FCT-5.0.9 Custom installer

Camshaft007 · ‎06-07-2014

I' ve been trying to use the " FCT-Configurator Tool" (FCT-CFT for short) to build a custom installer for days now, but the FCT-CFT does not use my custom.config file when creating the FortiClient.MSI for Manual Distribution.

Steps: 1. Launch FCT-CFT 2. Load License File 3. Load Custom.config file 4. Select " Everything" (I only need VPN and Application Firewall) and allow updates 5. FCT-CFT builds the .MSI' s However when I launch the FortiClient.MSI installer; NONE of the configuration parameters I' ve put in the Custom.config file have been enabled... Grr this makes me a sad Panda!

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

Chris_Lin_FTNT · ‎06-09-2014

Have you checked your custom.config before using it with FCT-CFT? E.g., restore it to a FortiClient and back again, to see if they are the same? Or you can share your custom.config, or send to forticlient-feedback@fortinet.com for Fortinet to take a look.

Camshaft007 · ‎06-10-2014

Ahh.. yes I did that actually and probably should have mentioned that.. (Downloaded the FCT-CFT via my subscription creds.. v.5.0.9 zip package) 1. Installed Full FCT on my Test system 2. Configured FCT the way want it for end users (I could disable AV/Web but not the TABS) 3. Created Backup.config file to use as template for FCT-CFT 4. Uninstalled FCT fully with Revo-uninstaller which cleaned up the mess after FCT was removed. 5. Customized the .config file created via backup in step .3 6. Launched FCT-CFT used my license file, used my Backup.config file, chose " Everything" , " no updates" . 7. .MSI install file was created. 8. Launched said .MSI file, FCT (v5.0.9) installs with the VPN Configured

, NO Application Firewall Tab

, Tabs for A/V and Webfilter still visible

... So I guess this means... I' m making progress? LOL.. Just frustrated at this point, I might just force users to use the Tunnel Widget via the SSLVPN portal instead.

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

Chris_Lin_FTNT · ‎06-12-2014

What I meant was, after step 5, was that config tested (e.g. restore it on a FortiClient), to see if it provides what you wanted? Before FortiClient is registered to FortiGate, it' s not expected to show App FW (or have the App FW function).

stukat · ‎06-11-2014

I have the same issue. We got around it by adding a registry key so that the Forticlient automatically registers to the FortiGate. Then we used the advanced config option on our FortiGate to specify all the settings we required. FYI, bug in 5.0.9.347 prevents scripting when VPN is connected.

Camshaft007 · ‎06-11-2014

Yea, my goal was to have a client that only had App.FW and VPN enabled from start, automatically(silently) register the client to the FGT, and disable the forticlient settings. I' m about 3/4 complete, but EVERY DAMN time you install the " Custom" Forticlient .MSI" the FortiClient updates it' s signatures and disables Windows Defender. I cannot have this happen with my remote/home users, else I will lose my mind!!

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

Chris_Lin_FTNT · ‎06-12-2014

I agree with stukat. Because your FortiClient will eventually register to a FortiGate and get the config, even if you want to create a custom installer MSI, you don' t need to config it in every detail.

Camshaft007 · ‎06-20-2014

Obviously my email notifications are not working... I will go over your posts and reply back with my findings in the AM.. I had no idea this thread was active until I signed on tonight.

" The Linux philosophy is ' Laugh in the face of danger' . Oops. Wrong One. ' Do it yourself' . Yes, that' s it." - Linus Torvalds

stukat · ‎06-12-2014

Don' t install a custom client. Install the base client. Then customize the script in the Fortigate itself using the advanced endpoint configuration. This way when it updates the config on the client you get exactly what you want. Finally got mine working. Last good release of the client (if you want to map drives) is 5.0.7.333 Part of my config...... FortiClient Configuration Deployment -------------------------------------------------------------------------------- Windows and Mac FortiClient configuration (XML format) entered below will be pushed to connecting clients. <?xml version=" 1.0" encoding=" UTF-8" ?> <forticlient_configuration> <forticlient_version>5.0.7.333</forticlient_version> <version>5.0</version> <date>2014/06/09</date> <partial_configuration>0</partial_configuration> <os_version>windows</os_version> <system> <ui> <ads>0</ads> <default_tab>VPN</default_tab> <flashing_system_tray_icon>1</flashing_system_tray_icon> <hide_system_tray_icon>0</hide_system_tray_icon> <suppress_admin_prompt>0</suppress_admin_prompt> <password /> <culture_code>os-default</culture_code> <gpu_rendering>0</gpu_rendering> </ui> <log_settings>

stukat · ‎06-12-2014

Forgot to mention that we needed to add a registry key prior to installing the client. This allows the silent registration. Key is [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FortiClient\FA_ESNAC] Manually register one client, export the key and then remove the user identifiable information. Take this revised key and install it on all clients. The FGPingServer & CustomFCCKPingServer are FQDN' s so that they can be reached internally and externally.