Hi everyone
I spend most of the day setting up a Fortigate 60D with SSLVPN configuration. I am using the FortiClient 5.2.3.0633 and Fortigate firmware is 5.2.2,build642 (GA).
The PC I use is a Windows 7 and is not domain joined.
I want to map four network drives when connected to the SSLVPN. When I connect to the SSLVPN from my PC on a external network I get authenticated and the correct IP and DNS settings, even the correct DNS-suffix is pushed out through the tunnel. I am able to ping file server and I am also able to access the directory I want to map by using the UNC path which is the same as I want to map by the script. So everything is in place, but the logonscript in the FortiClient configuration. My XML file looks like this:
<on_connect> <script> <os>windows</os> <script> <![CDATA[ net use S: \\SERVER\SHARENAME /user:#username#@domain.local #password# net use P: \\SERVER\SHARENAME /user:#username#@domain.local #password# net use V: \\SERVER\SHARENAME /user:#username#@domain.local #password# net use N: \\SERVER\SHARENAME /user:#username#@domain.local #password# ]]> </script> </script> </on_connect> <on_disconnect> <script> <os>windows</os> <script> <![CDATA[ net use P: /delete /yes net use S: /delete /yes net use V: /delete /yes net use N: /delete /yes ]]> </script> </script> </on_disconnect>
The funny part is that the first net use command runs perfectly and maps the S: drive, but none of the other drives gets mapped when I connect to the SSLVPN. After I have connected and the S: drive is mapped correctly I can without entering the domain credentials map the other drives (P:, V: and N:) after I logon on. and they all gets deleted when I disconnect as stated under the <on_disconnect>.
Could anyone please help me? Is it the right syntax I am using? Do I need to change anything in my configuration? I would love a way to automatically map ALL of the drives when I logon to the SSLVPN.
Thanks in advance
Regards inuit
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi everyone!
Based on your information sbuerger I managed to solved the problem. I used the troubleshooting method you explained with ProcessMonitor, ProcessExplorer and Winlister and saw exactly the same as you.
The PC not domain joined and therefore I cannot put the script in the NETLOGON folder since the PC cannot access it based on the fact that it hasn't the correct permissions. But I did manage to solve this issue. I used the following syntax and now the drives maps every single time.
<on_connect> <script> <os>windows</os> <script> <![CDATA[ net use S: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# && net use P: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# && net use V: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# && net use N: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# ]]> </script> </script> </on_connect>
By using the && it takes all the commands and put them on a string and then it runs them after each other. Now the FortiClient reads all the commands as one line, one command and not four single commands like before. On disconnect I did the same thing:
<on_disconnect> <script> <os>windows</os> <script> <![CDATA[ net use P: /delete /yes && net use S: /delete /yes && net use V: /delete /yes && net use N: /delete /yes ]]> </script> </script> </on_disconnect>
Again thank you so much for your help and time sbuerger!! This really made my day, now I am able to sleep again ;)
Regards inuit
Sorry, but your network may be too slow. :)
We are currently implementing ssl vpn too. Today we are exactly at the same steps with seeing really weird behaviour.
Sometimes all the script entries are executed, sometimes not all. Same client version and same firmware on the fortigate.
After hours of troubleshooting we found the problem. It is a design failure in the Forticlient.
The Forticlient gets the commands from the Fortigate. When the connection is established, the process "fortitray.exe" creates one batch file called fcts.cmd in the users temp folder %temp% and executes it in a hidden cmd process. The commands you add in the xml are all in this fcts.cmd.
For security reasons (obviously) it removes the fcts.cmd after a short time. If not all commands in the batch file are executed yet, they will not executed anymore. That is the case, since batch files under DOS existed. So if the first net use needs some time, it is the only net use that is executed...
For us sometimes 2, sometimes all 3 net use commands where executed, sometimes none...
Workaround: put the commands in a batchfile and put the batchfile on your server, for example the netlogon directory on your domain controllers. Then just execute the batchfile through the xml. Now it is only one command in the fcts.cmd and that is executed before they remove the fcts.cmd.
You'll miss the #username# and #password# function, that could be an issue for you. All our users are logging on locally with their domain credentials and till now we did not see an issue with using the net use commands without username/password.
For now we are using stuff like:
net use q: \\server\share /persistent:no
net use z: \\server\home\%username% /persistent:no
I hope we don't run into much issues when the users domain password need to be changed and he do this offline through OWA or Terminalserver. Then his local credentials may not match his domain credentials.
For the troubleshooting we used Sysinternals Process Explorer, Process Monitor; Nirsofts WinLister (where you can "unhide" the cmd) and a Deny Delete Permission on the test users temp folder. :)
btw, the #password# variable in the xml put the user password in the fcts.cmd on the hard drive. I did not test if they actually safe delete the cmd file or if you can recover the file and withit the password through tools like "Recuva".
I love trouble shooting. But we should get payed by the manufactures for failures like this...
---edit
Of course you can still use the #username# and #password# variable:
In the xml use something like "\\domain.com\netlogon\logonvpn.cmd #username# #password#"
In the cmd you can use %1 for the username and %2 for the password...
Not sure if you are aware but a windows 8.1 pro client does not need to be domain joined in order to have access to workfolders.
https://technet.microsoft.com/en-us/windows/dn140266.aspx
Doesn't help for Windows 7 but ....
Good luck
Hi everyone!
Based on your information sbuerger I managed to solved the problem. I used the troubleshooting method you explained with ProcessMonitor, ProcessExplorer and Winlister and saw exactly the same as you.
The PC not domain joined and therefore I cannot put the script in the NETLOGON folder since the PC cannot access it based on the fact that it hasn't the correct permissions. But I did manage to solve this issue. I used the following syntax and now the drives maps every single time.
<on_connect> <script> <os>windows</os> <script> <![CDATA[ net use S: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# && net use P: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# && net use V: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# && net use N: \\SERVER\SHARENAME /user:DOMAIN\#username# #password# ]]> </script> </script> </on_connect>
By using the && it takes all the commands and put them on a string and then it runs them after each other. Now the FortiClient reads all the commands as one line, one command and not four single commands like before. On disconnect I did the same thing:
<on_disconnect> <script> <os>windows</os> <script> <![CDATA[ net use P: /delete /yes && net use S: /delete /yes && net use V: /delete /yes && net use N: /delete /yes ]]> </script> </script> </on_disconnect>
Again thank you so much for your help and time sbuerger!! This really made my day, now I am able to sleep again ;)
Regards inuit
A colleague found that && means that the second command runs only when the first command returns with error level 0.
If you want to run them regardless of the error level of the command before a single & is used.
https://support.microsoft.com/en-us/kb/279253
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.