Fortinet Version 4.0 MR1, FortiClient Endpoint Security 4.0 MR1 Administration Manual

FortiClient Endpoint Security
Version 4.0 MR1
Administration Guide
04-40001-99556-20090626
© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.
Contents
Introduction
About FortiClient Endpoint Security
System requirements
Supported FortiGate models and FortiOS versions
Language Support
About this Guide
Documentation
Fortinet Tools and Documentation CD
Fortinet Knowledge Center
Contact Fortinet technical documentation
Customer service and technical support
Installation
Overview
FortiClient software packages
Windows executable (.exe) installer
MSI installer
Installation notes
Standard FortiClient Installation
Single-user installation
Multiple-user installation
Custom Installer Packages
Overview
Creating a customized installer using FCRepackager
Creating the MST file with no command line parameters
Creating the sample installation
Performing additional customizations
Creating the custom MSI installation file
Customizing the FortiClient application for enterprise licensing
Deploying the customized FortiClient application
Transferring customizations to later versions of FortiClient
Customizing the installer using an MSI editor
Creating a FortiClient custom installation
Suppressing Features
Sample command lines
Specifying install log file
Language transforms
Specifying multiple transforms on the command line
Deploying the Customized Installation
Endpoint NAC (FortiGate) distribution
Active Directory installation
Shared folder installation
Managing FortiClient with FortiManager
Enabling Remote Management with FortiManager
Advanced Scenarios
Installing FortiClient as part of a cloned disk image
Installing FortiClient on cloned computers
Installing FortiClient on Citrix servers
Configuring AntiLeak for FortiClient
FortiClient Licensing
Overview
Standard fixed licensing
Enterprise licensing
Configuring enterprise licenses
Creating enterprise client license keys
Deploying enterprise client license keys
Creating customized FortiClient installers
Corporate Security Policies
Overview
User view of security policy
Configuring a corporate security policy
Endpoint Network Access Control
Overview
Enforcing use of FortiClient software
Configuring FortiGuard Services
Setting the FortiClient version
Uploading the FortiClient installer to your FortiGate unit
Enabling Endpoint Control
Creating Endpoint Control profiles
Creating an Application Detection List
Applying an Endpoint Control profile to a firewall policy
Monitoring Endpoints
Creating FortiClient VPNs
Overview
Configuring VPN connections using FortiClient
Configuring VPN connections on FortiGate units
About split tunneling
Configuring VPN connections using FortiManager
Configuring VPN connections using custom installations
Configuring the FortiGate gateway as a policy server
Per-User Web Filtering
Overview
Web filtering on Windows networks
Web filtering for remote users
Configuring web filtering
Managing FortiClient computers
Defining web filter profiles
Configuring LDAP settings
Assigning web filter profiles
Configuring VPNs without FortiClient Endpoint Security
Overview
Using the FortiClient VPN Editor
Importing VPN tunnel settings
Configuring VPN tunnel settings
Configuring certificates for FortiClient VPN
Exporting configurations to the FortiClient VPN installer
Using the FortiClient API
Overview
Controlling a VPN
Linking to the COM library
Retrieving a list of VPN connection names
Opening the VPN tunnel
Responding to XAuth requests
Monitoring the connection
Setting and monitoring a security policy
Setting a security policy
Reading a security policy
Monitoring policy compliance
Making the FortiClient application comply with the policy
API reference
Appendix A: Installer Public Properties
Index
Introduction
This chapter introduces you to FortiClient Endpoint Security software and the following topics:
About FortiClient Endpoint Security
Documentation
Customer service and technical support
About FortiClient Endpoint Security
FortiClient Endpoint Security is a unified security agent for Windows computers that integrates personal firewall, IPSec VPN, antivirus, anti-spyware, anti-spam and web content filtering into a single software package.
With the FortiClient application, you can:
create VPN connections to remote networks including SSL VPN connections,
scan your computer for viruses,
configure real-time protection against viruses and unauthorized modification of the Windows registry,
restrict access to your system and applications by setting up firewall policies,
apply Endpoint Network Application Control (NAC) to monitor and control applications running on endpoints,
use WAN Optimization to improve the efficiency of communication across the WAN,
configure web filtering to process all web content against known malicious URLs to block inappropriate material and malicious scripts including Java applets, cookies, and ActiveX scripts entering the network,
filter incoming email on your Microsoft Outlook® and Microsoft Outlook® Express to collect spam automatically,
use the remote management function provided by the FortiManager System.
System requirements
To install FortiClient 4.1 you need:
A PC-compatible computer with Pentium processor or equivalent
Compatible operating system and minimum RAM:
Microsoft Windows 2000: 128 MB
Microsoft Windows XP 32-bit and 64-bit: 256 MB
Microsoft Windows Server 2003 32-bit and 64-bit: 384 MB
Microsoft Windows Vista: 512 MB
Microsoft Windows 7: 512 MB
a compatible email application for the AntiSpam feature:
Microsoft Outlook 2000 or later
Microsoft Outlook Express 2000 or later
a compatible email application for the AntiLeak feature:
Microsoft Outlook 2000 or later
100 MB hard disk space
Native Microsoft TCP/IP communications protocol
Native Microsoft PPP dialer for dial-up connections
an Ethernet connection
Note: The FortiClient software installs a virtual network adapter.
Supported FortiGate models and FortiOS versions
The FortiClient software supports all FortiGate models running FortiOS version 2.36, 2.5, 2.8, 3.0 and 4.0.
Language Support
The FortiClient Endpoint Security user interface and documentation are localized for:
English
French
Simplified Chinese
Japanese
Korean
The FortiClient installation software detects which code page the computer is using and installs the matching language version. If any language other than the above is detected, the English version of the software is installed.
About this Guide
This Administration Guide contains the following chapters:
Installation describes several types of FortiClient installation beyond the simple end-user installations described in the FortiClient Endpoint Security User Guide.
Custom Installer Packages describes how to create a customized installation package to deploy to users in an organization. The customized installation can include enabling centralized management by a FortiManager server.
Corporate Security Policies describes how you can require users to comply with a security policy to use VPN tunnels. The policy can require users to enable firewall, real-time antivirus protection, web filtering or antispam.
FortiClient Licensing describes how to manage enterprise licensing of FortiClient computers, using either a volume license or a re-distributable license.
Enforcing use of FortiClient describes how to enforce use of FortiClient Endpoint Security using a FortiGate unit that can check hosts for the presence of FortiClient Endpoint Security.
Creating FortiClient VPNs describes how to configure VPNs on FortiGate units to work with the VPN client feature of FortiClient Endpoint Security.
Configuring VPNs without FortiClient Endpoint Security describes how to configure FortiClient VPN, a light VPN client that you can distribute to users who do not have FortiClient Endpoint Security.
Using the FortiClient API describes the COM-based FortiClient API.
Per-User Web Filtering describes how to deploy the FortiClient application to perform web filtering customized for each user on a Microsoft Windows network. For larger deployments, a FortiManager system is used to manage web filter profiles.
Documentation
This manual, the FortiClient Endpoint Security Administration Guide, provides information about deploying the FortiClient application in your organization.
The FortiClient Endpoint Security User Guide and the FortiClient online help provide information and procedures for using and configuring the FortiClient software.
Information about FortiGate Antivirus Firewalls is available from the FortiGate online help and the FortiGate Administration Guide.
Fortinet Tools and Documentation CD
All Fortinet documentation is available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. (You do not receive this CD if you download the FortiClient application.) The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation visit the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kb.fortinet.com.
Contact Fortinet technical documentation
You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
Installation
This chapter describes how to install FortiClient.
This chapter contains the following sections:
Overview
FortiClient software packages
Standard FortiClient Installation
Overview
You can install FortiClient directly from the Fortinet Web site or from a custom location, such as your network.
FortiClient software packages
Fortinet provides different installation packages for FortiClient software. The two main types of default installation packages for FortiClient software are:
a Windows executable (.exe) file
a .zip file (compressed archive) containing a Microsoft Installer (MSI) package, language transform files and the FCRepackager tool
The 64-bit versions of these files have “_x64” in the name. If you are running 64-bit Windows, you must use a 64-bit installation package.
Windows executable (.exe) installer
The Windows executable (.exe) installer provides easy installation on a single computer by the end user. Any existing FortiClient installation on the computer is upgraded. The FortiClient Endpoint Security User Guide provides information about using these installers.
To install the FortiClient software - Windows executable installer
1 Double-click the FortiClient installer program file.
2 Follow the instructions on the screen, selecting Next to proceed through the installation options.
When the installation has completed, the FortiClient Configuration Wizard begins, unless you are upgrading an existing installation.
MSI installer
The MSI installer in the .zip file package is customizable for a larger roll-out to many computers in an organization. The customization procedures in this chapter use the .zip file package exclusively. You can deploy the customized MSI installer to your users and they can install it following the simple instructions in the FortiClient Endpoint Security User Guide. You can preconfigure all application settings, including the configuration for centralized management by a FortiManager system. For more information, see “Custom Installer Packages” on page 9.
You can upgrade an existing FortiClient installation by installing a newer version of the software. To upgrade using an MSI installer, you can double-click the MSI file or use the following command line:
msiexec /i FortiClient.msi
To install the FortiClient software - MSI installer
1 Extract the files from the FortiClient Setup .zip archive into a folder.
2 To perform a new installation or upgrade an existing installation, double-click the FortiClient.msi file.
3 Follow the instructions on the screen, selecting Next to proceed through the installation options.
When the installation has completed, the FortiClient Configuration Wizard begins, unless you are upgrading an existing installation.
Installation notes
These notes describe special conditions that apply to specific types of installations.
Installing on Windows Vista SP1 — Make sure that Windows is not installing updates while you install the FortiClient application. If Windows Update has run and it requested a reboot, be sure to reboot your computer before installing the FortiClient application.
Installing on servers — When installing FortiClient Endpoint Security on a server, follow the antivirus guidelines for other products installed on the server. You might need to exclude from antivirus scanning certain files and directories such as Exchange Server, SQL Server and other software with database back-ends.
Note: If FortiClient is directly installed on SQL or Exchange server, the AntiVirus > Server Protection window is disabled. To enable antivirus server protection, use the msi package with the public property WITHEXCHANGE=1. For example: msiexec /i forticlient.msi WITHEXCHANGE=1
Note: While Windows Server is supported, Fortinet does not recommend installing FortiClient onto Domain Controllers.
Installing from a drive created with subst — Installing from an MSI package does not work if the MSI file is located on a drive created with the subst command. You can do any of the following:
specify the real path to the file
move the MSI file to a location where this is not an issue
use the .exe installer instead, if possible
Standard FortiClient Installation
Single-user installation
Users can install the standard FortiClient application through methods such as downloading it from the FortiClient Web site or using a CD. For more information on installing FortiClient, see the FortiClient User Guide or QuickStart Guide.
Multiple-user installation
You can use the FortiGate’s Web Config to manage the version of FortiClient (endpoint control) running on multiple computers. See “Enforcing use of FortiClient software” on page 29 for more information.
Custom Installer Packages
This chapter describes how to create a custom MSI package for FortiClient Endpoint Security that you can deploy to your users. The customized installation can include the necessary configuration for central management by a FortiManager system.
This chapter contains the following sections:
Overview
Creating a customized installer using FCRepackager
Customizing the installer using an MSI editor
Deploying the Customized Installation
Managing FortiClient with FortiManager
Advanced Scenarios
Overview
This chapter describes two methods of producing a custom MSI installer: using FCRepackager and using the MSI editor. The FCRepackager tool is included in the FortiClientTools.zip file and is the recommended method to use.
With both types of customized installation, you can:
set which features are installed
include the FortiClient license key
enable or disable the installation wizard
enable or disable update scheduling
set update schedule randomly on install
enable or disable upgrade of existing installation
enable management by a FortiManager system and set the FortiClient Manager lockdown password
You can simply give your users the customized package to install. It works the same way as the standard installer provided by Fortinet. There are several other ways to distribute the customized installer, including a network installer image, Windows Active Directory server or the FortiClient host check feature on some FortiGate units. These are described in the “Installation” chapter.
Creating a customized installer using FCRepackager
FCRepackager is designed to speed up the creation of customized FortiClient installation packages. This tool will create a Microsoft Transform (MST) file from the current FortiClient installation settings. The current settings can be packed into an MST file by running the FCRepackager with no command line parameters.
Optionally, you can write the current installation settings into a FortiClient.msi file, so that end-users do not need to use the command line to incorporate MST files. To create a custom msi file, see “Creating the custom MSI installation file” on page 12.
Using the FCRepackager tool, you can create a custom installation package in a few steps:
1 Configure FortiClient. FortiClient must be installed and configured with the settings that you want installed on the end-user computers.
2 Create a custom installation package using either FCRepackager or an MSI editor. The FCRepackager application is easier to use.
3 Install the customized FortiClient application on your users’ computers. With the proper administrative permissions, users can even do this themselves.
Creating the MST file with no command line parameters
In order to create an mst file, you need to use the FCRepackager tool. The FCRepackager tool can be extracted from the FortiClientTools.zip file. The FortiClientTools.zip file can be downloaded from the Fortinet Support Web site.
You also need to have FortiClient installed and configured with your desired settings to create the custom mst file.
For more information and examples for creating a customized mst file using switches and switch parameters, see the FCRepackager_Readme.txt file that comes in the FortiClientTools.zip file.
To create the mst file with no command line parameters
1 Download the FortiClientTools.zip file from the Fortinet Support Web site and extract the files into a folder.
2 Ensure FortiClient is installed and configured with the desired settings. The mst file is created based on your current FortiClient settings.
3 Run the FCRepackager application. The FortiClient.mst file is automatically created in the same directory.
Creating the sample installation
You must create a sample installation on a computer running one of the supported operating systems. See “System requirements” on page 1. The computer should not already have the FortiClient application installed.
The ADMINMODE=1 option used in the following procedure enables you to make registry changes to your sample installation, which some customizations require. This option also permits modification of files in the FortiClient program directory, which normally only the FortiClient application can access. Do not use the ADMINMODE=1 option when you install the FortiClient application onto your users’ computers.
To perform the sample installation of the FortiClient software
1 Expand the FortiClient Endpoint Security installer .zip package into a new folder.
2 From the folder where you expanded the .zip package, install the FortiClient application using the following command line:
• if FortiClient applications will not be centrally managed
msiexec /i FortiClient.msi ADMINMODE=1
The FortiClient application wizard starts. Follow the wizard to install the features you require. Reboot the computer if the installer requests it. When the computer restarts, the FortiClient installation wizard continues.
3 Continue configuring the application. The wizard Advanced Setup option covers security zones, proxy settings, update settings and AV scan settings. These can also be configured later.
4 Configure the sample installation as you want the FortiClient application to be configured on your users’ computers.
5 Optionally, perform additional customizations as described in “Performing additional customizations” on page 11.
See the FortiClient Endpoint Security User Guide for information about configuring each of the FortiClient features.
Performing additional customizations
You can edit the registry to make additional customizations to your FortiClient installation.
Hiding the FortiTray
1 Using regedit or regedt32, edit the following key:
HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_FORTITRAY
2 Set the key value to 0.
Permitting fallback to public FDS servers
Managed FortiClient computers receive push updates for antivirus definitions. Mobile users might not always be able to connect to the FortiManager unit. Optionally, you can configure FortiClient to use the default public FDS servers when necessary.
To permit fallback use of public FDS servers
1 Using regedit or regedt32, create the following DWORD value:
HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_UPDATE\FallbackToDefault
2 Set the value to 1.
Disabling saving of VPN XAUTH passwords
This customization prevents users from saving their XAUTH passwords.
To disable saving of XAUTH passwords
1 Using regedit or regedt32, edit the following key:
HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_IKE\
2 Add the value DontRememberPassword as a DWORD under the key.
3 Set the value of DontRememberPassword to 1.
Disabling web filter rating of IP addresses
The FortiClient web filter requests ratings from the FortiGuard web filtering service for both the URL and the IP address. Optionally, you can disable the rating of IP addresses so that web sites are rated only by URL.
To disable rating of IP addresses
1 Using regedit or regedt32, edit the following key:
HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_WEBFILTER\
2 Add the value DontRateIP as a DWORD under the key.
3 Set the value of DontRateIP to 1.
Blocking all connections that have no firewall rule
By default, if there is no firewall rule for a particular network connection, the FortiClient application asks the user whether to allow the connection. For an enterprise deployment, you might prefer to block all connections except those that have a specific firewall rule to permit them.
To block all connections by default
1 Using regedit or regedt32, edit the following key:
HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_FCM\firewallbehavior
2 Set the key value to 0.
Changing the certificate key size
The default VPN certificate key size in FortiClient v4.0 is 2048 bits. You can change the size.
To change the certificate key size
1 Using regedit or regedt32, edit the following key:
HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_CERT\key_size
2 Set the key value to one of: 1 (1024 bits), 15 (1536 bits), 2 (2048 bits), 3 (3072 bits) or 4 (4096 bits).
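The registry customizations in this section can be verified on the sample installation before FCRepackager captures them. The following read-only PowerShell check is an added example, not part of the Fortinet guide or tools; it assumes that firewallbehavior and key_size are DWORD values under FA_FCM and FA_CERT, and the function names, the choice of expected values and the 2048-bit minimum are illustrative.

```powershell
# Read-only audit of the registry customizations described in this section.
# Run on the sample installation before running FCRepackager.
$Root = 'HKLM:\Software\Fortinet\FortiClient'

# Values this section sets. Edit the list to match the customizations you chose.
# Assumption: firewallbehavior and key_size are DWORD values under FA_FCM and
# FA_CERT, which is how the paths in the guide read.
$Baseline = @(
    @{ Key = 'FA_IKE';       Name = 'DontRememberPassword'; Expected = 1 }
    @{ Key = 'FA_FCM';       Name = 'firewallbehavior';     Expected = 0 }
    @{ Key = 'FA_UPDATE';    Name = 'FallbackToDefault';    Expected = 1 }
    @{ Key = 'FA_WEBFILTER'; Name = 'DontRateIP';           Expected = 1 }
)

# key_size codes and the bit lengths the guide lists for them.
$KeySizeBits = @{ 1 = 1024; 15 = 1536; 2 = 2048; 3 = 3072; 4 = 4096 }
$MinKeyBits  = 2048   # assumed policy floor (the guide's default size)

function Get-FcValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path (Join-Path $Root $Key) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-FcBaseline {
    foreach ($b in $Baseline) {
        $actual = Get-FcValue $b.Key $b.Name
        [pscustomobject]@{
            Setting  = "$($b.Key)\$($b.Name)"
            Expected = $b.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Pass     = ($actual -eq $b.Expected)
        }
    }
    # An unset key_size is treated as the 2048-bit default stated in the guide.
    $code = Get-FcValue 'FA_CERT' 'key_size'
    $bits = if ($null -eq $code) { 2048 } else { $KeySizeBits[[int]$code] }
    [pscustomobject]@{
        Setting  = 'FA_CERT\key_size'
        Expected = ">= $MinKeyBits bits"
        Actual   = if ($null -eq $bits) { "unknown code $code" } else { "$bits bits" }
        Pass     = ($null -ne $bits -and $bits -ge $MinKeyBits)
    }
}

Test-FcBaseline | Format-Table -AutoSize
```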
Creating the custom MSI installation file
With the sample application configured as you want for your users, you can create a custom MSI installer file for your customized FortiClient application.
1 Determine the command line options you need for your customized FortiClient installer from the following table.
Table 1: FCRepackager options
Option | Description
-k <license_key> | Specify license key (for standard fixed license or volume license from FDS, not for enterprise license)
-L <lockdown_password> | Lock down program for FortiManager. Specify the plain text password.
-s <start_hour>-<end_hour> | Set random AV update time between specified hours. The sample installation must contain an update schedule.
-i <feature1>[,<feature2>] ... | Specify which features can be installed. Features are: AV (Antivirus), VPN (Virtual Private Network), FW (Firewall), WF (Web filter), AS (Antispam), AL (AntiLeak). Note: feature names are case-sensitive. The resulting .msi file cannot be used for upgrades, only for new installations. If the -i option is not specified, all features are available for installation.
-z | Shrink the .msi file by removing files for unused features. Valid only when used with -m option.
Refer to the FCRepackager_Readme.txt file for more information about command line options.
2 In the folder where you expanded the installer .zip package, execute the following command line:
FCRepackager -m FortiClient.msi <options from step 1>
A new subdirectory is created, named transformed. It contains the new FortiClient.msi file.
Customizing the installer language
You can further modify your customized installer with one of the language .mst files provided in the installer .zip file. This must be done as a separate step from the customizations described previously. The language files are:
1033.mst = US English (default)
1036.mst = French
1041.mst = Japanese
2052.mst = Simplified Chinese
1028.mst = Traditional Chinese
For example, to change your customized installer language to French, execute the following command in the folder where you expanded the installer .zip package:
FCRepackager -t 1036.mst -m transformed\FortiClient.msi
Customizing the FortiClient application for enterprise licensing
If you use enterprise licensing for your FortiClient computers, your FortiClient installer needs specific additional customization. For more information, see “Enterprise licensing” on page 24.
Deploying the customized FortiClient application
You can distribute your new FortiClient.msi file to users. Users simply double-click the file to begin installation. On a Windows Advanced Server network, you can install the application on end users’ computers remotely. See “Active Directory installation” on page 17.
VPN certificates can be added to the customized installer. Use the FortiClientVPNEditor file located in the FortiClientVPNTools .zip file. It can be used to embed VPN tunnels into the FortiClient MSI file. See “Using the FortiClient VPN Editor” on page 47 for more information.
Transferring customizations to later versions of FortiClient
When a newer version of FortiClient Endpoint Security is released, your existing users can simply run the FortiClient installer and upgrade while keeping the customized settings. For new users, you will need to create a customized version of the new installer.
To customize the newer FortiClient installer, you do not need to repeat all of the customization steps described previously in this section. When you create your first customized FortiClient installer, you can also save your customizations to a transform (.mst) file. Simply run FCRepackager.exe again with no parameters. The output is a file named FortiClient.mst.
To modify the new FortiClient .msi installer with your saved customizations, use the following command:
FCRepackager -t FortiClient.mst -m FortiClient.msi
If the files are not in the current directory, you need to specify the path to them.
Caution: If you are using FortiClient version 4.0 or lower, the .mst files from those versions are incompatible with FortiClient v4.0 MR1 and above. Therefore, you cannot use the FCRepackager -t FortiClient.mst -m FortiClient.msi command.
Note: An MSI installation package can upgrade an existing installation only if it has the same name as the original installation package. If necessary, rename the upgrade installation package to match the file name of the previous customized FortiClient installation package you provided to your users.
Customizing the installer using an MSI editor
Use an MSI editor to create a custom FortiClient installation package. For example, you can use the MSI property LICENSE to include your license key. You can create and set this property in the property table, or you can specify it on the command line using the following command:
msiexec /i FortiClient.msi LICENSE=1234567890abc
Note that the installation will not abort if you specify an invalid license key. For a complete list of installer public properties that can be specified when installing FortiClient, see “Appendix A: Installer Public Properties”. The installer public properties can also be embedded into the MSI by using an MSI editing tool to make changes to the MSI’s property table.
It is recommended that you use this method only if you are familiar with the MSI editor and you only want to customize a few specific items. Do not edit the MSI file directly. Create a transform file that contains the configuration changes you require. The transform file is applied to the original MSI file at run time by the msiexec.exe executable file. Creating a transform file takes a bit more time than editing the MSI file directly; however, it will save you time in the long run because you can apply the same transform file to future FortiClient releases.
Caution: You must follow the editing rules described in this section. Ignoring these rules may result in a custom installation that cannot be upgraded or patched by future releases of FortiClient.
If possible, avoid modifying any other components. FortiClient sub-features do not support “Advertised” installations.
The following rules MUST be followed:
• Never delete a feature you do not need. If you do not need a feature, set the install level to 0.
• Never delete a component you do not need.
• Never move a component from one feature to another.
• Never modify the installation UI or installation execution order.
• Never rename ANY existing component or feature.
• Never change the component code of ANY existing component.
• Never change the PRODUCTCODE.
• Never change the UPGRADECODE.
• Never add new features to the root of the feature tree. If you really need to add a feature, add it as a sub-feature of an existing FortiClient feature. However, before you add a feature, question why you are adding a feature and what you are trying to accomplish.
Creating a FortiClient custom installation
Use an MSI editor and the original FortiClient MSI installation file for the following procedure. These instructions assume you know how to:
• use an MSI editor
• use the command line msiexec commands
• roll out an MSI based installation to your network.
Note: You do not need to edit the MSI to disable the wizard. When you perform a silent or reduced UI installation, the MSI automatically disables the FortiClient Wizard from executing after rebooting the computer.
To create and test a custom FortiClient installation
1 Make a copy of the FortiClient.msi file and rename the copy (i.e. “target.msi”).
2 Open “target.msi” with an MSI editor and add your modifications to it.
3 Save the changes you made to the “target.msi” file and close the file.
4 With your MSI editor, make a transform file (*.mst):
• The base package must be FortiClient.msi.
• The target package must be target.msi.
• Give the .mst file a suitable name. We suggest you include the version of FortiClient that was used to create the transform. For example, custom_4.0.mst.
5 Test the installation by installing the baseline package with the transform onto a single computer. Use the following command:
msiexec /i <path to package>FortiClient.msi TRANSFORMS=custom_4.0.mst /L*v c:\log.txt
where <path to package> is the path to your package if not in the current directory.
There are no spaces in TRANSFORMS=custom_4.0.mst. There is a space between TRANSFORMS=custom_4.0.mst and /L*v c:\log.txt.
If there are any errors during installation, the log file is an invaluable source of information.
6 Test FortiClient to make sure the modifications you made are present and correct. If there are any mistakes, use your editor to make changes to the .mst file.
7 Test uninstalling the FortiClient software. It is critical that you do this before you roll out FortiClient to your network. The uninstall must complete without an error or rollback occurring.
8 Roll out your custom FortiClient installation specifying the transform file.
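The log checks for steps 5 and 7, as an added PowerShell example that is not part of the Fortinet guide: it scans a verbose msiexec log for the standard Windows Installer markers of a failed action, a rollback and the final status. The function name Test-MsiLog, the sample log lines (constructed) and the c:\uninstall_log.txt path are assumptions.

```powershell
function Test-MsiLog {
    param([Parameter(Mandatory = $true)][string]$Path)

    $lines = @(Get-Content -LiteralPath $Path)
    # A failed action is logged as "... Return value 3."
    $failed   = @($lines | Where-Object { $_ -match 'Return value 3\.' })
    # Rollback progress is logged as "Rolling back action:"
    $rollback = @($lines | Where-Object { $_ -match 'Rolling back action' })
    # The last status line carries the overall result (0 = success).
    $status = $null
    foreach ($line in $lines) {
        if ($line -match '(Installation|Removal) success or error status: (\d+)') {
            $status = [int]$Matches[2]
        }
    }
    [pscustomobject]@{
        Log           = $Path
        FailedActions = $failed.Count
        RollbackSeen  = ($rollback.Count -gt 0)
        FinalStatus   = $status
        Pass          = ($failed.Count -eq 0 -and $rollback.Count -eq 0 -and $status -eq 0)
    }
}

# Constructed sample: abbreviated lines in the style of a failed verbose log.
$sample = @'
Action start 10:02:09: InstallFinalize.
Action ended 10:02:11: InstallFinalize. Return value 3.
Action 10:02:11: Rollback. Rolling back action:
MSI (s) (A4:1C) [10:02:15:000]: Product: FortiClient -- Installation failed.
MSI (s) (A4:1C) [10:02:15:000]: Windows Installer installed the product. Product Name: FortiClient. Installation success or error status: 1603.
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'fc_install_sample.log'
Set-Content -LiteralPath $tmp -Value $sample
Test-MsiLog -Path $tmp

# Logs from the test install and the test uninstall (paths are examples).
foreach ($log in 'c:\log.txt', 'c:\uninstall_log.txt') {
    if (Test-Path -LiteralPath $log) { Test-MsiLog -Path $log }
}
```

A log that passes this scan still needs the functional test in step 6; the scan only confirms that Windows Installer reported no failed action or rollback.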
Suppressing Features
To suppress FortiClient features from installing, create a transform which sets the Install Level of the feature to 0 (zero).
Sample command lines
Install FortiClient
msiexec /i <folder of FortiClient.msi>\FortiClient.msi FMGRENABLED=1 FMGRTRUSTEDIPS=<FortiClientManager IP>
Upgrade FortiClient
msiexec /i <folder of FortiClient.msi>\FortiClient.msi FMGRENABLED=1 FMGRTRUSTEDIPS=<FortiClientManager IP> REINSTALL=ALL REINSTALLMODE=vomus
Install FortiClient on a computer which is behind a NAT device
msiexec /i <folder of FortiClient.msi>\FortiClient.msi FMGRENABLED=1 FMGRIP=<FortiClientManager IP> FMGRENABLEDISCOVER=1
Upgrade FortiClient on a computer which is behind a NAT device
msiexec /i <folder of FortiClient.msi>\FortiClient.msi FMGRENABLED=1 FMGRIP=<FortiClientManager IP> REINSTALL=ALL REINSTALLMODE=vomus FMGRENABLEDISCOVER=1
Specifying install log file
When installing using the MSI file, the install does not create the install log automatically. For an MSI installation to produce a log, add the following option to the command line:
/L*v <filepath>
For example:
msiexec /i FortiClient.msi /L*v %temp%\logfile.txt
Alternatively, you can install the appropriate logging Active Directory group policies.
Language transforms
The MST files that ship with the baseline FortiClient package are the English, Japanese and Simplified Chinese language transforms for the installer user interface:
1033.mst = US English
1041.mst = Japanese
2052.mst = Simplified Chinese
1028.mst = Traditional Chinese
Specifying multiple transforms on the command line
You can specify multiple transforms on the command line. Separate each transform with a semicolon. For example:
msiexec /i <path to package>FortiClient.msi TRANSFORMS=custom4.0.mst;2052.mst
Deploying the Customized Installation
Endpoint NAC (FortiGate) distribution
You can use the FortiGate’s Web Config to manage the version of FortiClient (endpoint control) running on multiple computers. See “Enforcing use of FortiClient software” on page 29 for more information.
You can also update the FTP/HTTP replacement message on the FortiGate so that the location of the custom installer on your network is shown in the message. Go to System > Config to edit the replacement messages. See the FortiGate Administration Guide for more information on replacement messages.