Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

MaxiKolu1
New Contributor II

Created on ‎11-21-2018 07:58 AM

unattened upgrade of DC Agents

Hello,

 Before we start a little disclaimer: this is posted as-is, it's not something I did using Fortinet's official documentation (AFAIK, there isn't any about the DC Agent installer), nor supported by Fortinet. Use at your own risk.

 This was tested on a lab environment with Windows Server 2016 and FSSO 5.0.0254.

 In a few days, I have to upgrade a customer's FSSO infrastructure and found that there's no method for upgrading the DC Agents on the domain controllers. I can uninstall/reinstall using the collector, or upgrade via RDP/console using manual installation.

 It wouldn't be a problem, but they have 31 DCs...

 So, reading some stuff about MSI files, checking installation logs, and some inspection using lessmsi I managed to do an unattended upgrade.

Hands to work:

What we need


  • sysinternal's psexec.
  • the DC Agent installer found in Fortinet's support website, the EXE version, the MSI won't work (and I didn't have the time to figure out why).
  • domain admin logged in a computer that's a member of the domain. (you can do this with a computer that is not member of the domain, using "NET USE", but I won't cover this here).
  • upgrade the collector first.

Extract the MSI file


  • run the DC agent installer, up to the Fortinet Single Sign On DC Agent vX.X.XXX Setup screen, and don't go further.
  • go to the temp folder (Windows + R, "%temp%" will do the trick) and locate a folder with a GUID-like name, look for the dcagentsetup.msi -or dcagentsetup64.msi- and copy that file to a location reachable by the DC you're going to upgrade (I'd suggest a network share, but you can copy it to each DC's C$ admin share). note that you can save this installer for other customers too, what we did here is just extract the .MSI inside the setup file.
  • abort the installation.

For each DC

  • run the command "psexec \\DC-s msiexec /i \\SERVER\SHARE\dcagentsetup64.msi /qn /forcerestart REINSTALL=ALL REINSTALLMODE=vomus"
  • after a while, you'll see this "error" message "msiexec exited on DC with error code 1641", code 1641 is "ERROR_SUCCESS_REBOOT_INITIATED"
  • once rebooted, the DC agent upgrade is completed.

 I've tested it in a lab with Windows Server 2016 and FSSO 5.0.0.254, upgrading to 5.0.0271. It worked, and it mantained the settings (CA list, ignore list, etc.) after the upgrade.

Tips


  • This can be used for the initial install of the DC Agents, it's kinda usesless because the Collector doest this for you but, just in case, you can add COLLECTORAGENTLIST="COL_1;COL_2;COL_N" IGNORELIST="IGNORE_1;IGNORE_2;IGNORE_N" to the command line and it will create -or overwrite- the configuration.
  • If you're feeling really lucky -or willing to play the russian roulette ;) -, you may pass a DC list to psexec using @, more info at: https://community.spiceworks.com/how_to/1812-deploy-msi-files-using-psexec.

 It's possible that we can further optimize this process, suggestions are welcome :)

HTH.

------------------------------
Maximiliano Kolus
Rosario, Santa Fe, Argentina
------------------------------
Maximiliano Kolus
Maximiliano Kolus
1157
0 Kudos
3 REPLIES 3
AttiT_th
New Contributor

Created on ‎11-22-2018 12:15 AM

Hello,
Very nice article.

What we are doing is:
1. Backup all the FSSO Collector Agnets configuration (we usually have 2 of them)
2. Updtate all the FSSO Collector Agents.
3. In the menu Start -> Fortinet select Uninstall DC Agent. Do not confirm the reboot.
4. In the menu Start -> Fortinet select Install DC Agent. Confirm the reboot. (Reboot the FSSO CA servers also.)
5. After the reboot backup all the FSSO Collector Agnets configuration. Check the FSSO CA and DC Agent versions in the configuration file.

These steps has been working untill now for us.

------------------------------
AtiT
------------------------------
AtiT
AtiT
1138
0 Kudos
mikebutash
New Contributor II

Created on ‎11-22-2018 12:37 PM

Interesting that this is so convoluted to maintain, as deployment is often not concerned with long-term operation, and I can't speak to needing to do so personally.  Installing the collector does a good job of installing the DC Agents, sad it can't seem to maintain them with an upgrade from the same initial client setup methodology to push updates to dc agents and reboot.

It would be nice if Fortinet could describe better, or extend their operation to also deploy/update new dc agents when the need arises based on how they deploy today.  Net-new installs go nicely, upgrades should be possible as well with new versions.

------------------------------
-mb
------------------------------
-mb
-mb
1138
0 Kudos
MaxiKolu1
New Contributor II
In response to mikebutash

Created on ‎11-23-2018 06:28 AM


 I tought the same thing.

 In theory, this very process can be fired from the Collector Agent: it's just like the install, but with different parameters.

------------------------------
Maximiliano Kolus
Rosario, Santa Fe, Argentina
------------------------------
Maximiliano Kolus
Maximiliano Kolus
1138
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Related Posts
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.