Siocnarf
New Contributor

Scripting installation of Forticlient 7

Hi,

 

We are using a script to install FortiClient, but I have some issues:

1. During the installation, we are getting an error saying the FortiClient is managed. This is happening when importing an XML to set the config. We are getting error 2.

2. During uninstall, we are unable to remove the client with msiexec /x; it says it is managed. However, it is possible if we do it with the system account.

3. We did a migration from version 6 to version 7 on a computer already connected to the VPN, at home. After rebooting, we were unable to select the VPN connection window.

 

Note 1 2023-10-23 - More details:

I will give more details:

1. With FortiClient 6.4.7 and FortiClient 7.0.9

2. During the uninstallation by using the Windows Installer command we get the error 1603. The meaning of 1603 is "Forticlient Cannot be modified or removed while it is registered to a remote management server". If we use the system account or another local admin account, then it uninstalls correctly. Is it possible to remove it with a domain account? We suppose there is an option in the RMS?!

2. Frequently, we get failures, particularly with FortiClient 7, with this command line:

"C:\Program Files\Fortinet\FortiClient\FCConfig.exe" -m all -f "C:\profile_VPN.xml" -o import -i 1

Then we get exit code 2

The meaning is "The configuration settings are protected with registration"

Most of the time it is working on FortiClient 6 and failing frequently on FortiClient 7.

What should I do to get it working?

This seems to happen when the installation is slower (slow machine or network). So I suppose, on a fast install, the software gets installed before getting registration from RMS?!

3. In a migration scenario, I was at home connected with VPN. Then I got the 6 to 7 upgrade and everything was fine. But! After the reboot, I started FortiClient and was not able to reach the VPN access tab; FortiClient was just changing to Zero Trust Telemetry by itself, so I was not able to log in to VPN, the RMS was not reachable, and I was not able to remove FortiClient 7 and reinstall FortiClient 6.

a. What may cause this issue?

b. In this scenario, I needed a scripted way to remove FortiClient. As we have a lot of home users, this scenario will happen a lot and we cannot migrate.

Here is the XML:

 

<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<options>
<enabled>1</enabled>
<dnscache_service_control>2</dnscache_service_control>
<prefer_sslvpn_dns>0</prefer_sslvpn_dns>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<preferred_dtls_tunnel>1</preferred_dtls_tunnel>
<keep_connection_alive>1</keep_connection_alive>
<block_ipv6>1</block_ipv6>
<no_dns_registration>0</no_dns_registration>
</options>
<connections>
<connection>
<name>Education</name>
<uid>ACF6E031-9FA8-4878-A021-EC608CDE21CD</uid>
<server>xxx:443</server>
<username/>
<password/>
<certificate/>
<prompt_certificate>0</prompt_certificate>
<prompt_username>1</prompt_username>
<fgt>1</fgt>
<disclaimer_msg/>
<sso_enabled>0</sso_enabled>
<single_user_mode>0</single_user_mode>
<ui>
<show_remember_password>0</show_remember_password>
<show_alwaysup>0</show_alwaysup>
<show_autoconnect>0</show_autoconnect>
<save_username>0</save_username>
</ui>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
<redundant_sort_method>0</redundant_sort_method>
<RedundantSortMethod>0</RedundantSortMethod>
<host_check_fail_warning/>
<traffic_control>
<enabled>1</enabled>
<mode>2</mode>
<isdb_objects>
<object>
<owner>1</owner>
<app>100</app>
</object>
<object>
<owner>1</owner>
<app>105</app>
</object>
<object>
<owner>1</owner>
<app>107</app>
</object>
<object>
<owner>1</owner>
<app>110</app>
</object>
<object>
<owner>2</owner>
<app>100</app>
</object>
<object>
<owner>2</owner>
<app>112</app>
</object>
<object>
<owner>2</owner>
<app>117</app>
</object>
<object>
<owner>5</owner>
<app>102</app>
</object>
<object>
<owner>5</owner>
<app>111</app>
</object>
<object>
<owner>12</owner>
<app>100</app>
</object>
<object>
<owner>18</owner>
<app>100</app>
</object>
<object>
<owner>18</owner>
<app>119</app>
</object>
<object>
<owner>30</owner>
<app>103</app>
</object>
<object>
<owner>33</owner>
<app>100</app>
</object>
<object>
<owner>98</owner>
<app>118</app>
</object>
<object>
<owner>5</owner>
<app>101</app>
</object>
<object>
<owner>5</owner>
<app>200</app>
</object>
<object>
<owner>5</owner>
<app>206</app>
</object>
<object>
<owner>5</owner>
<app>222</app>
</object>
<object>
<owner>5</owner>
<app>223</app>
</object>
<object>
<owner>6</owner>
<app>100</app>
</object>
<object>
<owner>13</owner>
<app>100</app>
</object>
<object>
<owner>17</owner>
<app>100</app>
</object>
</isdb_objects>
<fqdns>
<fqdn>youtube.com</fqdn>
</fqdns>
<apps>
<app>%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe</app>
<app>C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE</app>
</apps>
</traffic_control>
</connection>
</connections>
</sslvpn>
<ipsecvpn>
<options>
<enabled>0</enabled>
<use_win_current_user_cert>1</use_win_current_user_cert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<beep_if_error>0</beep_if_error>
<usewincert>1</usewincert>
<uselocalcert>0</uselocalcert>
<usesmcardcert>1</usesmcardcert>
<block_ipv6>1</block_ipv6>
<enable_udp_checksum>0</enable_udp_checksum>
<disable_default_route>0</disable_default_route>
<show_auth_cert_only>0</show_auth_cert_only>
<check_for_cert_private_key>0</check_for_cert_private_key>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<no_dns_registration>0</no_dns_registration>
</options>
<connections/>
</ipsecvpn>
<options>
<current_connection_name/>
<current_connection_type>ssl</current_connection_type>
<autoconnect_tunnel/>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<allow_personal_vpns>1</allow_personal_vpns>
<disable_connect_disconnect>0</disable_connect_disconnect>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<keep_running_max_tries>0</keep_running_max_tries>
<minimize_window_on_connect>1</minimize_window_on_connect>
<use_windows_credentials>0</use_windows_credentials>
<show_negotiation_wnd>1</show_negotiation_wnd>
<suppress_vpn_notification>0</suppress_vpn_notification>
<secure_remote_access>0</secure_remote_access>
<on_os_start_connect/>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

 

 

Thanks,
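
A profile like the one posted above is pushed to every machine by the deployment script, so it is worth auditing before the FCConfig import runs. The PowerShell below is an added example, not part of the original post and not Fortinet code; the names Test-VpnProfile and Get-Setting, the trimmed sample profile, and the reading of each element from its name are assumptions.

```powershell
# Added example: audit a FortiClient profile before FCConfig imports it.
# What each element controls is an assumption inferred from its name.
function Get-Setting($Node, [string]$XPath) {
    $n = $Node.SelectSingleNode($XPath)
    if ($null -ne $n) { $n.InnerText.Trim() } else { $null }
}

function Test-VpnProfile {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not fetch external DTDs or entities
    try { $doc.LoadXml($Xml) }
    catch { return @("not well-formed XML: $($_.Exception.Message)") }
    $root = $doc.DocumentElement
    if ($root.Name -ne 'forticlient_configuration') {
        return @("unexpected root element <$($root.Name)>")
    }
    $findings = @()
    # A missing element is treated the same as a value other than 1.
    if ((Get-Setting $root 'vpn/sslvpn/options/disallow_invalid_server_certificate') -ne '1') {
        $findings += 'sslvpn: invalid server certificates are not rejected'
    }
    if ((Get-Setting $root 'vpn/options/allow_personal_vpns') -eq '1') {
        $findings += 'vpn: users may add their own VPN connections'
    }
    foreach ($c in $root.SelectNodes('vpn/sslvpn/connections/connection')) {
        $name = Get-Setting $c 'name'
        if (Get-Setting $c 'password') {
            $findings += "connection '$name': password stored in the profile file"
        }
        if ((Get-Setting $c 'warn_invalid_server_certificate') -ne '1') {
            $findings += "connection '$name': no warning on invalid server certificate"
        }
    }
    return $findings
}

# Constructed sample: a trimmed copy of the profile posted above.
$sample = @'
<?xml version="1.0" ?>
<forticlient_configuration><vpn>
  <sslvpn>
    <options><disallow_invalid_server_certificate>0</disallow_invalid_server_certificate></options>
    <connections><connection><name>Education</name><password/>
      <warn_invalid_server_certificate>1</warn_invalid_server_certificate></connection></connections>
  </sslvpn>
  <options><allow_personal_vpns>1</allow_personal_vpns></options>
</vpn></forticlient_configuration>
'@
Test-VpnProfile -Xml $sample | ForEach-Object { Write-Warning $_ }
```

An empty result means none of the four checks fired; a deployment script can log the findings or stop before calling FCConfig.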

ebilcari
Staff

There are some steps to be considered related to FortiClient EMS before changing FortiClient on the end hosts. This part of the documentation will guide you through the steps and compatibility issues for different versions of FCT and EMS. The upgrades can be deployed via EMS; you don't need any custom scripts.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Siocnarf

We are using the same method to deploy all software using a script. We are deploying with SCCM. As far as I know from reading your site, it is possible to do it. Actually, we have no issues deploying FortiClient 6, but for an unknown reason the uninstall no longer works when run from an admin account, but it works with the system account.

With FortiClient 7, we have maybe 30% failure when importing the XML file to set the settings, but not on FortiClient 6. The uninstall has the same issue as FortiClient 6.

 

Thanks,

 
