. Keep the Configuration Manager host, its site database and the accounts permitted to author deployments under the highest level of security control possible, the same level you apply to a domain controller.

It is also important to always test new planned application deployments in a controlled lab environment, or on a small client collection, before deploying to the entire client base.

Network share for all clients

The Configuration Manager console is used to deploy applications to client devices. Some of the applications require specification of files by file path and name. The client devices must have access to the files when the applications run. For instance, to import a FortiClient XML configuration file on a given client collection, every client device in the collection must independently be able to read the new XML configuration file.

The files may be provided by any suitable method. Examples include use of an HTTP or FTP server. The examples in this document use a network share. This should be available to all devices in the given client collection. Because the clients run whatever they fetch from the share with administrator or system privileges, grant the clients read-only access and restrict write access to the administrators who publish the files; anyone who can modify the share contents can modify what runs on every client.

Task sequences

The Configuration Manager provides task sequences as a means of deploying commands to discovered clients without requiring user intervention. The FortiClient configuration examples in this chapter use the Run Command Line task sequence step to run various command-line commands on client devices.

Here is a simple example of how task sequences may be used to control client devices.

In this example, a simple set of command-line commands is created in the Configuration Manager console. Once deployed, each command runs on every client in the collection and its output is written to the task sequence log file on that client.

The following commands will be executed on each client:

cd
dir c:\users
whoami

The first command prints the current working directory, which is likely to be c:\windows\system32. The second command prints the contents of the specified directory. The third command prints the name of the account under which the task sequence is running; for a task sequence this is normally NT AUTHORITY\SYSTEM, which is worth confirming because every later command in the sequence runs with that level of privilege.

The output of the commands can be found in the log file on each client device at:

C:\Windows\CCM\Logs\smsts.log

To create a new task sequence:

  1. Launch the Configuration Manager console. The Configuration Manager console opens.
  2. Select Software Library > Overview > Operating Systems > Task Sequences.
  3. Right-click the Task Sequences menu item and select Create Task Sequence.

Alternatively, you can select Create Task Sequence in the toolbar.

The Create Task Sequence Wizard opens.

  4. Select the Create a new custom task sequence radio button. Then select Next to proceed.
  5. Enter a name for the task sequence.
  6. Enter a comment to describe the task sequence.
  7. Select Next to proceed.

A summary of the task sequence configuration is displayed.

  8. Select Close to save the configuration. The new task sequence is created and displayed in the Configuration Manager console.
  9. Select Task Sequences in the menu in the left pane of the Configuration Manager console. The new task sequence is displayed in the right pane.

To add individual tasks into the task sequence:

  1. Right-click in the newly created task sequence.
  2. From the shortcut menu list, select Edit. The Task Sequence Editor dialog box is displayed. Alternatively, select the Task Sequence and select the Edit icon in the toolbar.
  3. Select the Add drop-down button.
  4. From the drop-down list, select General and then select Run Command Line. A new tab is displayed in the right pane of the dialog box.
  5. Configure the following settings:
     Name: Enter a name for the command.
     Description: Enter a description for the command.
     Command line: Enter the command line in the text field.

The command will usually start with "cmd /c". For instance, the three commands in this example are entered as:

cmd /c cd
cmd /c dir c:\users
cmd /c whoami

  6. Select Apply to apply the configuration.
  7. Select OK to continue.

The task sequence will be saved with the three command-line tasks. To view or modify the tasks, select Edit in the short-cut menu for the selected task sequence.

There are three commands in this example. Each of the commands may be created as a single task. There will be a total of three tasks in the left pane of the dialog box. Each of the tasks will have one of the command-line commands:

cmd /c cd
cmd /c dir c:\users
cmd /c whoami

This format is preferred as it isolates any client errors to a specific task.

The three commands may also be combined into a single command line. Note that cmd.exe separates commands with & (a semicolon is not a command separator in cmd.exe):

cmd /c cd & dir c:\users & whoami

This format is not recommended. The exit code reported to the task sequence is that of the last command only, so a failure in an earlier command is masked and the step is reported as successful.

There is also an option to use a batch script.
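The following script is an added example, not part of the FortiClient guide, of the scripted alternative: it runs the same three commands from one Run Command Line step without masking failures. Each command runs on its own, its exit code is recorded, and the script stops at the first non-zero exit code so the task sequence reports the step as failed. The script path, the log file name and the way the step is invoked are assumptions for this example.

```powershell
# Added example (not from the FortiClient guide): run several commands from a
# single Run Command Line step without masking failures.
# Invoke from the task sequence step as (path is an assumption):
#   cmd /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Deploy\Run-Steps.ps1

# Log file location is an assumption for this example.
$LogFile = Join-Path $env:windir 'Temp\Run-Steps.log'

# The three commands from the example above; each entry becomes one step.
# Arguments are passed as a single string so cmd.exe receives them unquoted.
$Steps = @(
    @{ Name = 'Show working directory'; Command = 'cmd.exe'; Arguments = '/c cd' },
    @{ Name = 'List user profiles';     Command = 'cmd.exe'; Arguments = '/c dir c:\users' },
    @{ Name = 'Show task identity';     Command = 'cmd.exe'; Arguments = '/c whoami' }
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line   # also goes to the step's console output
}

function Invoke-Step {
    param([hashtable]$Step)
    Write-Log ("Running step '{0}': {1} {2}" -f $Step.Name, $Step.Command, $Step.Arguments)
    # -NoNewWindow keeps the command's output on this script's console;
    # -Wait -PassThru returns the finished process so ExitCode is populated.
    $proc = Start-Process -FilePath $Step.Command -ArgumentList $Step.Arguments `
                          -Wait -PassThru -NoNewWindow
    Write-Log ("Step '{0}' exited with code {1}" -f $Step.Name, $proc.ExitCode)
    return $proc.ExitCode
}

foreach ($step in $Steps) {
    $code = Invoke-Step -Step $step
    if ($code -ne 0) {
        Write-Log ("Stopping: step '{0}' failed with exit code {1}" -f $step.Name, $code)
        exit $code   # a non-zero exit marks the Run Command Line step as failed
    }
}

Write-Log 'All steps completed successfully'
exit 0
```

Unlike the single `cmd /c ... & ... & ...` line, the first failing command's exit code is what the task sequence sees, and the per-step log line shows which command failed. Keep the separate-task form from the guide when the commands are independent; use a wrapper like this only when several commands genuinely belong to one step.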

Deploy the task sequence:

  1. Right-click the task sequence.
  2. Select Deploy in the right-click menu list. The Deploy Software Wizard dialog box opens.

Alternatively, select the Task Sequence and select the Deploy icon in the toolbar.

  3. Select Browse.

The Browse Collections dialog box appears listing all currently configured client collections.

  4. Select the client collection to which this task sequence should be deployed.
  5. Select OK to close the Browse Collections dialog box. You are returned to the General tab of the Deploy Software Wizard dialog box.
  6. Select Next. The Deployment Settings tab is displayed.
  7. In the Purpose drop-down menu select Required. This makes the task mandatory for all clients receiving it.
  8. Select the Send wake-up packets checkbox to enable this feature.
  9. Select Next. The Scheduling tab is displayed.
  10. Select New. In the Assignment Schedule dialog box select the Assign immediately after this event radio button.
  11. Select OK. This closes the Assignment Schedule dialog box. The Scheduling tab is displayed.
  12. Select Next. The User Experience tab is displayed.
  13. Select the Show Task Sequence progress checkbox to enable this feature.

This configuration is optional. It displays a progress dialog box on each client as the task executes. If a silent background execution of tasks is desired, leave this checkbox unchecked.

  14. Select Next. The Distribution Points tab is displayed. For this example, there is nothing to change in this tab.
  15. Select Next. The Summary tab is displayed.
  16. Select Next. The Completion tab is displayed, which shows a summary of all selections.
  17. Select Close to close the Deploy Software Wizard.

This completes the deployment of the task sequence to the selected client collections. Client devices in the collection should start to receive and execute the task. All clients will run the task within the Policy Polling Interval configured.

Monitor a deployed task sequence:

  1. Launch the Configuration Manager console.
  2. Select Monitoring from the tree-menu.
  3. Select the Overview menu item in the left pane to expand the menu.
  4. Select the Deployments menu item. The list of deployments is displayed in the right pane.
  5. Click to select the recently deployed task sequence in the right pane. The Deployments window is displayed.

To monitor a deployed task sequence on the client device, use the following process:

  1. Launch the Software Center console on the client device. It displays a list of tasks deployed to it.
  2. Select the Task Sequence. The current status is displayed.

In addition to the two monitoring procedures above, the client log file is available on the client device at:

C:\Windows\CCM\Logs\smsts.log

It will contain details of the task sequence, including:

- the command-line commands executed
- any output generated by the commands
- any error messages
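Reading smsts.log by hand is slow when many clients are involved. The script below is an added example, not from the FortiClient guide, that parses the CMTrace line format used by smsts.log and pulls out the exit code of every command line that ran plus all error-severity entries. The log lines it parses are constructed for the example; the exact wording of real smsts.log messages may differ, but the `<![LOG[...]LOG]!><time=... type=...>` framing is what the parser relies on.

```powershell
# Added example (not from the FortiClient guide): extract Run Command Line
# results from a CMTrace-format log such as C:\Windows\CCM\Logs\smsts.log.
# Each CMTrace entry has the shape
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
# where type 1 = informational, 2 = warning, 3 = error.

# Constructed sample entries for this example; real wording may differ.
$SampleLog = @'
<![LOG[Executing command line: cmd /c cd]LOG]!><time="10:02:11.100+000" date="03-14-2016" component="RunCommandLine" context="" type="1" thread="3120" file="main.cpp:100">
<![LOG[Command line returned 0]LOG]!><time="10:02:11.250+000" date="03-14-2016" component="RunCommandLine" context="" type="1" thread="3120" file="main.cpp:120">
<![LOG[Executing command line: cmd /c dir c:\users]LOG]!><time="10:02:12.000+000" date="03-14-2016" component="RunCommandLine" context="" type="1" thread="3120" file="main.cpp:100">
<![LOG[Command line returned 1]LOG]!><time="10:02:12.300+000" date="03-14-2016" component="RunCommandLine" context="" type="1" thread="3120" file="main.cpp:120">
<![LOG[Failed to run the action: List user profiles. Incorrect function. (Error: 00000001; Source: Windows)]LOG]!><time="10:02:12.310+000" date="03-14-2016" component="TSManager" context="" type="3" thread="3120" file="instruction.cxx:800">
'@

function ConvertFrom-CMTraceLog {
    # Turns CMTrace lines into objects; lines that do not match the framing are skipped.
    param([string[]]$Lines)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $sev = switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $sev
                Message   = $Matches.msg
            }
        }
    }
}

# Parse the constructed sample. On a client, replace this line with:
#   $entries = ConvertFrom-CMTraceLog -Lines (Get-Content "$env:windir\CCM\Logs\smsts.log")
$entries = ConvertFrom-CMTraceLog -Lines ($SampleLog -split "`r?`n")

# Exit code of every command line the task sequence ran
$entries | ForEach-Object {
    if ($_.Message -match '^Command line returned (\d+)$') {
        [pscustomobject]@{ Time = $_.Time; Component = $_.Component; ExitCode = [int]$Matches[1] }
    }
} | Format-Table -AutoSize

# Error-severity entries (type 3), which is where a failed step shows up
$entries | Where-Object { $_.Severity -eq 'Error' } |
    Format-Table Time, Component, Message -AutoSize
```

Pointing `Get-Content` at a copy of smsts.log collected from each client, or running the script over a share of collected logs, gives one table of exit codes per client instead of scrolling through each log in CMTrace.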

Map a network drive

When a file is referenced in a task sequence, it must be made available to all clients before the task sequence starts. The processes listed below explain how to map a network folder to a drive in a given task sequence. If the mapping is successful, all the files in the shared folder will be available for the command-line commands in the task sequence.

To map a network drive in the task sequence:

  1. Create a new custom task sequence.
  2. Edit the task sequence. The Task Sequence Editor dialog box is displayed.
  3. Select the Add drop-down button.
  4. In the drop-down list, select General > Connect to Network Folder. A new tab is displayed in the right pane of the dialog box.
  5. Type a name for the command.
  6. Type a description for the command.
  7. Type the full path to the network shared folder or use the Browse button to select it. Here is an example of a valid path: \\172.21.85.245\accounts_dept.
  8. Type a drive letter, along with a colon. For example: G:
  9. Select Set and provide a user name and password that is valid for the network shared folder selected. Use a dedicated account that has read-only access to the share; these credentials are stored with the task sequence and presented by every client in the collection, so they should grant no more than the right to read the deployment files.
  10. Select OK to return to the Task Sequence Editor dialog box.
  11. Select Apply to save the task.

More tasks may be added to the task sequence as described in earlier parts of this section. Tasks may be reordered using the other buttons provided in the top of the left pane in the Task Sequence Editor dialog box.

  12. When all tasks have been added, select OK to close the dialog box.
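Once the network folder is mapped, every client trusts whatever it finds there and runs or imports it with system privileges. The script below is an added example, not from the FortiClient guide, of a Run Command Line step placed after the Connect to Network Folder step: it checks that the shared folder does not grant write access to broad groups, then verifies the SHA-256 hash of the file a later step will consume. The drive letter, file name and expected hash are assumptions for this example (the expected hash is the value Get-FileHash reported on the administrator's workstation when the file was published). Get-FileHash requires Windows PowerShell 4.0 or later on the client.

```powershell
# Added example (not from the FortiClient guide): verify a payload on the mapped
# network folder before a later task sequence step uses it.

# Drive letter, file name and expected hash are assumptions for this example.
$ConfigFile   = 'G:\forticlient\fct-config.xml'
$ExpectedHash = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder

function Test-PayloadIntegrity {
    # Returns $true only if the file exists and its SHA-256 matches the published value.
    param([string]$Path, [string]$Sha256)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "MISSING: $Path"
        return $false
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {   # -ne on strings is case-insensitive, so hex case does not matter
        Write-Output "HASH MISMATCH for ${Path}: got $actual"
        return $false
    }
    return $true
}

function Get-BroadWriteAccess {
    # Lists Allow ACEs that give write-class rights to broad groups on the folder.
    # Any hit means one compromised client could replace what every other client runs as SYSTEM.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $broad = 'Everyone|Authenticated Users|Domain Computers|Domain Users|\\Users$'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broad -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles|AppendData')
    }
}

$folder = Split-Path -Path $ConfigFile -Parent
$risky  = Get-BroadWriteAccess -Path $folder
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
    Write-Output "Folder $folder is writable by a broad group; fix the ACL before deploying."
    exit 2
}

if (-not (Test-PayloadIntegrity -Path $ConfigFile -Sha256 $ExpectedHash)) {
    exit 1   # non-zero exit fails the step, so later steps do not run with an unverified file
}

Write-Output "Payload verified: $ConfigFile"
exit 0
```

Because the step exits non-zero on a mismatch or a permissive ACL, the task sequence stops before the import step runs, and the failure is visible in the Deployments monitoring view and in smsts.log on the client. Only the NTFS ACL is checked here; share-level permissions on the server must be reviewed separately.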
This entry was posted in Administration Guides, FortiClient.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
