Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Special Notices

Deploying FortiClient upgrade to Windows 7

FortiClient EMS disables TLS 1.0, 1.1 for all incoming SSL connections. On Microsoft Windows 7 (and likely Windows Server 2008 R2) devices, the WinHTTP library FortiClient uses for file downloads does not use TLS 1.0/1.1 by default. When deploying FortiClient from EMS 6.0.1 to Windows 7 endpoints that already have FortiClient 6.0.1 or older installed, the deployment may fail.

This issue only exists when deploying from EMS 6.0.1 to Windows 7 endpoints with FortiClient installed. It does not exist when:

  • Deploying to Windows 8.1 or 10
  • Deploying from EMS 6.0.0 or older
  • The endpoint does not have FortiClient installed

There are various ways to address this issue.

Enabling TLS 1.2 on Windows 7 using registry settings

Follow the discussions in Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows to add a registry setting.

  1. Install the Windows Update Hot Fix:

    Update to enable TLS 1.1 and 1.2 as default secure protocols in WinHTTP (KB3140245)

    note icon

    If regular Windows Update is enabled by default, this KB is already installed.

  2. Create a DWORD registry entry: DefaultSecureProtocols in the path:
    • On systems running x86 architecture:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

    • On systems running x64 architecture

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  3. Set the value to 0x00000A00 to enable both TLS 1.1 and 1.2.

Enabling TLS 1.0 and 1.1 in EMS

EMS 6.0.1 provides an option in System Settings to enable support for TLS 1.0 and 1.1 for file downloads. The EMS administrator may use this option when deploying FortiClient upgrades to Windows 7 endpoints. Once deployment is complete, you can disable the option.

Special Notices

Deploying FortiClient upgrade to Windows 7

FortiClient EMS disables TLS 1.0, 1.1 for all incoming SSL connections. On Microsoft Windows 7 (and likely Windows Server 2008 R2) devices, the WinHTTP library FortiClient uses for file downloads does not use TLS 1.0/1.1 by default. When deploying FortiClient from EMS 6.0.1 to Windows 7 endpoints that already have FortiClient 6.0.1 or older installed, the deployment may fail.

This issue only exists when deploying from EMS 6.0.1 to Windows 7 endpoints with FortiClient installed. It does not exist when:

  • Deploying to Windows 8.1 or 10
  • Deploying from EMS 6.0.0 or older
  • The endpoint does not have FortiClient installed

There are various ways to address this issue.

Enabling TLS 1.2 on Windows 7 using registry settings

Follow the discussions in Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows to add a registry setting.

  1. Install the Windows Update Hot Fix:

    Update to enable TLS 1.1 and 1.2 as default secure protocols in WinHTTP (KB3140245)

    note icon

    If regular Windows Update is enabled by default, this KB is already installed.

  2. Create a DWORD registry entry: DefaultSecureProtocols in the path:
    • On systems running x86 architecture:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

    • On systems running x64 architecture

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  3. Set the value to 0x00000A00 to enable both TLS 1.1 and 1.2.

Enabling TLS 1.0 and 1.1 in EMS

EMS 6.0.1 provides an option in System Settings to enable support for TLS 1.0 and 1.1 for file downloads. The EMS administrator may use this option when deploying FortiClient upgrades to Windows 7 endpoints. Once deployment is complete, you can disable the option.