Deploying and Configuring FortiClient VPN with Intune

Author: Tom Senior

Overview

I've had this deployment set up for a while now, so I thought I'd write it down (type it out). Before this deployment was configured, end users would manually add the VPN settings into FortiClient, which is ridiculous when you're supporting hundreds of end users. So this installs FortiClient VPN only with its MSI and then configures the required VPN settings. It's been really reliable and relatively simple to manage.

What we'll do is set up the FortiClient VPN as a line-of-business application in Intune. Then we'll create a PowerShell script to configure the VPN settings and deploy that with Intune too.

I'll break this into 2 sections, so if you've already got FortiClient deployed and just want to configure a VPN, skip to part 2.

1. Deploying FortiClient VPN Only

Grabbing the MSI

To deploy FortiClient VPN with Intune we first need a copy of the MSI file. Of course Fortinet don't offer this download from their website, so this is how we get it.

Head to the Fortinet product downloads page and download the FortiClient VPN for Windows. Run the online installer just until the welcome screen/installer opens; that will download the MSI into C:\ProgramData\Applications\Cache\{#INSTALLER_GUID#}\#VERSION_NUMBER#. If you struggle to find the installer GUID, I'd recommend sorting by Date modified; it will be the newest one.

Copy that MSI to a safe place (and cancel the installer). Now we can set the application up in Intune.
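As an added example (not from the original post), here is a PowerShell script that does the cache lookup just described and checks the MSI's Authenticode signature before staging it for upload, so a tampered or incomplete download never reaches Intune. The staging folder path is an assumption; the cache root is the one named above.

```powershell
# Added example (not from the original post): find the MSI the FortiClient online
# installer cached, confirm its Authenticode signature is valid, then stage it.
$CacheRoot   = 'C:\ProgramData\Applications\Cache'
$Destination = 'C:\IntunePackages\FortiClientVPN'   # assumed staging folder

function Get-CachedFortiClientMsi {
    param([string]$Root)
    # Newest installer GUID folder first, matching the "sort by Date modified" tip
    Get-ChildItem -LiteralPath $Root -Directory -ErrorAction Stop |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object { Get-ChildItem -Path $_.FullName -Filter '*.msi' -Recurse -File } |
        Select-Object -First 1
}

function Test-MsiSignature {
    param([System.IO.FileInfo]$Msi)
    $sig = Get-AuthenticodeSignature -FilePath $Msi.FullName
    [pscustomobject]@{
        Path   = $Msi.FullName
        Status = $sig.Status                     # 'Valid' when chain and file hash check out
        Signer = $sig.SignerCertificate.Subject  # inspect this: it should be the vendor's cert
        Sha256 = (Get-FileHash -Path $Msi.FullName -Algorithm SHA256).Hash
    }
}

$msi = Get-CachedFortiClientMsi -Root $CacheRoot
if (-not $msi) {
    throw "No MSI found under $CacheRoot; run the online installer to the welcome screen first."
}

$check = Test-MsiSignature -Msi $msi
$check | Format-List
if ($check.Status -ne 'Valid') {
    throw "Refusing to stage $($check.Path): signature status is $($check.Status)"
}

# Keep the hash next to the MSI so the package uploaded to Intune can be re-verified later
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Copy-Item -LiteralPath $msi.FullName -Destination $Destination
"$($check.Sha256)  $($msi.Name)" | Set-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')
```

Run it in an elevated PowerShell session on the machine where you ran the online installer; the recorded SHA256 lets you confirm later that the MSI in Intune is the one you checked.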

Adding FortiClient VPN to Intune

Go to the Apps menu in Intune admin center and hit Add. Select the App Type as Line-of-business app under Other. Select the MSI file we just saved.

Now we have a few options to set. First set the publisher: you could use the actual publisher, Fortinet, or your company name if that's what you want to show up in Company Portal. Next set the command-line arguments to /quiet /norestart if you want to prevent the GUI and restarts. If you're deploying this to Company Portal, I would recommend setting a logo, as that's what end users will look at.

[Image: adding the application in Intune]

Once you've added the information you want, hit Next and add the device assignments you want to install the application to. Note this will start installing the app on those devices straight away (when I say straight away, I mean Intune straight away; it could take a little while)!

Then hit Next and Create, and that's it for deploying FortiClient VPN with Intune. Let's move on to configuring a VPN.

2. Configuring the VPN settings

To configure the VPN for our end users, we are going to write a PowerShell script and deploy it via Intune to the same devices.

The script

All the script below does is check whether a registry location exists; if it doesn't, it creates the VPN configuration. I've added variables at the top to make editing the script easy.

It's worth noting there are other configurations that can be added to these registry settings. If you need to configure other options, I'd recommend setting up a VPN within the FortiClient software and then going to HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\ in the registry to find out which options you need to set.

$vpnName        = "Company VPN"
$vpnDescription = "Default VPN Configuration."
$vpnServer      = "company.example.com:443"

# FortiClient stores SSL VPN tunnel definitions under this key, one subkey per tunnel
$tunnelPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$vpnName"

# Only create the tunnel when it doesn't exist yet, so re-runs leave an existing one alone
if (-not (Test-Path -LiteralPath $tunnelPath)) {
    New-Item -Path $tunnelPath -Force -ErrorAction SilentlyContinue
    New-ItemProperty -LiteralPath $tunnelPath -Name 'Description'       -Value $vpnDescription -PropertyType String -Force -ErrorAction SilentlyContinue
    New-ItemProperty -LiteralPath $tunnelPath -Name 'Server'            -Value $vpnServer      -PropertyType String -Force -ErrorAction SilentlyContinue
    New-ItemProperty -LiteralPath $tunnelPath -Name 'promptusername'    -Value 1               -PropertyType DWord  -Force -ErrorAction SilentlyContinue
    New-ItemProperty -LiteralPath $tunnelPath -Name 'promptcertificate' -Value 0               -PropertyType DWord  -Force -ErrorAction SilentlyContinue
    New-ItemProperty -LiteralPath $tunnelPath -Name 'ServerCert'        -Value '1'             -PropertyType String -Force -ErrorAction SilentlyContinue
}
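An added detection script (not part of the original post), written in the shape Intune remediation detection scripts expect: it reads the tunnel key back and exits non-zero when any value is missing or differs from what the configuration script above sets. This matters because that script only writes when the key is absent, so a later change to the server or a value edited on the device would otherwise go unnoticed. The expected values below mirror the variables above and are assumptions for your environment.

```powershell
# Added example (not from the original post): detect drift in the FortiClient
# tunnel configuration. Exit 0 = compliant, exit 1 = remediation needed.
$vpnName    = "Company VPN"   # assumed: same name used by the configuration script
$tunnelPath = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$vpnName"
$expected   = @{
    Description       = "Default VPN Configuration."
    Server            = "company.example.com:443"
    promptusername    = 1
    promptcertificate = 0
    ServerCert        = '1'
}

function Test-FortiTunnelConfig {
    param([string]$Path, [hashtable]$Expected)
    $problems = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        return "Tunnel key missing: $Path"
    }
    $actual = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($null -eq $value) {
            $problems += "Missing value: $name"
        }
        elseif ("$value" -ne "$($Expected[$name])") {
            # Compare as strings so DWord 1 and string '1' are both handled uniformly
            $problems += "Mismatch: $name is '$value', expected '$($Expected[$name])'"
        }
    }
    return $problems
}

$drift = @(Test-FortiTunnelConfig -Path $tunnelPath -Expected $expected)
if ($drift.Count -eq 0) {
    Write-Output "Compliant: '$vpnName' matches the expected configuration"
    exit 0
}
$drift | ForEach-Object { Write-Output $_ }
exit 1
```

Pair it with the configuration script above, minus its Test-Path guard, as the remediation script so that changed values are re-applied rather than only created once.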

So create the script, add in your custom VPN settings and save it somewhere safe. If you don't already, I'd recommend self-signing the script so it complies with execution policies, but I'm not going into that now; you can read more about signing PowerShell scripts here.

Deploying the PowerShell script with Intune

Now we'll deploy the script with Intune.

Head to the Intune admin center and, under Devices, hit Scripts and remediations. Hit Platform scripts at the top and click Add, then Windows 10 and later. Give your new script a name and description and hit Next.

On Script settings, select the location of the script we saved earlier. Set Run this script using the logged on credentials to No. If you have self-signed your script, set Enforce script signature check to Yes; otherwise select No. Finally, I set Run script in 64 bit PowerShell Host to Yes.

[Image: adding the PowerShell script in Intune]

Hit Next, and assign the script to the same devices we assigned the FortiClient application to.

That's it! We're deploying the FortiClient app with a configured VPN for all our end users.

Thanks for reading. Any questions or feedback: Twitter, LinkedIn or email.