Not applicable

HOWTO: Custom Unattended FortiClient Install

#################### PLEASE NOTE - The instructions below were developed for FortiClient 1.2 MR2. As of FortiClient 1.2 MR3, the FortiClient Release Notes contain the best information for creating a custom unattended installation. Please use that as your guide. You can find the release notes at http://kc.forticare.com/. The information below is obsolete. ####################

The following series of posts will show you how you can put together a custom unattended setup of the FortiClient VPN software.

Goals:
  • Unattended Install
  • Deselection of unnecessary components (the Firewall and Anti-Virus components in this case)
  • Include FortiClient license key
  • Include VPN tunnel information

For this task you will need the following:
  • FortiClientSetup_1.2.172.zip or the latest FortiClient from the support website.
  • MaSaI Editor from http://www.masaieditor.com (thanks UKWizard)

* Note: If all you want is an unattended installation with the Firewall and Anti-Virus components deselected, you can download a pre-edited 1033.mst file attached to this post.

** Note: These instructions were developed using FortiClient 1.2 build 172 and MaSaI Editor 1.8.1654.0. The instructions may not work if any other versions are used.

Ok, let's get started! When unzipping the client, you may have noticed that it contains 3 files.
     12/15/2004  03:35 PM             3,584 1033.mst
     12/15/2004  03:35 PM            34,304 2052.mst
     12/15/2004  03:35 PM        12,220,928 FortiClient.msi
                    3 File(s)     12,258,816 bytes
    Briefly, the FortiClient.msi file is the main installation file. The other two .mst files are language oriented transform files. Region code 1033 is English. Region code 2052 is Simplified Chinese. For purposes of this HowTo, we will only be using the 1033.mst file. The file 2052.mst can be deleted or ignored.

    After you have downloaded and installed the MaSaI Editor, you may notice that it starts in "Trial" mode. The editor gives you full functionality for 20 days before it turns into the "Free" edition. The downside of this period of full functionality is that it adds a pop-up window during the install of each saved project stating that the project was edited and saved using the trial MaSaI Editor. The Free version gives very limited functionality, but does not add the annoying prompt into your projects. Since we only need the limited functionality provided by the Free version for this project (and we do not want the annoying pop-up window displayed to our easily confused users), we will abort the trial period and convert the Editor into the Free version.

    STEP 1 - Aborting the MaSaI Editor Trial Period

    Open the MaSaI Editor. On the title bar, it will state "MaSaI Editor Trial". Go to Help then Enter Update Serial Number..., and enter anything you wish. After clicking Ok, the program will report that the serial number is invalid. Simply click Ok to dismiss the error message and you should notice that the window title bar has changed to just "MaSaI Editor". You are now working in the limited Free mode. If this doesn't work for you, try closing the editor and re-opening it again.
    Not applicable

    STEP 2 - Open the MST for Editing

    Open the 1033.mst file in the editor using File then Open. Once you have selected the file, it will prompt you to apply it to an MSI file. You will want to apply it to the FortiClient.msi file.

    STEP 3a - Remove the Firewall and Anti-Virus Components

    Once you have opened the .mst file, you will have 3 tabs across the top. The first and second tabs are available in the Free Editor. Clicking on the "Recycle Bin" tab will result in a message prompting you to purchase the product if you wish to use that feature. That's fine because everything we need is in the first two tabs.

    In the "All Tables" tab, select "Feature". This will bring up a table view of all the available features. You can disable the Firewall and Anti-Virus features by changing the "FW", "AV", "Drivers_AV", "Drivers_FW", "REGISTRY_AV", and "REGISTRY_FW" Feature(s) to have a Level of "101" and Attributes of "0". See the screenshot below for an example.
    Not applicable

    STEP 3b - Remove the Firewall and Anti-Virus Components

    Next, scroll down and select "Property" from the list of tables. Here, you will want to change the "AgreeToLicense" Property to "Yes" and the "_IsSetupTypeMin" Property to "Custom". See the following screenshot for further clarification.
    Not applicable

    STEP 4a - Adding in additional items

    Since we have the transform file open for editing, let's add some other things into the file that will make the FortiClient rollout even more automated: like a tunnel configuration and the FortiClient license key. The easiest way to do this is to switch to the "IQ Views" tab in the MaSaI Editor. From there, you can simply click on "Registry" on the left hand column to display your local registry (on the top) and the registry entries that will be made by installing the FortiClient with this transform file (on the bottom). If you have the FortiClient installed on the machine you are running the editor from, you can simply drag entries from the top section to the bottom. This is not the case for me, so I will show you how to add them another way.

    Unfortunately, to add the FortiClient license key you cannot simply create the value and assign your key to it. Your key must be converted into a binary/hex format first. So, the easiest way to insert your key is to export it from a machine that has the FortiClient already registered. Simply run regedit on that computer, open up the HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient key, right click on it and export the information to a file. When you open this file, you will find all the values saved in the entire FortiClient key tree. Near the top you should find a binary/hex value called "serial_number". This is your license key converted into binary/hex. Once you locate it, you can simply delete the rest and end up with a file that contains only the information shown below:

     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient]
     "serial_number"=hex:12,34,56,78,9a,bc,de,f0,12,34,56,78,9a,01,23,45,67

    * The example above does not contain a valid key.

    Once you have this information in a .reg file, you can import it into the MaSaI Editor using the "Import" button. It will show up on the bottom portion of the screen in the location that it existed on the PC that you exported it from. There is one more thing we need to change before it will work. Browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient key. Double click on the "serial_number" value to open its properties. You'll want to change the component box to "ISRegistryComponent" or it will not be used during the install, even though it has been defined. See the screenshot below for an example of what things should look like.
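The manual trimming in step 4a (export the whole FortiClient key, then delete everything except "serial_number") can also be scripted. This is an added example, not part of the original post or of any Fortinet tooling; it assumes a regedit version 5 export, and the sample export with its `example_*` values is constructed around the post's placeholder key.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient"

# Constructed sample export: the post's placeholder key (wrapped the way
# regedit wraps long hex data) plus made-up values that must be dropped.
SAMPLE = (
    HEADER + "\r\n\r\n"
    "[" + KEY + "]\r\n"
    '"serial_number"=hex:12,34,56,78,9a,bc,de,f0,12,\\\r\n'
    "  34,56,78,9a,01,23,45,67\r\n"
    '"example_other"="constructed"\r\n\r\n'
    "[" + KEY + "\\IPSec]\r\n"
    '"example_value"=dword:00000001\r\n'
)

def parse_reg(text):
    """Parse regedit v5 export text into {key_path: {value_name: raw_data}}."""
    # Long hex values continue on the next line after a trailing backslash.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def extract_value(text, key, name):
    """Return a minimal .reg document that holds only the value key\\name."""
    if not text.lstrip("\ufeff").startswith(HEADER):
        raise ValueError("not a regedit version 5 export")
    values = {k.lower(): v for k, v in parse_reg(text).items()}.get(key.lower())
    if values is None or name not in values:
        raise KeyError(f"{name} not found under {key}")
    return f'{HEADER}\r\n\r\n[{key}]\r\n"{name}"={values[name]}\r\n'

def hex_value_bytes(raw):
    """Decode a 'hex:aa,bb,...' data field (REG_BINARY) into bytes."""
    if not raw.startswith("hex:"):
        raise ValueError("not a REG_BINARY value")
    return bytes(int(b, 16) for b in raw[4:].split(",") if b)
```

regedit writes version 5 exports as UTF-16 with a byte-order mark, so read the exported file with `encoding="utf-16"` before passing its text to `extract_value`.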
    Not applicable

    STEP 4b - Adding in additional items

    Now it's time to add in the tunnel config. All you need for this is to export a tunnel configuration file from an existing FortiClient installation. The file you export will be named with a .vpl extension by default. You can simply rename the file to a .reg extension and treat the file as you would any other registry export file.

    Going back to the same spot in the MaSaI Editor where we left it in step 4a, we can add our tunnel configuration by importing the .reg file that we created above. That's all there is to it. You should be able to expand the tree to find a new "IPSec" key. Underneath that key should be a "Tunnels" key and under that, the configuration for the tunnel that you imported.

    When you imported the configuration, all the values were assigned a "Component" of "Registry". We could go to each value and assign the component to "ISRegistryComponent" like we did to the "serial_number" value we added above, but that is too much work. Instead, go back to the "All Tables" tab in the MaSaI Editor and click on "FeatureComponents". You will notice at the bottom of this table that there is a Component_ of "Registry" assigned to the Feature_ of "FW". Since we deselected the Firewall (FW) feature previously, none of the components assigned to that feature will be installed including our new imported tunnel entries. So, we can simply change the Feature_ from "FW" to "VPN" so that our tunnel import entries will be installed with the VPN. That makes more sense anyway, since the tunnel settings apply to the VPN feature. See the attached image below.
    Not applicable

    We have done a custom install using much the same principles described by Jbult. We used Masai to edit out AV and FW, giving us an msi without these options. But from here on we used Inno Installer to create the installation pack. The installer executes the FortiClient.MSI silently and starts a small app we created to personalize the VPL, as we use unique user IDs and pre-shared keys. The app is also used to set the client IP. The app modifies the default VPL created to suit our needs and imports it to the registry.

    The installer also creates a few shortcuts on the desktop and start menu:
      • URL to a VPN-startpage on our intranet
      • RDP shortcut to our terminal server
      • Some help documents
      • Shortcut to the user configuration app if the user would need to change his USRID, Pre-Shared Key or VIP

    The app to configure the vpl can be found at www.elektromekan.com/extranet/vpn_eng.exe
    The model VPL file must be named userdata.reg and located in the same folder as the app.
    Not applicable

    I found this helpful. Thanks. I've chosen to use the Import VPL function on the client menu so each user can have their own ID rather than embed the tunnel as part of the install. One thing I haven't figured out yet is how to prevent the Forticlient from running through the config menu after it reboots from the silent install. I would like to have those items preconfigured as well. Can you tell me what I have overlooked or misunderstood?
    Not applicable

    STEP 5 - Running the Install

    Once you've saved the file and quit the MaSaI Editor, you can copy the 1033.mst file you've just edited and the FortiClient.msi file to your test machine to be tested. I recommend you either use a VMWare session or use a PC and drive image program (such as Acronis True Image) which you can use to re-image the PC several times for testing. If you want to test the new transform file we created, simply type

    FortiClient.msi TRANSFORMS=1033.mst

    When you're ready to distribute the client, you can use other commands like

    FortiClient.msi /qb TRANSFORMS=1033.mst

    to run an unattended installation that will display progress and only prompt the user to reboot or

    FortiClient.msi /passive TRANSFORMS=1033.mst

    for an unattended installation that will display progress to the user, but not prompt them to reboot. There are many other options which you can find by typing in

    msiexec /?

    That's it! Hope you find this useful.
    UkWizard
    New Contributor

    Thanks a lot Jbult, you could have posted this two weeks ago, as I have just worked all this out then. Could have saved me the trouble ...
    UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
    UkWizard
    New Contributor

    Nice work on the license and vpl part of it though, I didn't get that far. Well done, I have some command line syntaxes if you're interested in starting the vpn automatically (both ipsec and pptp/l2tp).
    UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.