Forticlient (free) enterprise distribution - SCCM

TR · ‎04-16-2021

Has anyone gone thorugh the exercise of bundling the free Forticlient (6.0.x) MSI into a package for mass distribution throughout their enterprise via SCCM? Any pointers, suggestions, gotchas that you ran into that you're willing to share?

We're also trying to figure out how to bundle/pre-package our default Forticlient settings (Connection name, Remote Gateway URL, etc.) into the package - any recommendations on the good way to insert this into the package would be appreciated.

Thanks,

T.

AlexBeaudet · ‎04-30-2021

No problem here it is .

[ol]

Important to get the "offline installer" for the Free VPN because it then can be uninstalled by the user without any fuss.

Configure the client the way you want it and then export the XML.

We made a wrapper in c# that is a single click app which does the following:[ol]

The wrapper includes the MSI and XML files needed for installation and extracts them in a temp folder.

Then we use Powershell to install the MSI silently and import the config file with FCConfig.exe

After that we clean up the MSI and XML files and prompt for a reboot if needed. [/ol][/ol]

Here is the Powershell code for the installation itself :

Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList "/i c:\blablabla\FortiClientVPN.msi /passive /norestart /quiet INSTALLLEVEL=3 DESKTOPSHORTCUT=1" -wait
Start-Process "C:\Program Files\Fortinet\FortiClient\FCConfig.exe" -ArgumentList "-m vpn -f c:\blablabla\config.xml -o import -p YourPassWordForEncryptionIfNeeded" -wait

We had test users running 6.0.10 FortiClient and, at first, this app uninstalled that version (without rebooting) and installed 6.4.3 on top. We had corruption issues on most use cases where the FortiClient was behaving weirdly or not working at all. Clean uninstall and reinstall settled it.

Hope this helps!

View solution in original post

gecko · ‎04-23-2021

Hi!

for enterprise distribution you must use the ForticlientEMS.

There is no official way to create bundles with VPN Configutration.

You can create backups in the FortiClient and restore them to new installations, but you have to do this manually in the GUI.

Best regards

Heino

AlexBeaudet · ‎04-29-2021

We are starting to toy with our new EMS console and licences. But we also will be bundling the Free client for BYOD devices for tele-workers and students of our university.

All PCs on our domain (employees) will receive the FortiClientEMS via GPO and everyone else will download a small app we made that installs the Free offline client and then imports an XML config file.

If we didn't have EMS licences we would definately be using our same GPO technique to install the free client on PCs in the domain. I can share specifics if need be!

dbriden · ‎04-30-2021

Hi AlexBeaudet

We don't have EMS licencing and are looking at deploying forticlient and then installing the config from XML using the fcconfig.exe command. I would be interested in hearing your experiences/learning how you cope with the installation of the free client and then importing the XML config file just to see/learn from other people's experiences so if you could share specifics I would be grateful.

AlexBeaudet · ‎04-30-2021

No problem here it is .

[ol]

Important to get the "offline installer" for the Free VPN because it then can be uninstalled by the user without any fuss.

Configure the client the way you want it and then export the XML.

We made a wrapper in c# that is a single click app which does the following:[ol]

The wrapper includes the MSI and XML files needed for installation and extracts them in a temp folder.

Then we use Powershell to install the MSI silently and import the config file with FCConfig.exe

After that we clean up the MSI and XML files and prompt for a reboot if needed. [/ol][/ol]

Here is the Powershell code for the installation itself :

Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList "/i c:\blablabla\FortiClientVPN.msi /passive /norestart /quiet INSTALLLEVEL=3 DESKTOPSHORTCUT=1" -wait
Start-Process "C:\Program Files\Fortinet\FortiClient\FCConfig.exe" -ArgumentList "-m vpn -f c:\blablabla\config.xml -o import -p YourPassWordForEncryptionIfNeeded" -wait

We had test users running 6.0.10 FortiClient and, at first, this app uninstalled that version (without rebooting) and installed 6.4.3 on top. We had corruption issues on most use cases where the FortiClient was behaving weirdly or not working at all. Clean uninstall and reinstall settled it.

Hope this helps!

dbriden · ‎04-30-2021

Many thanks for the information

AlexBeaudet · ‎04-30-2021

My pleasure!

edd080 · ‎04-28-2022

Thank you for your above post I was searching for such a solution, in my case I am upgrading users from ver 6.xx to 7.xx, would the above powershell code avoid the issues you mentioned in your last paragraph?

I was facing some issues where the VPN would get upgraded and when the user tries to connect the software reaches 98% and no connection is done; it simply resets the credentials field as if the user never tried to log in. I ended up having to uninstall, reboot and install the updated version from scratch.

Thanks.

kaschumm · ‎06-04-2021

I extract the MSI from the EXE and then use the PowerShell App Deploy Toolkit. Then in the Post Installation section I use FCConfig.exe to import the config file I backed up previously.

Helpful links:

FortiClient VPN Silent Install (How-To Guide) – Silent Install HQ

This is for version 7, but you can adapt it for other versions. There's a link on this page that has the Powershell script they're using.

FCConfig.exe info for backing up and restoring the config:

XML Reference Guide | FortiClient 6.0.10 | Fortinet Documentation Library

In the Post-Installation section I add this line to import the config (I believe it requires a logged in user as I've had hit and miss results):

Execute-Process -Path 'C:\Program Files\Fortinet\FortiClient\FCConfig.exe' -Parameters "-m all -f $dirFiles\FortiClientSettings.conf -o import -i 1"