FortiClient
tsimeonov_FTNT
Article Id 196305

Description


To enable the DNS registration option for SSL VPN clients when FortiClient participates in FSSO, special steps must be followed.

Specifically, there is an additional registry value which needs to be changed.

Complete the Following Steps:

1) Enable DNS registration under Network properties:

[Screenshots: fortissl adapter properties, IPv4 properties, DNS registration enabled]

2a) If the FortiClient version is 5.2.1 or earlier, or if FortiClient is unmanageable:
Note: All steps must be performed under a workstation administrator account.

2a.1) Shut down FortiClient.
2a.2) net stop fortishield
2a.3) Start CMD with administrator privileges and add the following registry value:


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FortiClient\Sslvpn]
"WinDnsCacheService"=dword:00000003


2a.4) net start fortishield
2a.5) Start FortiClient.

2b) Alternatively, if FortiClient is manageable by the FortiGate (FGT) and the FortiClient (FC) version is 5.2.2 or above, all steps from 2a can be automated by adding the following XML element to the FortiClient configuration XML script.


<dnscache_service_control>3</dnscache_service_control>


For example:


<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
    <partial_configuration>1</partial_configuration>
    <os_version>windows</os_version>
    <vpn>
        <sslvpn>
            <options>
                <enabled>1</enabled>
                <dnscache_service_control>3</dnscache_service_control>
                <!--0=disable dnscache, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange-->
            </options>
        </sslvpn>
    </vpn>
</forticlient_configuration>
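
For the manual path in step 2a, the following PowerShell script is an added example (not part of the original article or Fortinet's own tooling) that applies steps 2a.2 to 2a.4 with checks around them: it records the previous value, restarts the service even if the registry write fails, and verifies the result. The service name, registry path, value name and data are taken from the article; everything else is an assumption of this example, and FortiClient must already be closed (step 2a.1) before running it.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of steps 2a.2-2a.4. Close FortiClient first (step 2a.1).
$ErrorActionPreference = 'Stop'

# Path, value name and data exactly as given in the article.
$keyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FortiClient\Sslvpn'
$valueName = 'WinDnsCacheService'
$wanted    = 3

if (-not (Test-Path $keyPath)) {
    throw "Registry key not found: $keyPath"
}

# Record the current value so the change can be reverted later if needed.
$before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $before) { Write-Host "$valueName is not currently set" }
else                   { Write-Host "$valueName before change: $before" }

if ($before -eq $wanted) {
    Write-Host 'Value already set; nothing to do.'
    return
}

# Step 2a.2: stop the service, using the same command as the article.
net.exe stop fortishield
if ($LASTEXITCODE -ne 0) {
    throw "net stop fortishield failed (exit code $LASTEXITCODE); registry left unchanged"
}

try {
    # Step 2a.3: write the DWORD value.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value $wanted -Force | Out-Null
}
finally {
    # Step 2a.4: always bring the service back, even if the write failed.
    net.exe start fortishield
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "net start fortishield failed (exit code $LASTEXITCODE)"
    }
}

# Verify the value that is actually stored.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne $wanted) {
    throw "Verification failed: $valueName is '$after', expected $wanted"
}
Write-Host "$valueName set to $after. Start FortiClient again (step 2a.5)."
```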
