SteveRoadWarrior
New Member
October 16, 2017
Question

Suggestions for FortiClient EMS rollout via Group Policy (MSI file, not EXE required)


Any suggestions on where to look in the documentation for setup instructions on EMS client rollout via MSI?

I've used the FortiClientConfigurationTool but it doesn't allow for inserting the URI of the EMS server.

Tried exporting the EMS profile XML file and renaming it *.config, but that didn't make a difference.

Deploying EXE files is not an option; users don't have local admin rights. The EMS server is not on the same private IP scheme as the clients, so push is not an option. MSI is the best way in this case.

Deploying the MSI from the Fortinet downloads area only installs SSLVPN+IPSEC VPN, which is smart.

Deploying the MSI from the FortiClient Configuration Tool installs all components, but they can't seem to point to the EMS server.

I've located the EMS server in the registry, but am not sure this is a supported config method:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FortiClient\FA_ESNAC\FGPingServer (REG_SZ)

Any help or tips would be appreciated. I'll even take .exe deployment via command line options in case that turns out to be the only way.

In the meantime, I opened a ticket asking for access to the "FortiClientConfigurationTool_5.6.0.1075.zip" which is supposed to be in the downloads area but is not.  I say supposed to be because it's listed in the "Readme_1st.txt" file.

    1 reply

    SteveRoadWarrior
    New Member
    October 16, 2017

    I'm told the new FortiClient configurator will do it: http://docs.fortinet.com/d/forticlient-configurator-tool

    But we need a Fortinet Developer account to access the program.

    SteveRoadWarrior
    New Member
    October 17, 2017

    The new FortiClient configurator will do it.

    EMS deployment directions:

    1) Log into the EMS console. Make a "FortiClient telemetry gateway IP list" (lower left corner).

    2) Once done with the telemetry IP list, you'll be given the option to export to XML (next to the save button).

    3) On the first page of the FortiClient configurator wizard, two options are available to add XML files. Choose the lower one of the two and give it the XML file you just generated.

    4) Choose the options you want for deployment. We went full boat.

    5) Copy those MSI files to a sharepoint on your network which is accessible to workstations and users (very important). Cheating, I know, I used the \\domaincontroller\netlogon share and made a subfolder for "apps".

    6) Open the AD Group Policy program and make a new policy on the appropriate OU containing the workstations. The default "computer" OU cannot be used. You must move them to a new OU. That's a good thing, by the way.

    7) Edit the policy -> go to (top half) computer -> software -> software. Right click and choose NEW to add a new software package.

    7a.) Choose ADVANCED (not assigned).

    7b.) Locate the MSI for the x32 or x64 version of the client.

    7c.) BEFORE CLICKING OK, go to the modifications tab and click the "add" button.

    7d.) Drill down to the MST file (transform) which was generated by the FortiClient configurator and is in the same folder as the MSI file.

    7e.) Click OK. Now you can click OK to add the program to your group policy.

    8) On a workstation, save all work, close all programs and run: gpupdate /force /boot

    Hope that helps someone else.
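
A post-deployment check for the rollout described in the steps above, as an added example that is not part of the original thread and not Fortinet's code. Packages assigned through a computer policy are installed with SYSTEM privileges, so the script flags any non-admin principal that can modify the package folder or files, then reads the FGPingServer value mentioned in the question. `$ExpectedEms`, the helper name `Get-UntrustedWriter`, and the assumption that the registry value contains the server address are illustrative.

```powershell
# Added example: checks for the GPO rollout described in the thread.
param(
    [string]$PackageDir  = '\\domaincontroller\netlogon\apps',  # share used in step 5
    [string]$ExpectedEms = 'ems.example.internal'               # placeholder EMS address
)

# Rights that allow replacing or altering a package (plus GENERIC_WRITE and GENERIC_ALL).
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000
# SIDs expected to hold write access: Administrators, SYSTEM, CREATOR OWNER,
# and the domain-relative Domain Admins (-512) and Enterprise Admins (-519).
$trusted = '^(S-1-5-32-544|S-1-5-18|S-1-3-0|S-1-5-21-.+-(512|519))$'

function Get-UntrustedWriter {   # hypothetical helper name
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolved name: report it as-is
        if ($sid -notmatch $trusted) { "$($ace.IdentityReference) has $($ace.FileSystemRights) on $Path" }
    }
}

$findings = @()
$msi = Get-ChildItem -LiteralPath $PackageDir -Filter *.msi -ErrorAction SilentlyContinue
$mst = Get-ChildItem -LiteralPath $PackageDir -Filter *.mst -ErrorAction SilentlyContinue
if (-not $msi) { $findings += "No MSI found in $PackageDir" }
if (-not $mst) { $findings += "No MST transform found next to the MSI in $PackageDir" }
$targets = @($PackageDir) + @($msi.FullName) + @($mst.FullName) | Where-Object { $_ }
foreach ($t in $targets) { $findings += @(Get-UntrustedWriter -Path $t) }

# Registry value located by the original poster; read here only to confirm the
# installed client points at the intended EMS server (value format is assumed).
$key  = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FortiClient\FA_ESNAC'
$ping = (Get-ItemProperty -LiteralPath $key -Name FGPingServer -ErrorAction SilentlyContinue).FGPingServer
if (-not $ping) { $findings += "FGPingServer not set under $key" }
elseif ($ping -notlike "*$ExpectedEms*") { $findings += "FGPingServer is '$ping', expected $ExpectedEms" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Package share ACLs and EMS registration look as expected.'
```

Run it on a workstation in the target OU after the `gpupdate /force /boot` restart; a non-zero exit code means at least one warning was raised.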