Release Notes V4.0.2 04-402-97628-20010402 FortiClient Endpoint Security System

Table of Contents

1 FortiClient Endpoint Security v4.0.2
  1.1 Language Support
  1.2 License
  1.3 System Requirements
  1.4 Supported Operating Systems
2 Special Notices
3 Upgrade Information
  3.1 Exporting VPN Policies for Backup Purposes
  3.2 Upgrade Instructions
  3.3 Importing VPN Policies
  3.4 Remote/Silent Installations
4 Resolved Issues
5 Known Issues for v4.0.2
6 Image Checksums
7 Appendix A: FortiClient Custom Installations
  7.1 General Guidelines
  7.2 How to create a FortiClient custom installation
  7.3 Customizing to Prevent Features from Installing
  7.4 Adding a license key
  7.5 Disabling VPN XAuth password saving
  7.6 Disabling rating of IP addresses in Web-Filtering
  7.7 Enabling Remote Management
  7.8 Locking Down the User Interface
  7.9 Language transforms
  7.10 Specifying multiple transforms on the command line
  7.11 Disabling FortiProxy self-test
  7.12 Disabling SMTP Client Comforting
  7.13 Download Small AV Signature Database
  7.14 Hide WAN Optimization Customization GUI
8 Appendix B: Typical Setup for Centralized Management
  8.1 Communication mechanism between FortiClient and FortiManager
  8.2 Firewall behavior on FortiClient
  8.3 Customize FortiClient installation package
  8.4 FortiClient partitioning and multiple FortiManager setup


Change Log

Date Change Description

25/05/09 Initial Release.

© Copyright 2009 Fortinet Inc. All rights reserved.
Release Notes FortiClient™ v4.0.2 (Build 4.0.2.0057)

Trademarks

Copyright© 2009 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.

Support will be provided to customers who have purchased a valid support contract. All registered customers with valid support contracts may enter their support tickets via the support site: https://support.fortinet.com


Release Notes FortiClient™ v4.0.2

May 26, 2009

1 FortiClient Endpoint Security v4.0.2

This document describes the new features of the FortiClient Endpoint Security v4.0.2 software and provides additional information on upgrading, installation, and custom installations using MSI transforms. FortiClient Endpoint Security v4.0.2 also contains many enhancements and bug fixes.

FortiClient Endpoint Security v4.0.2 is also known as v4.0.2.0057. The officially supported FortiManager is v4.0.

There are two kinds of installer files: one for 32-bit Windows, and one for 64-bit Windows that has a trailing _x64 in the file name. You CANNOT install 32-bit FortiClient on 64-bit Windows, or vice versa.

Notes: To enable centralized management in FortiClient Endpoint Security v4.0.2, a custom installation must be applied. Refer to Appendix A for details. For the typical setup of centralized FortiClient management in different network environments, refer to Appendix B.

1.1 Language Support

FortiClient Endpoint Security v4.0.2 is localized for English, Chinese (Simplified and Traditional), Japanese (GUI only), Korean (GUI only), Slovak (GUI only) and French (GUI only).

FortiClient Endpoint Security v4.0.2 is tested on English, French, German, Spanish, Italian, Russian, Brazilian Portuguese, Japanese, Korean and Chinese (Simplified and Traditional) OS versions.

1.2 License

FortiClient Endpoint Security v4.0.2 includes 90 days of free Anti-Virus (AV) updates, Web-Filtering and Anti-Spam support starting from installation. A license key is required to take FortiClient out of evaluation mode. The license key format has not changed. A valid FortiClient v1.6, v2.0, v2.0 MR1 or v3.0 GA license key can be used with FortiClient Endpoint Security v4.0.

Note that reinstalling FortiClient Endpoint Security v4.0.2 will NOT give you another 90 days of free AV updates, Web-Filtering functionality or Anti-Spam functionality.

If no license key is entered, the following features are enabled:

• Personal firewall
• IPSec VPN
• 90 days of free AV updates
• 90 days of free Web-Filtering functionality
• 90 days of free Anti-Spam functionality

Access to ongoing AV updates, Web-Filtering and Anti-Spam is controlled by the FortiGuard servers and requires purchasing a FortiGuard service subscription.


To buy or renew a license key, contact your local Fortinet sales engineer, go to https://shop.fortinet.com, or visit http://www.fortinet.com/products/forticlient.html.

1.2.1 License Key and Serial Number

As of FortiClient v2.0/3.0, the FortiClient license serial number is displayed on the General > Status tab after the license key is entered. This allows users to easily provide their license serial number when communicating with the Fortinet Support teams.

As of FortiClient v3.0/4.0, the FortiClient license expiry date is displayed on the General > Status tab. This reminds users to renew the contract for the license key before it expires. If the license has expired, FortiClient will not be able to get the FortiGuard service updates, including AV, Web-Filtering and Anti-Spam.

To buy or renew a license key, contact your local Fortinet sales engineer, go to https://shop.fortinet.com, or visit http://www.fortinet.com/products/forticlient.html.

All registered customers with a valid license serial number may enter their support tickets via the support site: https://support.fortinet.com.

1.2.2 UID

As of FortiClient v2.0/3.0/4.0, a FortiGuard Unique Identifier (UID) is displayed on the Maintenance > Update tab. The UID is unique for each PC and customer. It is used to troubleshoot problems with the installed FortiClient and its FortiGuard subscription services.

1.3 System Requirements

FortiClient Endpoint Security v4.0.2 has the following system requirements:

• PC-compatible computer with Pentium processor or equivalent
• Compatible operating systems and minimum RAM:
    • Microsoft Windows 2000™: 128 MB
    • Microsoft Windows XP™ 32-bit: 256 MB
    • Microsoft Windows XP™ 64-bit: 256 MB
    • Microsoft Windows Server™ 2003 32-bit: 384 MB
    • Microsoft Windows Server™ 2003 64-bit: 384 MB
    • Microsoft Windows Server 2008 32-bit: 512 MB
    • Microsoft Windows Server 2008 64-bit: 512 MB
    • Microsoft Windows Vista™ 32-bit: 512 MB
    • Microsoft Windows Vista™ 64-bit: 512 MB
• 100 MB free hard disk space
• Native Microsoft TCP/IP communications protocol
• Native Microsoft PPP dialer for dial-up connections
• Ethernet for network connections
• Microsoft Internet Explorer™ 5.0 or later
• Adobe Acrobat™ Reader 5.0 or later for user manual
• MSI installer 3.0 or later


1.4 Supported Operating Systems

FortiClient Endpoint Security v4.0.2 supports the following operating systems:

• Microsoft Windows 2000 Professional
• Microsoft Windows XP including SP2 and SP3 (both 32-bit and 64-bit)
• Microsoft Windows Server 2003 including SP1 and SP2 (both 32-bit and 64-bit)
• Microsoft Windows Server 2003 R2 including SP2 (both 32-bit and 64-bit)
• Microsoft Windows Server 2008 including SP2 (both 32-bit and 64-bit)
• Microsoft Windows Vista including SP1 and SP2 (both 32-bit and 64-bit)

2 Special Notices

3 Upgrade Information

The FortiClient installation package is available in two formats: an executable installation file and a zipped MSI installation file. For details on creating custom installations using MSI transforms, see Appendix A.

FortiClient Endpoint Security v4.0.2 includes an improved upgrade process. FortiClient Endpoint Security v4.0.2 will automatically upgrade previous FortiClient versions. The upgrade process will also delete any incompatible AV signature files as part of the automatic uninstall. The user can choose to keep any existing configuration data. This change in the upgrade process means that it is no longer necessary to manually uninstall old versions of FortiClient before installing v4.0.2.

If you have installed v2.0 or v2.0 MR1 with only the VPN component, the v4.0 installer will add the new Anti-Spam feature. If you do not want this, you can make a custom installer. See Appendix A for details.

If you encounter problems during upgrading, the workaround is to manually uninstall the previous versions of FortiClient before installing v4.0. If you are upgrading from v1.6 or previous versions, do a complete uninstall before a fresh install of v4.0.

If you want to keep your current configuration information, you may need to reconfigure the firewall application list immediately after upgrading (if you had been using the personal firewall component). The default policy setting for handling other inbound traffic from the public zone changed from DROP, in v1.2 GA and MR2, to ALLOW in v1.2 MR2 or later. You should review the firewall policies after the upgrade. This is not an issue for new installations or clean upgrades where the configuration information was deleted during the uninstall.

The FortiClient v4.0 configuration wizard offers you the choice to perform a basic or advanced setup. If you choose the basic setup option, the wizard will prompt you for the update server settings. If you choose the advanced setup option, the wizard will prompt you for trusted and public zone Internet addresses, the proxy server settings and update server settings. All other configuration options are set to default by the wizard and can be modified once the installation is complete.

Note:

(1) The personal firewall is enabled and the security level set to Normal by default. After installation, you may need to configure the firewall applications and network settings to allow your normal traffic patterns to resume with the firewall enabled. If you are installing on Windows XP, FortiClient will disable the XP firewall as part of the installation.

(2) If a FortiClient v2.0 MR1 (build 2.0.148) or previous version has been installed on Windows 2003 Server, you MUST uninstall that version first before installing FortiClient v4.0.

(3) If any interim build of FortiClient has been installed on your PC, it is recommended to uninstall that version first before installing FortiClient v4.0.

(4) For deployments managed using FortiManager, please note that in FortiManager v4.0 and FortiClient v4.0, firewall configuration has been changed and is not backwards compatible with previous software releases. FortiManager v3.0 MR7 and earlier may still be used to manage FortiClient v4.0 with the exception of firewall configuration and new features. However, we recommend first upgrading to FortiManager v4.0 and then deploying FortiClient v4.0 to all managed endpoints.

(5) As of FortiClient Endpoint Security v4.0, the AntiLeak feature is not available in the installer, so a clean install of FortiClient v4.0 will not have the AntiLeak component. However, when upgrading to FortiClient v4.0 from a previous version that has the AntiLeak component, FortiClient will keep and update it.

3.1 Exporting VPN Policies for Backup Purposes

FortiClient VPN policies can be exported for backup purposes or to transfer to another computer.

To export a FortiClient v1.0 VPN configuration:

1. On the Windows Start menu, select Run.
2. Type "regedit" and press Enter.
3. In the Registry Editor, open the Registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPSec
4. On the Registry menu, select File -> Export.
5. Save the Registry file.

To export a FortiClient v1.2 or later VPN configuration:

1. On the FortiClient VPN Connections tab, select Advanced -> Export.
2. Save the .vpl file.


3.2 Upgrade Instructions

The FortiClient v4.0 installer allows you to choose which FortiClient components to install. You can choose from the VPN, AV, Firewall, Web-Filtering and Anti-Spam components. The management console, update and log components are always installed and are not displayed as selectable components.

To upgrade FortiClient v1.0 to v4.0.2:

1. Back up the VPN policies (optional).
2. Manually uninstall FortiClient v1.0.
3. Copy the FortiClient v4.0.2 software to your computer.
4. Run the FortiClient self-extracting install file.

To upgrade FortiClient v1.2, v1.6, v2.0, v3.0 or v4.0.0/v4.0.1 to v4.0.2:

1. Back up the VPN policies (optional).
2. Copy the FortiClient v4.0.2 software to your computer.
3. Run the FortiClient self-extracting install file.

Note: If you choose to use the MSI package for the upgrade, use the following command line. By default, launching the MSI file directly from Windows Explorer tells Microsoft Installer to install the software fresh, which will fail if you already have an old version installed.

    msiexec /i c:\FortiClient.msi REINSTALL=ALL REINSTALLMODE=vomus

3.3 Importing VPN Policies

To import a FortiClient v1.0 VPN configuration to FortiClient v4.0.2:

1. Copy the Registry backup file you created in Section 2.1 to the computer with the FortiClient v4.0.2 software installed.
2. Double-click the Registry backup file.
3. Restart the FortiClient Endpoint Security software.

To import a FortiClient v1.2, v1.6, v2.0, v3.0 or v4.0.0/v4.0.1 VPN configuration to v4.0.2:

1. Copy the .vpl file you created in Section 2.1 to the computer with the FortiClient v4.0.2 software installed.
2. In the FortiClient VPN Connections tab, select Advanced -> Import.
3. Select the .vpl file.
4. Select Open to import the configuration.


3.4 Remote/Silent Installations

3.4.1 Active Directory

FortiClient v1.2 MR2 or later supports group policy installation via a Microsoft Active Directory Server domain controller. The following is a general description of how to deploy the FortiClient software to remote computers using Active Directory. For complete details, refer to the Active Directory manuals or online help.

To complete this procedure, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

1. Unzip the FortiClient MSI installation file to a shared folder.
2. Open the Group Policy Object Editor.
3. Select Computer Configuration.
4. Select Software Settings.
5. Right-click Software Installation, select New, and then select Package.
6. Select the FortiClient MSI installation file and select Open.
7. In Deploy Software, select Assigned.

3.4.2 FortiManager

FortiClient v4.0 GA or later supports software upgrades from a FortiManager unit that has FortiManager v4.0 GA or later installed. When you have downloaded FortiClient software upgrades to the FortiManager unit, you can then deploy them to FortiClient PCs. The following is a general description of how to do that. For complete details, refer to the FortiManager System Administration Guide v4.0 GA.

1. In the FortiClient Manager, select Manage > Software Upgrade from the main menu.
2. Select the Deploy icon for the software upgrade that you want to deploy.
3. Select whether to deploy the software to groups or to individual FortiClient PCs. The options are:
   • Selected group(s)
   • Selected group(s) and child group(s)
   • Selected FortiClient PC(s)
4. Enable Select All or select the particular groups or PCs to receive the software upgrade.
5. Select Apply.

4 Resolved Issues

Description: Crash issue when validating license
Bug ID: 95973
Status: Fixed in v4.0.2.0057

Description: Fcrepackager: manual tunnels are not repackaged
Bug ID: 95825
Status: Fixed in v4.0.2.0057

Description: Installer: Webfilter and Antispam should be disabled by default
Bug ID: 96767
Status: Fixed in v4.0.2.0057

Description: FortiProxy: Increase HTTPS session timeout
Bug ID: 95670
Status: Fixed in v4.0.2.0057

Description: Fix random Endpoint Compliance check failure after session timeout
Bug ID: 93278
Status: Fixed in v4.0.2.0057

Description: FW: Remove firewall warning about vpcd
Bug ID: 95528
Status: Fixed in v4.0.2.0057

Description: FortiClient on Vista fails to scan removable media on insertion.
Bug ID: 95415
Status: Fixed in v4.0.2.0057

Description: UI: Fixes for VPN import/export when locked down
Bug ID: 95414
Status: Fixed in v4.0.2.0057

Description: Allow FQDN for proxy server
Bug ID: 93187
Status: Fixed in v4.0.2.0057

Description: Use native 64-bit shell function for folder browsing on 64-bit Windows
Bug ID: 82165
Status: Fixed in v4.0.2.0057

Description: Upgrade should preserve value of disable_reorder_vnic value
Bug ID: 76629
Status: Fixed in v4.0.2.0057

Description: FW: Unable to logon to desktop on Win2003 Server 64-bit
Bug ID: 95193
Status: Fixed in v4.0.2.0057

Description: Support DHCP addresses ended with .255
Bug ID: 94732
Status: Fixed in v4.0.2.0057

Description: Fixed av_task stack overflow vulnerability
Bug ID: 94978
Status: Fixed in v4.0.2.0057

Description: Fixed excessive GUI flickering when FortiClient starts up
Bug ID: 94823
Status: Fixed in v4.0.2.0057

Description: Installer: Do not delete the disableselftest value on upgrade
Bug ID: 94506
Status: Fixed in v4.0.2.0057

Description: Central management: FW protocol resync message uses wrong field name
Bug ID: 73077, 89517
Status: Fixed in v4.0.2.0057

5 Known Issues for v4.0.2

Description: Cannot uninstall FortiClient by using “Change” => “Remove” from the control panel.
Affected Platforms: Windows Vista
Bug ID: N/A
Status: Will be fixed in v4.1
Workaround: Use the “Uninstall” button directly.

Description: Anti-Spam does not work in Windows Mail, but it does work in Outlook.
Affected Platforms: Windows Vista
Bug ID: N/A
Status: N/A
Workaround: None

Description: Upgrading FortiClient from an old release with the MSI installer package may fail.
Affected Platforms: Windows Vista
Bug ID: N/A
Status: Will be fixed in v4.1
Workaround: To avoid upgrade failure, launch a Command Window with Administrator privilege and run the MSI installer in that window.

Description: One-time password (OTP) token with Automatic VPN configuration is not supported for the time being.
Affected Platforms: All Windows versions
Bug ID: N/A
Status: N/A
Workaround: None.

Description: Anti-Spam does not support Windows Mail on 64-bit Vista.
Affected Platforms: Vista 64-bit.
Bug ID: N/A
Status: N/A
Workaround: None.

Description: There could be software conflicts if FortiClient is installed with other security software.
Affected Platforms: All Windows versions.
Bug ID: N/A
Status: N/A
Workaround: Remove other security software completely before installing FortiClient.

Description: Some English strings still show on the GUI on localized versions.
Affected Platforms: All Windows versions.
Bug ID: N/A
Status: Will be fixed in later release
Workaround:

Description: FortiClient cannot be installed unless your Windows Installer is upgraded to version 3.0 or later.
Affected Platforms: Windows 2000, Windows XP.
Bug ID: N/A
Status: N/A
Workaround: Update Windows Installer to 3.0 through Windows Update or download it from the Microsoft web site.

Description: When FortiClient is deployed by a Windows domain server using a group policy, the Windows Firewall blocks communication through the FortiClient FortiProxy component.
Affected Platforms: Windows XP SP3 and later.
Bug ID: N/A
Status: N/A
Workaround: Disabling the Windows Firewall on the affected PC(s) or adding FortiProxy.exe to the firewall exception list on the domain controller will help to solve the issue.

Description: Installation may fail on Vista if Windows Update is running at the same time.
Affected Platforms: Vista.
Bug ID: N/A
Status: N/A
Workaround: Reboot Windows after the update and install FortiClient again.

6 Image Checksums

7 Appendix A: FortiClient Custom Installations

7.1 General Guidelines

FortiClient v1.6 or later versions use Microsoft Installer (MSI) technology. An MSI editor can be used to create a custom FortiClient installation package. The MSI file should not be edited directly. The recommended solution is to create a transform file that contains the configuration changes you need. The transform is applied to the original MSI file at runtime by msiexec. Creating a transform takes a bit more time than editing the MSI file directly, but it will save you time and trouble in the future since it should be possible to apply the same transform to future FortiClient releases.

Warning: You MUST follow the editing rules laid out in this section. Ignoring these rules may result in a custom installation that cannot be upgraded or patched by future releases of FortiClient.

The following components have been created specifically for modifying FortiClient installations. If possible, you should avoid modifying other components:

• REGISTRY_MST_FWSettings
• REGISTRY_MST_AVSettings
• REGISTRY_MST_VPNSettings
• REGISTRY_MST_WEBFILTERSettings
• REGISTRY_MST_ANTISPAMSettings

FortiClient sub-features do not support “Advertised” installations.

The following rules MUST be followed:

• NEVER delete a feature you do not need. If you don't need a feature, set the install level to 0.
• NEVER delete a component you do not need.
• NEVER move a component from one feature to another.
• NEVER modify the installation UI or installation execution order.
• NEVER rename ANY existing component or feature.
• NEVER change the component code of ANY existing component.
• NEVER change the PRODUCTCODE.
• NEVER change the UPGRADECODE.
• NEVER add new features to the root of the feature tree. If you really need to add a feature, add it as a sub-feature of an existing FortiClient feature. However, before you add a feature, question why you are adding a feature and what you are trying to accomplish.

7.2 How to create a FortiClient custom installation You will need an MSI editor and the original FortiClient MSI installation file. These instructions assume that you know how to use an MSI editor, how to use the command line msiexec commands, and how to roll out an MSI based installation to your network. Note: When you perform a silent or reduced UI installation, the MSI automatically disables the FortiClient Wizard from executing after rebooting the PC. You do not need to edit the MSI to disable the wizard. To create and test a custom FortiClient installation:

1. Make a copy of the FortiClient.msi file and rename the copy (i.e. “target.msi”). 2. Open “target.msi” with an MSI editor and add your modifications to it. 3. Save the changes you made to the “target.msi” file and close the file. 4. With your MSI editor, make a transform file (*.mst)

• The base package must be “FortiClient.msi” • The target package must be “target.msi” • Give the mst file a suitable name. We suggest you include the version of FortiClient that was used

to create the transform. i.e. “custom_3.0.128.mst”

5. Test the installation by installing the baseline package with the transform onto a single PC. Use the following command:

msiexec /i <path to package>FortiClient.msi TRANSFORMS=custom_3.0.128.mst /L*v c:\log.txt

• Substitute “<path to package>” with the path to your package (if it's not in the current dir).
• There are no spaces in “TRANSFORMS=custom_3.0.128.mst”.
• There is a space between “TRANSFORMS=custom_3.0.128.mst” and “/L*v c:\log.txt”.
• If there are any errors during installation, the log file is an invaluable source of information.

6. Test FortiClient to make sure the modifications you made are present and correct. If there are any mistakes, use your editor to make changes to the mst file. Some editors allow you to load and edit the mst file directly.

7. Test uninstalling the FortiClient software. It is critical that you do this before you roll out FortiClient to your network. Uninstall must be completed without an error or rollback occurring.

8. Roll out your custom FortiClient installation specifying the transform file.

7.3 Customizing to Prevent Features from Installing

To prevent features from installing, you should create a transform which sets the Install Level of the feature to 0 (zero).

7.4 Adding a license key

The MSI property ISX_LICENSE can be set to your license key. You can create and set this property in the property table, or you can specify it on the command line:

msiexec /i FortiClient.msi ISX_LICENSE=1234567890abc

Note that the installation will NOT abort if an invalid license is specified.

7.5 Disabling VPN XAuth password saving

The ability for a user to “save” the VPN XAuth password can now be disabled through a registry setting in a custom installation. To disable this feature:

1. Create a new, or edit an existing, MSI transform file.
2. Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_IKE registry key.
3. Add the value DontRememberPassword as DWORD under the key.
4. Set the value of DontRememberPassword to 1.

7.6 Disabling rating of IP addresses in Web-Filtering

To disable the rating of IP addresses in the Web-Filtering component, a registry key can be used in a custom installation.

1. Create a new, or edit an existing, MSI transform file.
2. Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_WEBFILTER registry key.
3. Add the value DontRateIP as DWORD under the key.
4. Set the value of DontRateIP to 1.

7.7 Enabling Remote Management

To enable remote management you must create a transform that changes the values of specific properties within the installer.

1. Create a new, or edit an existing, MSI transform file.
2. Open the Property table and change the value of FMGRENABLED from 0 to 1.
3. Change the property FMGRTRUSTEDIPS so that it specifies the IP address(es) of FortiManager(s) that FortiClient will accept commands from. The addresses can be specified as individual IP addresses, IP address ranges, or subnets. You can specify a mixed list of addresses, ranges and subnets by separating each value with a comma.

Examples:

Property Name     Property Value                                                     Meaning
FMGRTRUSTEDIPS    172.16.90.83                                                       (trust a single IP only)
FMGRTRUSTEDIPS    172.18.2.0/255.255.255.0                                           (trust a subnet)
FMGRTRUSTEDIPS    172.16.3.1-172.16.3.50                                             (trust an IP range)
FMGRTRUSTEDIPS    172.16.90.83, 172.18.2.0/255.255.255.0, 172.16.3.1-172.16.3.50     (all the above)

• Optional: You can specify the IP address of your FortiManager at installation time by setting the value of the property FMGRIP to the IP address of your FortiManager. This value MUST also be added to the FMGRTRUSTEDIPS value.

• Optional: You can specify the behavior of the firewall after FortiClient is under management of FortiClient Manager. By default, the FortiClient firewall will block all applications from accessing the network until there are matching rules for them. This may not be suitable for a loosely managed network. By setting the FMGRFWBEHAVIOR property to 1, FortiClient's firewall will behave as normal even under FortiClient Manager's control. Network administrators can create rules to deny certain applications from accessing the network.

You can optionally enable a protocol that lets FortiClient independently seek out a FortiManager once it is installed. To enable this you must create a transform that changes the values of specific properties within the installer.

1. Create a new, or edit an existing, MSI transform file.
2. Open the Property table and change the value of FMGRENABLED from 0 to 1.
3. Change the property FMGRTRUSTEDIPS so that it specifies the IP address(es) of FortiManager(s) that FortiClient will accept commands from. The addresses can be specified as individual IP addresses, IP address ranges, or subnets. You can specify a mixed list of addresses, ranges and subnets by separating each value with a comma.
4. Change the property FMGRENABLEDISCOVER so that its value is 1.
5. Optional: You can change the frequency of the search by changing the default values of the property named FMGRDISCOVERINTERVAL. The value is expressed in milliseconds. The default is 30 (i.e. 30 seconds). It is unlikely that you should need to change this.

6. Optional: You can change the number of times that FortiClient will search for a FortiManager by changing the default values of the property named FMGRDISCOVERATTEMPTS. The default is 0, which means never stop trying. It is unlikely that you should need to change this.

7.8 Locking Down the User Interface

Although the user interface is locked down to users who have limited accounts, users in the administrators group can change FortiClient settings. The FortiClient UI presented to administrators can be locked down too.

If you have enabled Remote Management by following the section above, you can lock down FortiClient's UI using FortiManager. See your FortiManager guide for instructions on how to do this.

Alternatively you can force locking down for all users, including administrators, by creating a property in the MSI's Property table.

• Create a new, or edit an existing, MSI transform file.
• Open the Property table and create a property called ADMINPWD. Set its value to the MD5 of a pass phrase of your choice.

7.9 Language transforms

The MST files that ship with the baseline FortiClient package are the English, Japanese, Simplified Chinese, Traditional Chinese, Czech, French, Korean and Slovak language transforms for the installer's user interface:

• 1033.mst = US English
• 1041.mst = Japanese
• 2052.mst = Simplified Chinese
• 1028.mst = Traditional Chinese
• 1029.mst = Czech
• 1036.mst = French
• 1042.mst = Korean
• 1051.mst = Slovak

7.10 Specifying multiple transforms on the command line

Multiple transforms can be specified on the command line. Separate each transform with a semicolon:

msiexec /i <path to package>FortiClient.msi TRANSFORMS=custom.mst;2052.mst

7.11 Disabling FortiProxy self-test

FortiProxy self-test generates traffic to IP address 1.1.1.1. Usually this traffic won’t leave the PC because FortiClient’s driver drops all of it. To disable self-test, follow these steps:

1. Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_FORTIPROXY registry key.
2. Add the value disableselftest as DWORD under the key.
3. Set the value of disableselftest to 1.

7.12 Disabling SMTP Client Comforting

SMTP Client Comforting was introduced in FortiClient 3.0 MR7 patch-3 (3.0.606). It can prevent email clients from timing out when sending emails with large attachments. As long as an email client is RFC compliant and supports multi-line server responses, it should be compatible. If the email client stops at about 10 seconds for all large emails and the email server fails to receive them, you can try to disable SMTP client comforting by following these steps:

1. Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_FORTIPROXY registry key.
2. Add the value DisableSMTPCc as DWORD under the key.
3. Set the value of DisableSMTPCc to 1.

7.13 Download Small AV Signature Database

Starting with FortiClient Endpoint Security v4.0.2, FortiClient downloads the small AV signature database for trial users. Licensed users can also choose to use the small AV signature database by following these instructions:

1. Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_AV registry key.
2. Add or edit the value UseSmallDb as DWORD under the key.
3. Set the value of UseSmallDb to 1 to download the small AV signature database.
4. To revert to the original full database, simply remove this registry value.

7.14 Hide WAN Optimization Customization GUI

To hide WAN Optimization in 4.0.1, the user will need to create a custom installation. In 4.0 Patch 1, users have to do it manually with an MSI editor. To create an installer where WAN Optimization is hidden, the user should do the following:

1. Open FortiClient.msi using an MSI editor, such as Orca.
2. Open the registry table.
3. Create a new record with the following values:

   Registry   : <random name>
   Root       : 2
   Key        : SOFTWARE\Fortinet\FortiClient\FA_WANACC
   Name       : Installed
   Value      : #0
   Component_ : FortiWad.exe

   Note - The value of "Registry" is the key field of this record. It should be randomized to reduce the chances of a collision in the future (collisions prevent upgrades from working).

4. Save the msi file.
5. Install the msi file.
6. The WAN optimization tab will be absent.

8 Appendix B: Typical Setup for Centralized Management

8.1 Communication mechanism between FortiClient and FortiManager

FortiClient Manager uses TCP port 6020 and UDP port 6023 to accept client connections. If there are firewalls/routers/switches between FortiClient Manager and FortiClient, these two ports must have matching policies to accept incoming traffic from the client side. Without exposing these two ports, clients will fail to log on to FortiClient Manager.

If the firewalls protecting the clients have policies for outgoing traffic, they must allow UDP traffic from source port 6022 to the FortiManager device port 6023. Also, TCP traffic from the client to FortiManager device port 6020 must be allowed.

The TCP traffic between FortiClient and FortiManager is SSL encrypted. The UDP traffic is not strongly encrypted, as it is used only for conveying notifications and keep-alive messages.

When a client starts up, it first tries to send a registration message to FortiManager. If it succeeds, it will try to log on to that FortiManager. After successfully logging on, the FortiClient sends keep-alive UDP traffic every 60 seconds to indicate that it is active and to check that the FortiManager unit is available.

Whenever FortiManager has information for FortiClient PCs, such as AV updates, policy installation, etc, it sends notification messages to the IP and port used by the last keep-alive UDP packet from that client.

Both FortiClient and FortiClient Manager are fully NAT-aware. They can communicate even if there are NAT devices between them. Usually, notification messages are delivered to the client instantly. If the NAT session is closed by one or more NAT device(s), FortiManager will try to send the notification messages the next time it receives a keep-alive packet from the client.

8.2 Firewall behavior on FortiClient

Please note the firewall behavior mentioned in Appendix A. For a loosely managed network, administrators may not want all clients to block network access attempts without matching firewall rules. They can set the firewall behavior to 1, so the client firewall will behave as normal. Administrators can set up deny policies for certain high-risk applications, such as P2P clients (eDonkey, BitTorrent, etc).

By contrast, for a network which has high security requirements, such as the finance department inside a business, administrators may allow only known good applications to have network access. In this case, they can set the firewall behavior (FMGRFWBEHAVIOR) to 0, so that clients refuse network access to any application without a matching policy. This will greatly reduce the risk of leaking important information. For example, some hacker programs may try to steal customer information and transfer it over the Internet. But with FortiClient's default firewall policy under FortiClient Manager's control, these programs won't be able to connect to the Internet at all. This kind of network access attempt raises firewall alerts to the FortiClient Manager. Administrators can create new policies based on these alerts. Please refer to FortiClient Manager for details.

Notes: Fully test the customized installation package before you roll it out to clients. If firewall behavior is set to 0, administrators need to create all necessary policies on FortiClient Manager first. Otherwise, when clients are rolled out to all PCs, users may not be able to check email, connect to the Internet, etc.

8.3 Customize FortiClient installation package

Please refer to Appendix A for all the parameters for the remote management. The most basic parameters which need to be set are: FMGRENABLED, FMGRTRUSTEDIPS, FMGRFWBEHAVIOR and FMGRIP.

• FMGRENABLED must be set to 1.
• FMGRTRUSTEDIPS must be set to include the FortiClient Manager's public IP which clients can connect to (please refer to Appendix A for details on the format).
• FMGRFWBEHAVIOR can be set to 1 (default value) for a loosely managed network or set to 0 if appropriate.
• FMGRIP can be skipped if the FortiManager's public IP is already set in the FMGRTRUSTEDIPS field in single IP format. If FortiManager's public IP is not present in FMGRTRUSTEDIPS or not in single IP format (either in IP range or in subnet/mask format), FMGRIP must be set.

For detailed information about how to use FortiClient Manager, please refer to FortiClient Manager related documents.

To verify the correctness of parameters, users can use the command line options to install FortiClient with the MSI package. After everything is verified, users can put the parameters permanently into a custom package. Here is a sample for the command line installation:

msiexec /i C:\FortiClient\build229\FortiClient.msi FMGRENABLED=1 FMGRTRUSTEDIPS=172.16.100.122,172.16.100.123 FMGRFWBEHAVIOR=1

8.4 FortiClient partitioning and multiple FortiManager setup

As FortiManager has an upper limit on the number of clients it can manage, network administrators must partition clients and use multiple FortiManager units. In some scenarios, even if one FortiManager unit is capable of managing all available clients, users like to use two or more FortiManager units for redundancy to reduce downtime.

Clients belonging to different partitions must use different FMGRTRUSTEDIPS parameters. For example, suppose there are two FortiManager devices, one at IP 172.16.100.10 and the other at 172.16.100.20. The first group of clients should set FMGRTRUSTEDIPS to 172.16.100.10 and the other group to 172.16.100.20.

For redundancy, each group of clients can be installed with both FortiManager unit IP addresses. But the order of the IP addresses is very important. The backup FortiManager address must be the second one in the list. For example, the first group should set up FMGRTRUSTEDIPS as 172.16.100.10, 172.16.100.20. The second group should use the reversed order.

With more FortiManager devices, the topology becomes more complicated. But the rule of thumb is simple: the FMGRTRUSTEDIPS parameter must have the primary FortiManager device as its first IP.
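The FMGRTRUSTEDIPS rules from section 7.7 and sections 8.3 and 8.4 can be checked before the values are put into a transform. The following Python script is an added example, not Fortinet code: the function names, the rejection of empty list entries, reading "added to FMGRTRUSTEDIPS" as "covered by one of its entries", and the max_addresses breadth threshold are assumptions of this example.

```python
import ipaddress

def parse_trusted_ips(value):
    """Split an FMGRTRUSTEDIPS value into (kind, first, last) address tuples."""
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            # Rejecting empty entries is this checker's choice, not documented behaviour.
            raise ValueError("empty entry in FMGRTRUSTEDIPS")
        if "-" in item:                      # range: 172.16.3.1-172.16.3.50
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"range runs backwards: {item}")
            entries.append(("range", lo, hi))
        elif "/" in item:                    # subnet: 172.18.2.0/255.255.255.0
            net = ipaddress.IPv4Network(item)
            entries.append(("subnet", net.network_address, net.broadcast_address))
        else:                                # single IP: 172.16.90.83
            ip = ipaddress.IPv4Address(item)
            entries.append(("single", ip, ip))
    return entries


def audit(trusted, primary, fmgr_ip=None, max_addresses=256):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_trusted_ips(trusted)
    primary = ipaddress.IPv4Address(primary)
    findings = []
    # 8.4: the primary FortiManager must be the first IP in the list.
    if entries[0] != ("single", primary, primary):
        findings.append("primary FortiManager is not the first entry")
    if fmgr_ip is None:
        # 8.3: FMGRIP may be skipped only if the manager is listed as a single IP.
        if ("single", primary, primary) not in entries:
            findings.append("FMGRIP must be set: primary is not listed as a single IP")
    else:
        # 7.7: the FMGRIP value must also be in FMGRTRUSTEDIPS.
        ip = ipaddress.IPv4Address(fmgr_ip)
        if not any(lo <= ip <= hi for _, lo, hi in entries):
            findings.append("FMGRIP is not covered by FMGRTRUSTEDIPS")
    # Assumed local policy: flag entries that trust more addresses than expected.
    for kind, lo, hi in entries:
        size = int(hi) - int(lo) + 1
        if size > max_addresses:
            findings.append(f"{kind} {lo}-{hi} trusts {size} addresses")
    return findings


if __name__ == "__main__":
    # Constructed sample value, using the address formats from the 7.7 examples.
    sample = "172.16.90.83, 172.18.2.0/255.255.255.0, 172.16.3.1-172.16.3.50"
    for finding in audit(sample, primary="172.16.90.83") or ["no findings"]:
        print(finding)
```

Running the audit against the value taken from the MSI Property table, before the test installation in step 5 of section 7.2, catches an ordering or coverage mistake while it is still a one-line fix in the transform.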

(End of Release Notes.)