Deploying FortiClient VPN with Active Directory
Part of the PC build that I recently blogged about involved making sure that, if Boris instigates another lockdown, the call centre agents could just pick their PC and take it home to carry on working. The PCs that are being rolled out are small formfactor Dell mini-PCs which come with built in wireless, so pretty much perfect.
Obviously there will need to be connectivity back to our core network, so a pre-configured VPN client for each campaign was a must. We use Fortinet units for our firewall, so I needed a way to easily deploy the FortiClient VPN software. Fortinet does provide the client as a MSI file (behind their login wall), but it's the full-fat client that A) needs a license, and B) has more than the bare minimum and I wouldn't want to confuse our users... With this in mind I've had to cobble together a solution which I now seem to have working quite nicely.
Acquiring The Package
The first hurdle is getting hold of an MSI package for the VPN only client. First you need to download the EXE from here and start the installation. When you get to the "Welcome to the FortiClient VPN Setup Wizard" hold off with further clicking.
Open up a file explorer and go to C:\ProgramData\Applications\Cache\{GUID}\WhateverVersionOfFortiClient\ and copy FortiClientVPN.MSI to your deployment location of choice.
Finish up the install as we're going to use this to create the config file.
Build Your Config File
Once you have the software installed you'll need to setup and test your VPN tunnel. If you're happy that it works then we can move on to exporting that config.
Fire up an administrator command prompt and navigate to C:\Program Files\Fortinet\FortiClient. The tool we need should be in here and is called FCConfig.exe. You'll need to run:
FCConfig -m all -f <filename> -o export -i 1 -p <encrypted password>
Provided there aren't any issues you should now have a config file for your desired tunnel profile.
Deploying With AD
The final part of this is actually pushing your software and config out to your clients. I've done this by using a batch script, the above MSI, and Group Policy. You'll need to put your MSI, script, and config files somewhere where they can be deployed from. We tend to use the NETLOGON folder.
The script is:
C:\Program Files\Fortinet\FortiClient\FCConfig.exe -m vpn -f \\path\to\your\deployment\share\<filename> -o exportvpn -i 1 -p <encrypted password>
Save this as SomethingSensible.bat. Once this is done you can open up your Group Policy management console, create yourself a GPO, and open it up for editing.
For the MSI you'll need to navigate to Computer Configuration>Policies>Software Settings>Software Installation. From here you can add and assign the MSI.
For the script you need Computer Configuration>Policies>Windows Settings> Scripts (Startup/Shutdown)>Startup. Add the script you created above and then close your dialogue boxes.
Now you can test by applying the GPO to a test OU and trying it out on a couple of machines. Once the software is installed you should test that the config works by connecting to your VPN. You won't be able to do this from inside your network, you'll need to either take a machine elsewhere or tether to your phone.
If you have any issues with the deployment I would suggest starting your troubleshooting with checking permissions on your deployment share and checking the file paths in your batch script.
I hope someone finds this useful and saves themselves the headache of trawling through Google as I've had to!