Fortinet Version 4.0 MR1 Administration Manual

FortiClient Endpoint Security

FortiClient Endpoint Security
Version 4.0 MR1
Administration Guide

Summary of Contents for Fortinet Version 4.0 MR1

  • Page 1 FortiClient Endpoint Security™ Version 4.0 MR1 Administration Guide
  • Page 2 FortiClient Endpoint Security Administration Guide Version 4.0 MR1 31 August 2009 04-40001-99556-20090626 © Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    Creating a FortiClient custom installation (15); Suppressing Features (15); Sample command lines (15); Specifying install log file (16); Language transforms (16); Specifying multiple transforms on the command line (16). FortiClient Endpoint Security Version 4.0 MR1 Administration Guide 04-40001-99556-20090626 http://docs.fortinet.com/
  • Page 4 Monitoring Endpoints (37); Creating FortiClient VPNs (39); Overview (39); Configuring VPN connections using FortiClient (39); Configuring VPN connections on FortiGate units (39); About split tunneling (40).
  • Page 5 Reading a security policy (54); Monitoring policy compliance (54); Making the FortiClient application comply with the policy (55); API reference (56); Appendix A: Installer Public Properties (57); Index (61).
  • Page 6 Contents
  • Page 7: Introduction

    • Microsoft Windows 7: 512 MB • a compatible email application for the AntiSpam feature: • Microsoft Outlook 2000 or later • Microsoft Outlook Express 2000 or later
  • Page 8: Supported FortiGate Models And FortiOS Versions

    Configuring VPNs without FortiClient Endpoint Security describes how to configure FortiClient VPN, a light VPN client that you can distribute to users who do not have FortiClient Endpoint Security.
  • Page 9: Documentation

    Please visit the Fortinet Technical Support website at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
  • Page 10 Customer service and technical support Introduction
  • Page 11: Installation

    FortiClient Endpoint Security User Guide. You can preconfigure all application settings, including the configuration for centralized management by a FortiManager system. For more information, see “Custom Installer Packages” on page
  • Page 12: Installation Notes

    Users can install the standard FortiClient application through methods such as downloading it from the FortiClient Web site or using a CD. For more information on installing FortiClient, see the FortiClient User Guide QuickStart Guide.
  • Page 13: Multiple-User Installation

    You can use the FortiGate’s Web Config to manage the version of FortiClient (endpoint control) running on multiple computers. See “Enforcing use of FortiClient software” on page 29 for more information.
  • Page 14 Standard FortiClient Installation Installation
  • Page 15: Custom Installer Packages

    Optionally, you write the current installation settings into a FortiClient.msi file, so that end-users do not need to use the command line to incorporate MST files. To create a custom msi file, see “Creating the custom MSI installation file” on page
  • Page 16: Creating The MST File With No Command Line Parameters

    The FortiClient application wizard starts. Follow the wizard to install the features you require. Reboot the computer if the installer requests it. When the computer restarts, the FortiClient installation wizard continues.
  • Page 17: Performing Additional Customizations

    URL. To disable rating of IP addresses: 1 Using regedit or regedt32, edit the following key: HKEY_LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_WEBFILTER\ 2 Add the value DontRateIP as a DWORD under the key.
  • Page 18: Creating The Custom MSI Installation File

    Shrink the .msi file by removing files for unused features. Valid only when used with -m option. Refer to the FCRepackager_Readme.txt file for more information about command line options.
  • Page 19: Customizing The FortiClient Application For Enterprise Licensing

    To modify the new FortiClient .msi installer with your saved customizations, use the following command:
        FCRepackager -t FortiClient.mst -m FortiClient.msi
    If the files are not in the current directory, you need to specify the path to them.
  • Page 20: Customizing The Installer Using An MSI Editor

    FortiClient feature. However, before you add a feature, question why you are adding a feature and what you are trying to accomplish.
  • Page 21: Creating A FortiClient Custom Installation

    To suppress FortiClient features from installing, create a transform which sets the Install Level of the feature to 0 (zero). Sample command lines:
    • Install FortiClient:
        msiexec /i <folder of FortiClient.msi>\FortiClient.msi FMGRENABLED=1 FMGRTRUSTEDIPS=<FortiClientManager IP>
    • Upgrade FortiClient
  • Page 22: Specifying Install Log File

    Go to System > Config to edit the replacement messages. See the FortiGate Administration Guide for more information on replacement messages.
  • Page 23: Active Directory Installation

    FortiManager unit at a specific IP address, or discover FortiManager units on its network. For information about centrally managing FortiClient PCs with FortiManager, see the FortiClient Manager chapter of the FortiManager Administration Guide.
  • Page 24: Enabling Remote Management With FortiManager

    Example command lines for the .exe package: For a FortiClient PC centrally managed by a FortiManager unit on IP address 172.16.100.5, the installation command line is:
        FortiClientSetup /v"FMGRENABLED=1 FMGRIP=172.16.100.5"
  • Page 25 For a FortiClient PC that accepts central management by any FortiManager unit on subnet 172.16.100.0/24, the installation command line is:
        msiexec /i FortiClient.msi FMGRENABLED=1 FMGRENABLEDISCOVER=1 FMGRTRUSTEDIPS=172.16.100.0/255.255.255.0
    Note: You must enter the entire command on a single line.
  • Page 26: Advanced Scenarios

    You can use a standard or a customized installation package, but you must select the Custom installation option and make sure that you do not install the VPN feature. Citrix uses the Windows IPsec service, which the FortiClient VPN would disable.
  • Page 27: Configuring AntiLeak For FortiClient

    3 Find the record where the Feature field is Feature_AntiLeak. 4 In that record, change the Display field to 1. 5 Change the InstallLevel field to 1. 6 Save and close the MSI.
  • Page 28 Advanced Scenarios Custom Installer Packages
  • Page 29: FortiClient Licensing

    “Creating a customized installer using FCRepackager” on page • If you manage FortiClient computers with a FortiManager unit, you can also manage their licenses. See “To assign a standard fixed license with FortiManager”, next.
  • Page 30: Enterprise Licensing

    4 Select Download to register the license. Information about the license displays below the Enterprise License Key field. 5 In the Validation Type section, select Internal Validation. 6 Click Apply.
  • Page 31: Creating Enterprise Client License Keys

    Customization chapter. See “Creating a customized installer using FCRepackager” on page 9. Then, install the result of those customizations as your model installation.
  • Page 32 Put the installer on a file share. Users simply double-click the file to begin installation. • On a Windows Advanced Server network, install the application on end users’ computers remotely. For more information, see “Active Directory installation” on page
  • Page 33: Corporate Security Policies

    Corporate Security Policies can be set up to enforce the use of certain FortiClient features. This is commonly used to ensure that users of remote VPN connections are in compliance with the established security policies. This chapter contains the following sections: •...
  • Page 34: Configuring A Corporate Security Policy

    You configure your corporate security policy in the FortiClient Manager module of the FortiManager unit. It is simplest to apply security policies to client groups. If you have already created client groups, you can create security policies for those groups.
  • Page 35: Endpoint Network Access Control

    See “Setting the FortiClient version” on page • Enable endpoint control in the appropriate FortiGate firewall policies. See “Enabling Endpoint Control” on page
  • Page 36: Configuring FortiGuard Services

    FortiClient or update the antivirus definitions. To set the required FortiClient version and the download location: 1 In your FortiGate unit’s web-based manager, go to Endpoint NAC > Config and select the FortiClient tab.
  • Page 37 • FortiClient Endpoint Security 4.n.n — This is available if the download location is This FortiGate. It shows the version of the software stored on the FortiGate unit. 6 Click OK.
  • Page 38: Uploading The FortiClient Installer To Your FortiGate Unit

    Create endpoint control profiles so that you can apply them to firewall policies. This allows the FortiGate unit to monitor which applications are running and installed through FortiClient and enable the enforcement of FortiClient features such as antivirus and firewall.
  • Page 39: Creating An Application Detection List

    The application detection list is applied to the Endpoint Control Profile. The list of available categories, vendors, and applications comes from the FortiGuard signature database and can be viewed in the Predefined tab.
  • Page 40 7 Click OK. 8 Repeat steps 5 and 6 to create the application detection list. Figure 7: Detection list
  • Page 41 Entertainment Adult Software that includes depictions of nudity or sexual activity or other elements that might be objectionable to non-consenting users.
  • Page 42: Applying An Endpoint Control Profile To A Firewall Policy

    FortiGate unit. When the FortiGate unit receives an updated list, it compares the list of applications against the Endpoint Profile that is assigned for that user and takes the following actions for each application:
  • Page 43: Monitoring Endpoints

    Endpoint Control Profile and a firewall policy, you can view which applications have attempted to pass through the FortiGate unit. To monitor endpoints: 1 Go to Endpoint NAC > Monitor.
  • Page 44 The status of the endpoint changes to Non-compliant but temporarily exempted. 7 If an endpoint has been given an exemption, you can block the endpoint prior to the exemption timeout by clicking Block Endpoint.
  • Page 45: Creating FortiClient VPNs

    A policy-based VPN. • A route-based VPN. • SSL VPN. For information on how to set up VPN connections using a FortiGate unit, see the FortiGate Administration Guide.
  • Page 46: About Split Tunneling

    You can create an automatic VPN connection or the FortiClient Manager can automatically download a VPN setting from the FortiGate unit to which your FortiClient computer connects. For more information, see the FortiManager System Administration Guide.
  • Page 47: Configuring VPN Connections Using Custom Installations

        <group_name>
        set status enable
    <phase2_name> must be the name of the VPN phase 2 configuration. <group_name> must be the name of the user group you created for FortiClient users.
  • Page 48 Configuring the FortiGate gateway as a policy server Creating FortiClient VPNs
  • Page 49: Per-User Web Filtering

    FortiClient computer as a managed client • define the web filter profiles you will assign to users • configure LDAP settings to obtain Windows group/user information
  • Page 50: Managing FortiClient Computers

    Start the installer from the command line as follows to enable central management by a FortiManager server. Type the command on a single line.
        msiexec /i FortiClient.msi FMGRENABLED=1 FMGRTRUSTEDIPS=<IP> FMGRENABLEDISCOVER=1
    <IP> is the address of the FortiManager unit
  • Page 51: Defining Web Filter Profiles

    6 Select group(s) (each one has a check box) and then select Assign Profile. For each selected group, the Web Filter Profile column lists the assigned profile. 7 Repeat Step through Step for each web filter profile you want to assign.
  • Page 52 8 Click Assign Profile. For each selected user, the Web Filter Profile column lists the assigned profile. 9 Repeat Step through Step for each web filter profile you want to assign.
  • Page 53: Configuring VPNs Without FortiClient Endpoint Security

    The FortiClient VPN Editor can configure or import configurations for VPN tunnels, certificates and revocation lists and then save them to one of the FortiClient VPN installer files or to a configuration file.
  • Page 54: Importing VPN Tunnel Settings

    5 For Policy Server, enter the IP address or FQDN of the FortiGate gateway. 6 Select OK. To configure a VPN tunnel - basic configuration: 1 In the FortiClient VPN editor, select the Tunnels tab.
  • Page 55 You can specify up to 16 remote networks. 4 Select OK. To enable Internet browsing over IPSec: In the Advanced Settings window, do the following: 1 In the Remote Network section, select Add.
  • Page 56: Configuring Certificates For FortiClient VPN

    You can also save configurations to a VPN policy file (.vpl) or policy package (.vpz) for distribution to FortiClient Endpoint Security users. The policy package is the preferred format because the file is password protected and it includes any certificates that the tunnel requires.
  • Page 57: Using The FortiClient API

    The COM library for FortiClient is fccomintdll.dll, located in the FortiClient installation directory, by default c:\Program Files\Fortinet\FortiClient. Using your development environment, create a reference to this library.
        Begin FCCOMINTDLLLibCtl.VPN VPN1
  • Page 58: Retrieving A List Of VPN Connection Names

        = ""
        outSavePassword = False
        If Not Dialog.Cancelled Then
            outUserName = Dialog.UserName
            outPassword = Dialog.Password
            outSavePassword = Dialog.SavePassword
        End If
        VPN1.SendXAuthResponse bstrTunnelName, outUserName, outPassword, outSavePassword
        End Sub
  • Page 59: Monitoring The Connection

    The FortiClient API can also create a security policy. This section uses example code snippets in Visual Basic to show how to set and monitor a corporate security policy programmatically.
  • Page 60: Setting A Security Policy

    The OnOutOfCompliance event returns four boolean values, one for each feature. A value of True indicates that the feature is not in compliance with the policy.
  • Page 61: Making The FortiClient Application Comply With The Policy

    The FortiClient API includes a method that enables the features required by the security policy, bringing the application back into compliance. In this example, there is a “Make Compliant” button.
        Private Sub MakeCompliantBtn_Click()
            VPN1.MakeSystemPolicyCompliant
        End Sub
  • Page 62: API Reference

    Arguments correspond to features. Boolean) True indicates the feature is out of compliance with security policy. OnXAuthRequest(bstrTunnelName As String) The VPN peer on the named connection requests XAuth authentication.
  • Page 63: Appendix A: Installer Public Properties

    FortiClient Manager if it occurs in this window. FMGRDISCOVERATTEMPTS: The number of times to try to locate FortiClient Manager before giving up. 0=infinite.
  • Page 64 HIDETRAY [0..1]: When set to 0, the tray icon is hidden from users. It is not possible to shut down FortiClient if the tray icon is hidden.
  • Page 65 If this setting is set to 1 and FortiClient is configured to use a custom update server and if that connection fails then FortiClient will attempt to update from FortiProtect Distribution Server.
  • Page 66 If set to 1 and if an IP address is browsed to (instead of a FQDN), FortiClient will not request a rating for that IP address from the FortiGuard network.
  • Page 67: Index

    FMGRAVALERTINT FMGRDISCOVERATTEMPTS FMGRDISCOVERINTERVAL FMGRENABLED FMGRENABLEDISCOVER
  • Page 68 NOTRAYFLASH installation options block access unless firewall rule permits disable web filter rating by IP address OPTIMIZE disable XAUTH password saving hide FortiTray permit fallback to public FDS
  • Page 69 FortiClient Manager system requirements web filtering assigning profiles configuring FortiManager for on Citrix server technical support on Windows Terminal server overview remote users Windows network UPDATEFAILOVERPORT WFDONTRATEIP
  • Page 70 Index
  • Page 71 www.fortinet.com...
  • Page 72 www.fortinet.com...