Technical Tip: How to enable workstation DNS registration through an SSL VPN tunnel
Description
To enable the DNS registration option for SSL VPN clients when FortiClient participates in FSSO, special steps must be followed.
Specifically, there is an additional registry value which needs to be changed.
Complete the following steps:
- Enable DNS registration under Network properties:



The same result can be achieved by modifying the <no_dns_registration>0</no_dns_registration> parameter in an XML file. The three possible states are:
- 0: FortiClient will try to register all NIC addresses in DNS (default parameter).
- 1: FortiClient will not register any IP.
- 2: FortiClient will try to register only the SSL VPN tunnel IP in DNS.
- If the FortiClient version is 5.2.1 or earlier, or if FortiClient is unmanageable:
Note: All steps have to be applied under the workstation administrator account.
- Run shutdown forticlient.
- Run net stop fortishield.
- Start CMD with administrator privileges and add the following registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FortiClient\Sslvpn]
"WinDnsCacheService"=dword:00000003
- Run net start fortishield.
- Run start forticlient.
- Alternatively, if the FortiClient is manageable by FortiGate and the FortiClient version is 5.2.2 or above, all steps from 2 can be automated by adding the following XML into the FortiClient's configuration XML script.
<dnscache_service_control>3</dnscache_service_control>
For example:
<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <os_version>windows</os_version>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>3</dnscache_service_control>
        <!--0=disable dnscache, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange-->
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
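
To confirm before deployment that a configuration file carries the values described above, the following added example (not Fortinet's own code) parses the XML and decodes both options. The function name `audit_forticlient_xml`, the sample file, and the placement of `<no_dns_registration>` inside `<options>` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Value meanings as listed on this page.
NO_DNS_REGISTRATION = {"0": "register all NIC addresses (default)",
                       "1": "register no IP",
                       "2": "register only the SSL VPN tunnel IP"}
DNSCACHE_SERVICE_CONTROL = {"0": "disable dnscache",
                            "1": "do not touch dnscache service",
                            "2": "restart dnscache service",
                            "3": "sc control dnscache paramchange"}

def audit_forticlient_xml(xml_text):
    """Return (settings, findings) for the two DNS options this tip covers."""
    root = ET.fromstring(xml_text)
    settings, findings = {}, []
    for tag, meanings in (("no_dns_registration", NO_DNS_REGISTRATION),
                          ("dnscache_service_control", DNSCACHE_SERVICE_CONTROL)):
        # Assumption: look the tag up anywhere in the tree, because the page
        # does not show the parent element of no_dns_registration.
        node = next(root.iter(tag), None)
        value = (node.text or "").strip() if node is not None else None
        settings[tag] = value
        if value is not None and value not in meanings:
            findings.append(f"{tag}: unknown value {value!r}")
    if settings["no_dns_registration"] == "1":
        findings.append("no_dns_registration=1: no IP will be registered in DNS")
    if settings["dnscache_service_control"] != "3":
        findings.append("dnscache_service_control is not 3")
    return settings, findings

# Constructed sample: the page's example with no_dns_registration added.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <partial_configuration>1</partial_configuration>
  <os_version>windows</os_version>
  <vpn><sslvpn><options>
    <enabled>1</enabled>
    <no_dns_registration>2</no_dns_registration>
    <dnscache_service_control>3</dnscache_service_control>
  </options></sslvpn></vpn>
</forticlient_configuration>"""

if __name__ == "__main__":
    settings, findings = audit_forticlient_xml(SAMPLE)
    print("no_dns_registration:", NO_DNS_REGISTRATION.get(settings["no_dns_registration"]))
    print("dnscache_service_control:",
          DNSCACHE_SERVICE_CONTROL.get(settings["dnscache_service_control"]))
    print("findings:", findings or "none")
```

An empty findings list means the file matches this tip; a missing `<no_dns_registration>` is not flagged because the page gives 0 as the default.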