Tuesday, July 5, 2022

Fortinet VPN Profile distribution with MDM

Fortinet Document Library has a documented routine for distributing the FortiClient application with Intune to Microsoft Windows devices. This routine works OK, but it lacks information on how to distribute the VPN profiles to the client. That is the topic of this post.

Installation of the FortiClient application

Please read and follow the document in Fortinet Document Library covering how to configure the FortiClient application in Intune. During this routine you need to download the current FortiClient VPN client and run the downloaded EXE file, which then downloads the actual MSI installer. It is wise to do this in a Windows Sandbox environment. You will find the MSI file in the newest folder with a {randomguid} name under %localappdata%\Temp\.
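Locating that MSI by hand is error-prone, and the file you upload to Intune is what every device will execute, so it is worth checking its signature and recording its hash before packaging. The following is an added example (not part of the Fortinet documentation or this post's own scripts); the folder-name pattern and the assumption that the MSI sits under the newest {guid} folder are mine, taken from the step described above.

```powershell
# Added example: find the MSI the FortiClient EXE downloader left under
# %LOCALAPPDATA%\Temp\{guid}\ and verify it before uploading it to Intune.
$TempRoot = Join-Path $env:LOCALAPPDATA 'Temp'

# Newest {guid}-named folder, which is where the downloader unpacks the MSI
$GuidFolder = Get-ChildItem -Path $TempRoot -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f\-]{36}\}$' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $GuidFolder) { throw "No {guid} folder found under $TempRoot; run the EXE downloader first." }

$Msi = Get-ChildItem -Path $GuidFolder.FullName -Filter *.msi -Recurse |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $Msi) { throw "No MSI found under $($GuidFolder.FullName)." }

# Authenticode check: only package an installer whose signature chain validates,
# and confirm the Subject below names the vendor you expect
$Sig = Get-AuthenticodeSignature -FilePath $Msi.FullName
if ($Sig.Status -ne 'Valid') { throw "Signature on $($Msi.Name) is $($Sig.Status); do not upload." }

# Record path, signer and SHA-256 so the Intune upload can be cross-checked later
[pscustomobject]@{
    Path   = $Msi.FullName
    Signer = $Sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $Msi.FullName -Algorithm SHA256).Hash
} | Format-List
```

Run this in the same Windows Sandbox session that ran the EXE downloader; keep the printed SHA-256 with your Intune app record so a later re-download can be compared against what was actually deployed.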

After this routine has been set up and you have the app distributed to a group and installed, you will find the application available in the system tray on the devices.
Screenshot: FortiClient without VPN profile

The problem here is the missing VPN profile for connecting your client to the service.

Installation of FortiClient VPN Profile

I am using proactive remediations to distribute the VPN profile to the Windows devices. This means an appropriate license SKU is a prerequisite.

The scripts used for detection and remediation are located in my GitHub account.

The detection script checks whether a defined VPN profile key exists under the FortiClient tunnels path in the local registry.
<#
  .NOTES
  ===========================================================================
   Created on:    27.06.2022
   Created by:    Simon Skotheimsvik
   Filename:      FortinetVPNProfile-Detect.ps1
   Instructions:    https://skotheimsvik.blogspot.com/
  ===========================================================================
 
  .DESCRIPTION
    This script will detect if VPN profile is present
#>

# Defining variables for the VPN connection
$VPNName = "Simons VPN"

# Exit 1 tells Intune the profile is missing, which triggers the remediation script
if ((Test-Path -LiteralPath "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName") -ne $true) {
  Write-Host "Not existing"
  Exit 1
}
else {
  Write-Host "OK"
  Exit 0
}

The remediation script will kick in if the detection script finds the profile to be missing.
<#
  .NOTES
  ===========================================================================
   Created on:      27.06.2022
   Created by:      Simon Skotheimsvik
   Filename:        FortinetVPNProfile-Remediation.ps1
   Instructions:    https://skotheimsvik.blogspot.com/
  ===========================================================================
 
  .DESCRIPTION
    This script will create a VPN profile
#>

# Defining variables for the VPN connection
$VPNName = "Simons VPN"
$Server = "vpn.skotheimsvik.no:443"
$TunnelKey = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$VPNName"

# Install VPN profile: create the tunnel key, then the values FortiClient reads from it
New-Item -Path $TunnelKey -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $TunnelKey -Name 'Description' -Value $VPNName -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $TunnelKey -Name 'Server' -Value $Server -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $TunnelKey -Name 'promptusername' -Value 1 -PropertyType DWord -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $TunnelKey -Name 'promptcertificate' -Value 0 -PropertyType DWord -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $TunnelKey -Name 'ServerCert' -Value '1' -PropertyType String -Force -ErrorAction SilentlyContinue

# Report success to Intune only if the tunnel key now exists
if ((Test-Path -LiteralPath $TunnelKey) -ne $true) {
    $exitCode = -1
}
else {
    $exitCode = 0
}

exit $exitCode
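The two scripts above only test for the tunnel key, so a profile whose Server value has been changed still counts as compliant, and every extra tunnel means another copy of both scripts. The block below is an added example (not the post's own scripts) that covers both the detection and the remediation step from one shared profile table: it checks every value, not just the key, creates the key only when absent, and can carry several tunnels. The function names, the `$Mode` switch and the second profile ("Example VPN" at vpn.example.invalid:443) are constructed for illustration; the first profile and the value names and types are the ones the post writes. It also assumes the proactive remediation package is set to run in 64-bit PowerShell, since a 32-bit host would redirect HKLM:\SOFTWARE into WOW6432Node.

```powershell
# Added example, not the post's own scripts: one shared block for both proactive
# remediation files. Copy it into both scripts and set $Mode to 'Detect' in the
# detection script and 'Remediate' in the remediation script.
$Mode = 'Remediate'

# First profile is the one from the post; the second is a constructed placeholder
# showing that the same scripts can carry several tunnels.
$Profiles = @(
    @{ Name = 'Simons VPN';  Server = 'vpn.skotheimsvik.no:443' }
    @{ Name = 'Example VPN'; Server = 'vpn.example.invalid:443' }
)
$TunnelRoot = 'HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels'

# A 32-bit PowerShell host on a 64-bit OS writes HKLM:\SOFTWARE into WOW6432Node,
# which is not where the 64-bit FortiClient looks. Assumes the package setting
# "Run script in 64-bit PowerShell" is enabled; fail loudly otherwise.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Host 'Running in 32-bit PowerShell; enable 64-bit PowerShell in the package settings'
    exit 1
}

function Get-ExpectedValues([hashtable]$Profile) {
    # Same value names and types the post's remediation script writes
    @{
        Description       = @{ Value = $Profile.Name;   Type = 'String' }
        Server            = @{ Value = $Profile.Server; Type = 'String' }
        promptusername    = @{ Value = 1;               Type = 'DWord'  }
        promptcertificate = @{ Value = 0;               Type = 'DWord'  }
        ServerCert        = @{ Value = '1';             Type = 'String' }
    }
}

function Test-FortiVpnProfile([hashtable]$Profile) {
    # $true only when the tunnel key exists AND every expected value matches,
    # so a profile pointing at the wrong server is reported as non-compliant too
    $key = "$TunnelRoot\$($Profile.Name)"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($entry in (Get-ExpectedValues $Profile).GetEnumerator()) {
        $actual = $item.PSObject.Properties[$entry.Key]
        if ($null -eq $actual -or "$($actual.Value)" -ne "$($entry.Value.Value)") { return $false }
    }
    return $true
}

function Set-FortiVpnProfile([hashtable]$Profile) {
    $key = "$TunnelRoot\$($Profile.Name)"
    # Create the key only when absent so an existing key is not replaced wholesale;
    # New-ItemProperty -Force then overwrites individual values in place
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($entry in (Get-ExpectedValues $Profile).GetEnumerator()) {
        New-ItemProperty -LiteralPath $key -Name $entry.Key -Value $entry.Value.Value `
            -PropertyType $entry.Value.Type -Force | Out-Null
    }
}

if ($Mode -eq 'Remediate') {
    foreach ($p in $Profiles) { Set-FortiVpnProfile $p }
}

# Both scripts end with the same verification; the Write-Host line is what shows
# up in the Intune report, and exit 1 from the detection copy triggers remediation
$NonCompliant = @($Profiles | Where-Object { -not (Test-FortiVpnProfile $_) } | ForEach-Object { $_.Name })
if ($NonCompliant.Count -gt 0) {
    Write-Host "Missing or drifted VPN profiles: $($NonCompliant -join ', ')"
    exit 1
}
Write-Host "All $($Profiles.Count) VPN profiles present and correct"
exit 0
```

Because the remediation copy re-runs the same check after writing, a device whose registry cannot be written (for example a 32-bit host or a permissions problem) reports as failed instead of silently succeeding, which is the outcome you want to see in the proactive remediation report.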

This script package should now be added as a proactive remediation package under Microsoft Endpoint Manager. Assign the package to the same group of computers as the FortiClient installation and set an appropriate schedule.

As soon as the remediation script runs on your Windows devices, FortiClient gets updated with the assigned VPN profiles.

Complementary information

You can find a routine from Alex Durrant at letsconfigmgr.com describing a complete routine that deploys FortiClient VPN and the profiles in one run. This has been tested and is a good routine! If, however, you have followed the documentation from Fortinet Document Library, or you need to change or add VPN profiles, you need my proactive remediation routine to automate the VPN profiles for your environment.


2 comments:

  1. A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post.
