Appendix A – Deployment Scenarios
Basic FortiClient profile
In this scenario, you want to configure a FortiClient profile by using the FortiGate GUI. When clients connect FortiClient Telemetry to FortiGate, they will receive the settings configured in the FortiClient profile. You can configure the default profile, or create a new profile. When creating a new profile, you have additional options to specify device groups, user groups, and users.
Create a basic FortiClient profile:
- In the FortiGate GUI, go to Security Profiles > FortiClient Profiles. You can either select the default FortiClient profile or select Create New in the toolbar. The Edit Endpoint Profile page opens.
The default FortiClient profile does not include the Assign Profile To setting.
- Set the profile settings as required, and click OK.
Advanced FortiClient profile
In this scenario, you have created a custom XML configuration file. The custom file includes all settings required by the client at the time of deployment. When FortiClient connects Telemetry to FortiGate or EMS, you want to ensure that the client receives the full XML configuration. For future configuration changes, you can edit the XML in the profile by using EMS.
To reduce the size of the FortiClient XML configuration file, you can delete all help text found within the <!-- ... --> comment tags.
Create an advanced FortiClient profile with the full XML configuration provisioned:
- In EMS, go to Endpoint Profiles > Add a new profile.
- Select Advanced.
- (Optional) On the Install tab, select a FortiClient installer.
- On the Configuration tab, overwrite the XML by pasting the XML from your custom XML configuration file into the pane.
- Open the FortiClient XML configuration file in a source code editor.
- Copy the FortiClient XML.
- Paste the FortiClient XML into the Configuration tab.
- Click Save.
Use Active Directory Groups
Some organizations may choose to deploy different FortiClient profiles to different user groups. FortiGate and EMS are able to send different FortiClient profiles based on the AD group of the user. This requires use of the FortiAuthenticator.
No special configuration is required on FortiClient.
Monitor connected users
Administrators can monitor managed FortiClient users. When the client successfully connects FortiClient Telemetry to the FortiGate/EMS, the client can be monitored on the FortiGate/EMS.
In the FortiGate GUI, all connected clients can be observed on the Monitor > FortiClient Monitor page.
Either of the following FortiGate CLI commands will list all connected clients: diagnose endpoint registration list, or diagnose endpoint record-list.
In the EMS, connected clients can be observed on the Workgroups page.
Customize FortiClient using XML settings
FortiClient configurations can be customized at the XML level. For more information, see the FortiClient XML Reference.
Silent connection
You may want to configure FortiClient to silently connect to FortiGate without any user interaction. When configured, the user will not be prompted to connect to a FortiGate. The <silent_registration> tag is intended to be used with the <disable_unregister> tag. For more information, see Disable disconnect on page 124. The following XML elements can be used to enable this:
<forticlient_configuration>
    <endpoint_control>
        <silent_registration>1</silent_registration>
    </endpoint_control>
</forticlient_configuration>
Locked FortiClient settings
End-users with administrator permission on their Windows system have access to the FortiClient settings page. If this is not desired, it can be locked with a password from the FortiGate. The following FortiOS CLI configuration, when included, requires any client connected to the FortiGate to provide the password before it can access the settings page.
config endpoint-control profile
    edit "fmgr"
        config forticlient-winmac-settings
            ...
            set forticlient-settings-lock disable
            set forticlient-settings-lock-passwd <password>
            ...
        end
        ...
    next
end
Disable disconnect
With silent endpoint control connection enabled, a user could disconnect after FortiClient has connected to the FortiGate. The capability to disconnect can be disabled using the following XML element:
<forticlient_configuration>
    <endpoint_control>
        <disable_unregister>1</disable_unregister>
    </endpoint_control>
</forticlient_configuration>
Put it together
Here is a sample complete FortiClient 5.4.1 XML configuration file with the capabilities discussed above:
<forticlient_configuration>
    <partial_configuration>1</partial_configuration>
    <endpoint_control>
        <enabled>1</enabled>
        <disable_unregister>1</disable_unregister>
        <silent_registration>1</silent_registration>
        <fortigates>
            <fortigate>
                <serial_number />
                <name />
                <registration_password>un9r3Ak@b!e</registration_password>
                <addresses>newyork.example.com</addresses>
            </fortigate>
        </fortigates>
    </endpoint_control>
</forticlient_configuration>
The FortiGate that is connected to is listed in the <fortigates> element. The <registration_password> element is required if the endpoint control configuration on the FortiOS requires one. This can be exported as an encrypted file from a connected FortiClient.
The configuration provided above is not the full FortiClient configuration file. Thus, the <partial_configuration> element is set to 1.
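The following Python script is an added example, not part of the FortiClient guide or of Fortinet's own tooling. It covers two points from this appendix: stripping the help-text comments from a configuration file to reduce its size, and checking a partial endpoint-control configuration before it is pasted into an EMS profile (that <silent_registration> is paired with <disable_unregister>, that <partial_configuration> is set to 1, that each <fortigate> entry has an address, and that a clear-text <registration_password> is present so the file is handled as a secret). The sample XML, the host name and the password value are constructed placeholders; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): the same elements as the "Put it
# together" file above, with help-text comments and placeholder values.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <!-- help text: 1 = only the elements present in this file are applied -->
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <enabled>1</enabled>
    <!-- help text: 1 = the user cannot disconnect Telemetry -->
    <disable_unregister>1</disable_unregister>
    <silent_registration>1</silent_registration>
    <fortigates>
      <fortigate>
        <serial_number />
        <name />
        <registration_password>PLACEHOLDER-PASSWORD</registration_password>
        <addresses>fortigate.example.invalid</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
"""


def strip_comments(xml_text: str) -> str:
    """Return the XML with all <!-- ... --> help text removed.

    ElementTree's default parser discards comment nodes, so parsing and
    re-serialising is enough; element order and values are preserved.
    """
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


def build_partial_config(addresses: str, registration_password: str = "",
                         silent: bool = True,
                         disable_unregister: bool = True) -> str:
    """Build a partial endpoint-control configuration like the one in the appendix."""
    root = ET.Element("forticlient_configuration")
    ET.SubElement(root, "partial_configuration").text = "1"
    ec = ET.SubElement(root, "endpoint_control")
    ET.SubElement(ec, "enabled").text = "1"
    ET.SubElement(ec, "disable_unregister").text = "1" if disable_unregister else "0"
    ET.SubElement(ec, "silent_registration").text = "1" if silent else "0"
    fgt = ET.SubElement(ET.SubElement(ec, "fortigates"), "fortigate")
    ET.SubElement(fgt, "serial_number")
    ET.SubElement(fgt, "name")
    ET.SubElement(fgt, "registration_password").text = registration_password
    ET.SubElement(fgt, "addresses").text = addresses
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def audit_endpoint_control(xml_text: str) -> list:
    """Return a list of findings (empty when the file looks consistent)."""
    root = ET.fromstring(xml_text)
    findings = []

    def is_on(path: str) -> bool:
        el = root.find(path)
        return el is not None and (el.text or "").strip() == "1"

    if root.find("endpoint_control") is None:
        return ["no <endpoint_control> element present"]
    # The guide says silent_registration is intended to be used with
    # disable_unregister; on its own, the user can still disconnect.
    if is_on("endpoint_control/silent_registration") and not is_on("endpoint_control/disable_unregister"):
        findings.append("silent_registration=1 without disable_unregister=1: "
                        "the user can still disconnect Telemetry")
    if not is_on("partial_configuration"):
        findings.append("partial_configuration is not 1; the appendix sets it "
                        "to 1 for files that are not a full configuration")
    for fgt in root.iterfind("endpoint_control/fortigates/fortigate"):
        if not (fgt.findtext("addresses") or "").strip():
            findings.append("fortigate entry has no <addresses> value")
        if fgt.findtext("registration_password"):
            findings.append("registration_password is stored in clear text; "
                            "treat this file as a secret")
    return findings


if __name__ == "__main__":
    print(strip_comments(SAMPLE_XML))
    for finding in audit_endpoint_control(SAMPLE_XML):
        print("finding:", finding)
```

Run the script on a file copied from EMS or a source-code editor before pasting it into the Configuration tab; the audit is a consistency check against the elements this appendix documents, not a validation of the full FortiClient schema.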