BeachBelter
New Contributor

FortiEMS VPN Tunnel "On Connect Script", is a delay needed?

We're setting up an EMS VPN Tunnel to push out a VPN profile to FortiClients.

In that script, we want to execute a gpupdate when the user connects to VPN. That way their GPO mapped drives will be mapped when the tunnel comes up.

The question: When exactly does this script run? Immediately after attempting to bring up the tunnel? Or only once the tunnel is successfully up and running? We're debating adding a sleep timer to the script to wait before executing the gpupdate. But we only want to do this IF it's necessary. Otherwise, we'd rather remove any delays, so users can have their mapped drives ASAP after the tunnel is up.

Mohamed_Gaber
Contributor

"When exactly does this script run?"

As detailed in the link below: "After the endpoints' FortiClient connects Zero Trust Telemetry to FortiClient EMS, EMS manages the endpoints, and you can use FortiClient EMS to push configuration information to FortiClient software on endpoints."

https://docs.fortinet.com/document/forticlient/6.4.7/ems-administration-guide/807105/pushing-configu...

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
mwissa
Staff

Have you tried the on_connect attribute?

You can add a sleep timer to the bat file

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Auto-running-script-when-connected-to-VP...

Mohamed_Gaber
Contributor

I did not try it. But the timer is logical for some reason. If the VPN runs while the user logs in to Windows, it will take time for the OS to be ready. Even in normal cases, it takes time after the VPN is up to be able to access the network.

In the load balancer, there are two timers. One is to not send sessions to the server when it comes on to give the OS time to start and become stable. The other is a period during which it sends a small rate of sessions to warm up. I found them, the intelligence of the designer.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
BeachBelter
New Contributor

After posting, I did some testing. I removed the timer altogether, and the gpupdate seems to have worked fine without any sort of delay.

Not confirmed if that's just the machine checking in, or the explicit gpupdate I put into the on connect script. I did try to set the logging to debug on the client, but it didn't output anything useful.

Mohamed_Gaber
Contributor

I was waiting for this test. You have two choices. Keep it so until there is a reported case. Or add the timer since it is added as an option for a reason. My choice is not to touch a working thing and keep it as it is. 

Good luck and thanks for sharing your experience.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
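
An added example, not part of any post in this thread: a PowerShell on-connect script that replaces a fixed sleep with a bounded wait for a reachable domain controller and writes timestamps to a log, so the log itself shows whether any delay was needed. Assumed here: a domain-joined client, that the on-connect hook can launch PowerShell in the user's session, and the log path; none of this is confirmed FortiClient behaviour.

```powershell
# Added example, not from the thread. Assumptions: domain-joined Windows client,
# the on-connect hook runs this in the user's session, and LDAP (TCP 389) to a
# domain controller only becomes reachable once the tunnel is actually up.
$ErrorActionPreference = 'Stop'
$LogFile    = Join-Path $env:TEMP 'vpn-onconnect.log'   # hypothetical log path
$TimeoutSec = 30                                        # upper bound on waiting
$Domain     = $env:USERDNSDOMAIN                        # empty when run as SYSTEM

function Write-Log([string]$Message) {
    "{0:o} {1}" -f (Get-Date), $Message | Add-Content -Path $LogFile
}

# Returns the name of the first DC that accepts a TCP connection, or $null.
function Test-DcReachable([string]$DnsDomain) {
    try {
        $srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -DnsOnly |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                if ($client.ConnectAsync($r.NameTarget, 389).Wait(2000)) { return $r.NameTarget }
            } catch { } finally { $client.Dispose() }
        }
    } catch { }   # DNS not answering yet: treat as "not ready"
    return $null
}

if (-not $Domain) { Write-Log 'USERDNSDOMAIN not set; skipping gpupdate'; exit 1 }

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$dc = $null
while (-not ($dc = Test-DcReachable $Domain) -and $sw.Elapsed.TotalSeconds -lt $TimeoutSec) {
    Start-Sleep -Seconds 1
}
if (-not $dc) {
    Write-Log "no domain controller reachable after $TimeoutSec s; gpupdate not run"
    exit 2
}
Write-Log ("DC {0} reachable after {1:N1} s" -f $dc, $sw.Elapsed.TotalSeconds)
# Answer 'n' on stdin so a logoff prompt cannot hang a hidden script.
$null = 'n' | gpupdate.exe /target:user
Write-Log "gpupdate exit code $LASTEXITCODE"
exit $LASTEXITCODE
```

If the log consistently shows the domain controller reachable after about 0 s, the hook fires once the tunnel is passing traffic and no sleep is needed; a non-zero wait means the script starts before the tunnel is usable.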