I screwed up.
I deployed my FortiClients without specifying that a password be required for registration. Shortly thereafter, a consultant came on site and had their FortiClient software register to our FortiGate. I'd like to avoid having this happen again and it seems the surest way of doing this is requiring a password to register.
So I added a password to the FortiGate in the System > Config > Advanced > FortiClient Endpoint Registration section. I adjusted my Advanced FortiClient Profile to include a value (the same as specified in the Advanced Config section) in the <registration_password> tag and repackaged my base install to also include the proper <registration_password> tag (for new installations). For each XML file, I backed up the configuration file using FortiClient on my workstation so I would not have any clear text passwords in my published configs and applied the updated XML content with encrypted passwords to both my FortiClient profile on the FortiGate and to the deployment bundle created with FortiClient Configurator (for future deployments).
Seemed like a simple fix, however, when I boot and log onto a system that already has the FortiClient software installed and registered with my FortiGate, I am greeted with a dialog box prompting me for a registration password. Interestingly, if I merely click Accept (without entering a password) the client appears to remain registered (the shield in the system tray never deviates from a happy green icon); a check of the FortiClient Monitor on the FortiGate, however, shows the client is now in an unregistered state. If I click cancel, the client is unregistered. This is a problem because I do not wish for my end users to ever have a chance to unregister the client (unregister is not disabled, but it does require a password so IT staff can disable FortiClient if needed for troubleshooting).
I've tried simplifying the process by using clear text passwords in the XML config files and have tried allowing the FortiClient profiles with the registration_password to propagate to a client prior to enabling the password requirement in the System > Config > Advanced > FortiClient Endpoint Registration section, but was rewarded only with further frustration.
An excerpt of my profile config file:
<endpoint_control>
  <enabled>1</enabled>
  <socket_connect_timeouts>1:5</socket_connect_timeouts>
  <custom_ping_server />
  <system_data>Enc blahblahblahblah</system_data>
  <disable_unregister>0</disable_unregister>
  <show_bubble_notifications>1</show_bubble_notifications>
  <silent_registration>1</silent_registration>
  <ui>
    <display_antivirus>1</display_antivirus>
    <display_webfilter>1</display_webfilter>
    <display_firewall>1</display_firewall>
    <display_vpn>1</display_vpn>
    <display_vulnerability_scan>0</display_vulnerability_scan>
    <registration_dialog>
      <show_profile_details>0</show_profile_details>
    </registration_dialog>
  </ui>
  <alerts>
    <notify_server>1</notify_server>
    <alert_threshold>1</alert_threshold>
  </alerts>
  <fortigates>
    <fortigate>
      <serial_number>FG200D123456789</serial_number>
      <name>TR-FG200D-01</name>
      <registration_password>Enc yaddayaddayadda</registration_password>
      <addresses>10.10.0.100:8010;192.168.163.1:8010;vpn.ofmy.net:8010</addresses>
    </fortigate>
  </fortigates>
</endpoint_control>
Any guidance on how I can add a password for FortiClient registrations as transparently as possible?
Thanks,
Stan
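An added example, not from this thread or from Fortinet: a small Python check to run over a FortiClient profile XML before publishing it, which flags any <fortigate> element whose <registration_password> is missing or left in clear text rather than stored as an encrypted value (assumed here, from the excerpt above, to be the "Enc "-prefixed form produced by the Backup function) and any malformed host:port entry in <addresses>. The sample profile and every serial, name and address in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the profile excerpt in the post; all values
# are placeholders. The second <fortigate> deliberately carries a clear text
# password and the third has none, so the audit has something to report.
SAMPLE_PROFILE = """<endpoint_control>
  <enabled>1</enabled>
  <disable_unregister>0</disable_unregister>
  <silent_registration>1</silent_registration>
  <fortigates>
    <fortigate>
      <serial_number>FGPLACEHOLDER001</serial_number>
      <name>EXAMPLE-FG-01</name>
      <registration_password>Enc placeholderciphertext</registration_password>
      <addresses>10.0.0.1:8010;10.0.1.1:8010</addresses>
    </fortigate>
    <fortigate>
      <serial_number>FGPLACEHOLDER002</serial_number>
      <name>EXAMPLE-FG-02</name>
      <registration_password>cleartextsecret</registration_password>
      <addresses>10.0.2.1:8010;10.0.3.1</addresses>
    </fortigate>
    <fortigate>
      <serial_number>FGPLACEHOLDER003</serial_number>
      <name>EXAMPLE-FG-03</name>
      <addresses>10.0.4.1:8010</addresses>
    </fortigate>
  </fortigates>
</endpoint_control>"""


def audit_profile(xml_text):
    """Return a list of (fortigate_name, finding) tuples; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for fg in root.iter("fortigate"):
        name = (fg.findtext("name") or fg.findtext("serial_number") or "?").strip()
        pw = fg.findtext("registration_password")
        if pw is None or not pw.strip():
            findings.append((name, "missing registration_password"))
        elif not pw.startswith("Enc "):
            # Assumption: "Enc " prefix marks a FortiClient-encrypted value.
            findings.append((name, "registration_password stored in clear text"))
        addrs = (fg.findtext("addresses") or "").strip()
        for addr in filter(None, addrs.split(";")):
            host, sep, port = addr.rpartition(":")
            if not sep or not host or not port.isdigit():
                findings.append((name, "malformed address " + addr))
    return findings
```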
Support case logged - Ticket # 1446041.
One week on, the support engineer assigned to my case persists in asking that I enable a registration key on the FortiGate. My initial ticket problem description (the same text as in the original post above) indicates this has already been done (and is, in fact, the point at which the issue described begins).
I performed the steps he asked be performed and indicated the problem persists. He has again asked that I perform the same steps.
I've called in and asked to have the case escalated and the person with whom I spoke offered no assistance other than to have the engineer assigned call me (which he didn't do prior to repeating his low value instructions).
I have asked for a second time in my case response that the case be escalated. I also requested having the case reassigned.
*edit*
I called in again and had the case reassigned.
Stan
Two things to check:
Also, if you run the newly repackaged installer, does it register to the FortiGate successfully and silently?
Exporting the profile (utilizing the Backup function within Settings) does show that it has registration_password set.
The three IP addresses in the fortigate element correspond to three different interfaces on the same FortiGate unit (Wired LAN, Wireless LAN and SSL VPN).
Running the newly repackaged installer on a system without FortiClient installed does result in the system registering with the FortiGate successfully and silently. Unfortunately, running a repair operation using the newly repackaged installer does not change the behavior on clients where the installed FortiGate software was previously registered.
Uninstalling the FortiClient software and then reinstalling with the newly repackaged installer does result in successful silent registration. I've got a Group Policy configured to do just this, but have not yet enabled it as this seems like somewhat drastic means to an end (and provides a window for end-users to adjust settings as the uninstall password must be disabled to allow the uninstall). Should I ever wish/need to change the registration password, this current implementation would mean a full uninstall/reinstall of all clients (including the window of opportunity for users to disable protection) and I doubt this is intended behavior.
One last check:
Try deregistering the client from the FortiGate. You may use the FortiOS GUI or CLI (diagnose endpoint registration deregister). Ensure that the client has the new <fortigate> element with password before deregistering it. Then restart the computer system.
If this does not resolve it, then, I guess you need at least one manual step on each registered client:
Kassim:
Thank you for trying to help. Unfortunately, deregistering a client on the FortiGate prior to enabling the registration key requirement had no effect on the client prompting for a Registration Key on the next boot/logon in spite of having the registration password defined in the last profile received by the client.
I will continue to pursue the case with support through conclusion. I hope to have the ability to add/change the registration key added as a feature improvement as this really seems like something that should be practical to do without having to touch each individual endpoint or uninstalling/reinstalling the FortiClient software.
The support tech now assigned to the case seems engaged and I am hopeful we can at least get this issue addressed in a future version.
Sincerely,
Stan