Appendix A – Deployment Scenarios

Basic FortiClient profile

In this scenario, you want to configure a FortiClient profile by using the FortiGate GUI. When clients connect FortiClient Telemetry to FortiGate, they will receive the settings configured in the FortiClient profile. You can configure the default profile, or create a new profile. When creating a new profile, you have additional options to specify device groups, user groups, and users.

Create a basic FortiClient profile:

  1. In the FortiGate GUI, go to Security Profiles > FortiClient Profiles. You can either select the default FortiClient profile or select Create New in the toolbar. The Edit Endpoint Profile page opens.

The default FortiClient profile does not include the Assign Profile To setting.

  2. Set the profile settings as required, and click OK.

Advanced FortiClient profile

In this scenario, you have created a custom XML configuration file. The custom file includes all settings required by the client at the time of deployment. When FortiClient connects Telemetry to FortiGate or EMS, you want to ensure that the client receives the full XML configuration. For future configuration changes, you can edit the XML in the profile by using EMS.

To reduce the size of the FortiClient XML configuration file, you can delete all help text found within the <!-- ... --> comment tags.

Create an advanced FortiClient profile with the full XML configuration provisioned:

  1. In EMS, go to Endpoint Profiles > Add a new profile.
  2. Select Advanced.
  3. (Optional) On the Install tab, select a FortiClient installer.
  4. On the Configuration tab, overwrite the XML by pasting the XML from your custom XML configuration file into the pane.
    1. Open the FortiClient XML configuration file in a source code editor.
    2. Copy the FortiClient XML.
    3. Paste the FortiClient XML into the Configuration tab.
  5. Click Save.

 

Use Active Directory Groups

Some organizations may choose to deploy different FortiClient profiles to different user groups. FortiGate and EMS are able to send different FortiClient profiles based on the AD group of the user. This requires use of the FortiAuthenticator.

No special configuration is required on FortiClient.

Monitor connected users

Administrators can monitor managed FortiClient users. When the client successfully connects FortiClient Telemetry to the FortiGate/EMS, the client can be monitored on the FortiGate/EMS.

In the FortiGate GUI, all connected clients can be observed on the Monitor > FortiClient Monitor page.

Either of the following FortiGate CLI commands lists all connected clients: diagnose endpoint registration list, or diagnose endpoint record-list.

In the EMS, connected clients can be observed on the Workgroups page.

Customize FortiClient using XML settings

FortiClient configurations can be customized at the XML level. For more information, see the FortiClient XML Reference.

Silent connection

You may want to configure FortiClient to silently connect to FortiGate without any user interaction. When configured, the user will not be prompted to connect to a FortiGate. The <silent_registration> tag is intended to be used with the <disable_unregister> tag. For more information, see Disable disconnect on page 124. The following XML elements can be used to enable this:

<forticlient_configuration>
  <endpoint_control>
    <silent_registration>1</silent_registration>
  </endpoint_control>
</forticlient_configuration>

Locked FortiClient settings

End users with administrator permission on their Windows system have access to the FortiClient settings page. If this is not desired, it can be locked with a password from the FortiGate. The following FortiOS CLI configuration, when included, requires any client connected to the FortiGate to provide the password before it can access the settings page.

config endpoint-control profile
  edit "fmgr"
    config forticlient-winmac-settings
      ...
      set forticlient-settings-lock disable
      set forticlient-settings-lock-passwd <password>
      ...
    end
  next
end

Disable disconnect

With silent endpoint control connection enabled, a user could disconnect after FortiClient has connected to the FortiGate. The capability to disconnect can be disabled using the following XML element:

<forticlient_configuration>
  <endpoint_control>
    <disable_unregister>1</disable_unregister>
  </endpoint_control>
</forticlient_configuration>

Put it together

Here is a sample complete FortiClient 5.4.1 XML configuration file with the capabilities discussed above:

<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <enabled>1</enabled>
    <disable_unregister>1</disable_unregister>
    <silent_registration>1</silent_registration>
    <fortigates>
      <fortigate>
        <serial_number />
        <name />
        <registration_password>un9r3Ak@b!e</registration_password>
        <addresses>newyork.example.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>

The FortiGate that is connected to is listed in the <fortigates> element. The <registration_password> element is required if the endpoint control configuration on the FortiOS requires one. This can be exported as an encrypted file from a connected FortiClient.

The configuration provided above is not the full FortiClient configuration file. Thus, the <partial_configuration> element is set to 1.
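As an added example, not part of this guide or of FortiClient, the following Python script does two things the sections above describe by hand: it strips the <!-- ... --> help text to shrink a configuration file, and it reads back the endpoint-control settings of a fragment such as the one just shown, flagging the case where silent_registration is set without disable_unregister. The sample XML, its placeholder password and host name are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the "Put it together" fragment above, with a
# placeholder password and host instead of any real deployment values.
SAMPLE_XML = """<forticlient_configuration>
  <!-- help text: a partial configuration is merged into the existing settings -->
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <enabled>1</enabled>
    <disable_unregister>1</disable_unregister>
    <silent_registration>1</silent_registration>
    <fortigates>
      <fortigate>
        <serial_number />
        <name />
        <registration_password>PLACEHOLDER_PASSWORD</registration_password>
        <addresses>fortigate.example.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
"""


def strip_help_text(xml_text):
    """Drop <!-- ... --> help comments to shrink the file, as the guide suggests.
    ElementTree discards comment nodes on parse, so elements and text survive intact."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def is_on(root, path):
    """True when the element at `path` exists and holds the value 1."""
    node = root.find(path)
    return node is not None and (node.text or "").strip() == "1"


def summarize_endpoint_control(xml_text):
    """Report the deployment-relevant endpoint-control settings of a profile fragment."""
    root = ET.fromstring(xml_text)
    silent = is_on(root, "endpoint_control/silent_registration")
    no_unregister = is_on(root, "endpoint_control/disable_unregister")
    gates = []
    for fg in root.findall("endpoint_control/fortigates/fortigate"):
        gates.append({
            "name": (fg.findtext("name") or "").strip(),
            "addresses": (fg.findtext("addresses") or "").strip(),
            # The password sits in clear text in the XML; record its presence so
            # the file is handled as a secret, without echoing the value itself.
            "has_registration_password": bool((fg.findtext("registration_password") or "").strip()),
        })
    return {
        "partial": is_on(root, "partial_configuration"),
        "silent_registration": silent,
        "disable_unregister": no_unregister,
        # The guide pairs silent_registration with disable_unregister; flag the
        # half-configured case where a silently connected user can still disconnect.
        "silent_but_user_can_disconnect": silent and not no_unregister,
        "fortigates": gates,
    }
```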

 

Diagnostic Tool

You can access the FortiClient Diagnostic Tool from the FortiClient console. Go to Help > About.

You can use the FortiClient Diagnostic tool to generate a debug report, and then provide the debug report to the FortiClient team to help with troubleshooting. For example, if you are working with customer support on a problem, you can generate a debug report, and email the report to customer support to help with troubleshooting.

To generate debug reports:

  1. Go to Help > About.
  2. Click the Generate Debug Report icon in the top-right corner. The FortiClient Diagnostic Tool dialog box is displayed.
  3. Click Run Tool.

A window is displayed that provides status information.

  4. (Optional) When prompted, launch and disconnect the VPN tunnels for which you want to collect information. A Diagnostic_Result file is created and displayed in a folder on the endpoint device. The default folder location is C:\Users\<username>\AppData\Local\Temp\.
  5. Click Close.

IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can provision client VPN connections to FortiGate in profiles from EMS, and you can configure new connections in the FortiClient console.

Add new connections

You can add new SSL VPN connections and IPsec VPN connections.

Create SSL VPN connections

To create SSL VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select SSL-VPN, then configure the following settings:

Connection Name   Enter a name for the connection.
Description   Enter a description for the connection. (optional)
Remote Gateway   Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port   Select to change the port. The default port is 443.
Authentication   Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username   If you selected to save login, enter the username in the dialog box.
Client Certificate   Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server Certificate   Select if you do not want to be warned if the server presents an invalid certificate.
Add   Select the add icon to add a new connection.
Delete   Select a connection and then select the delete icon to delete a connection.

  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Create IPsec VPN connections

To create IPsec VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select IPsec VPN, then configure the following settings:
Connection Name   Enter a name for the connection.
Description   Enter a description for the connection. (optional)
Remote Gateway   Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method   Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth)   Select to prompt on login, save login, or disable.
Username   If you selected save login, enter the username in the dialog box.
Advanced Settings   Configure VPN settings, Phase 1, and Phase 2 settings.

VPN Settings

Mode   Select one of the following:

Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Options   Select one of the following:

Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Phase 1   Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

IKE Proposal   Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
DH Group   Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
Key Life   Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
Local ID   Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer's Peer Options.
Dead Peer Detection   Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
NAT Traversal   Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Phase 2   Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

IKE Proposal   Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
Key Life   The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection   Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect Forward Secrecy (PFS)   Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
DH Group   Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.
Add   Select the add icon to add a new connection.
Delete   Select a connection and then select the delete icon to delete a connection.

  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in EMS to ensure the FortiClient profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Activate VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, it is required to also check the check box Users must enter a username and password to use this computer in the User Accounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest, or connect to FortiClient EMS, which provides the VPN list of interest.
  2. Enable VPN before log on on the FortiClient Settings page; see VPN options on page 102.

On the Microsoft Windows system,

  1. Start an elevated command line prompt.
  2. Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Check the check box for Users must enter a username and password to use this computer.
  4. Click OK to save the setting.

Connect VPNs before logging on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.

<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, you will configure a list of EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        ...
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            ...
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority-based. Priority-based configurations will try to connect to the FortiGate starting with the first in the list.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        ...
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          ...
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate units in the list must use the same TCP port.
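As an added example that is not part of this guide or of FortiClient, the following Python script reads the two redundancy fragments above and shows the behaviour they describe: the gateway order an IPsec connection tries under RedundantSortMethod 0 (priority) and 1 (ping-response based), and a check that every gateway of a redundant SSL VPN connection shares one TCP port. The sample XML reuses the guide's documentation host names; the RTT figures are invented for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the redundant IPsec and SSL VPN fragments above;
# the host names are the guide's documentation values.
SAMPLE_XML = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <ike_settings>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
    <sslvpn>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""
# Invented round-trip times (milliseconds) standing in for real ping measurements.
SAMPLE_RTT_MS = {"10.10.90.1": 48.0, "ipsecdemo.fortinet.com": 12.5, "172.17.61.143": 30.0}


def parse_server_list(text, default_port=None):
    """Split a semicolon-separated <server> value into (host, port) pairs."""
    entries = []
    for item in filter(None, (s.strip() for s in text.split(";"))):
        host, sep, port = item.rpartition(":")
        entries.append((host, int(port)) if sep and port.isdigit() else (item, default_port))
    return entries


def ipsec_connect_order(xml_text, rtt_ms):
    """Order the IPsec gateways the way the guide describes: method 0 keeps the
    configured priority, method 1 (ping-response based) tries the fastest first.
    rtt_ms maps host -> measured milliseconds; unmeasured hosts are tried last."""
    orders = {}
    for conn in ET.fromstring(xml_text).findall("vpn/ipsecvpn/connections/connection"):
        ike = conn.find("ike_settings")
        hosts = [h for h, _ in parse_server_list(ike.findtext("server") or "")]
        if (ike.findtext("redundantsortmethod") or "0").strip() == "1":
            hosts.sort(key=lambda h: rtt_ms.get(h, float("inf")))
        orders[conn.findtext("name")] = hosts
    return orders


def sslvpn_port_mismatches(xml_text, default_port=443):
    """Names of SSL VPN connections whose gateways do not share one TCP port;
    the guide requires all gateways of a redundant SSL VPN to use the same port."""
    bad = []
    for conn in ET.fromstring(xml_text).findall("vpn/sslvpn/connections/connection"):
        ports = {p for _, p in parse_server_list(conn.findtext("server") or "", default_port)}
        if len(ports) > 1:
            bad.append(conn.findtext("name"))
    return bad
```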

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient profile options in EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        ...
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            ...
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority-based. Priority-based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        ...
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          ...
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS servers in the list must use the same TCP port.

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on EMS’s XML format FortiClient profile. The profile will be pushed down to FortiClient from EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
md c:\test
copy x:\PDF\*.* c:\test
      ]]>
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
net use x: /DELETE
      ]]>
    </script>
  </script>
</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected. Note that the sample mount command carries an SMB username and password inline; anything placed in these scripts is delivered, as part of the profile, to every endpoint that receives it.

<on_connect>
  <script>
    <os>mac</os>
    <script>
/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>mac</os>
    <script>
/sbin/umount /Volumes/installers
/bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>