Administrative templates for GPO
Administrative templates are used to configure registry settings on Windows endpoints through Group Policy Objects. For the Persistent Agent and the Passive Agent, there are templates to configure the Server URL of the FortiNAC Application Server with which the agent will communicate. There are also per-computer and per-user templates to enable or disable the system tray icon or Balloon Notifications of status changes. The Balloon Notification template does not affect the Server IP setting and is not required.
FortiNAC does not support an Administrative Template for deploying configuration changes to macOS computers or users through GPO. You can investigate third-party applications, such as Likewise Enterprise, that support macOS computers using the Group Policy Object editor. The modifications shown in the tables below can be made in the Preferences file on macOS hosts, using the tool of your choice.
The Persistent Agent running on a macOS computer can determine the server to which it should connect via DNS server records, so it does not require changes to Preferences.
If you are using the Persistent Agent, your Windows login credentials are automatically passed to FortiNAC. You can modify the settings in the Administrative Template to hide the Persistent Agent login dialog and use the Windows login credentials sent by the Persistent Agent instead. See Using Windows domain logon credentials.
Security is enabled by default. It is recommended that you update to the latest template files and configure the templates for the new security settings.
Requirements:
- Active Directory
- Group Policy Objects
- Template Files From Fortinet
Templates:
The templates listed below are provided by Fortinet. Run the template installation program on your Windows server, selecting the MSI that matches the server's architecture.
- 32-bit (x86): Bradford Networks Administrative Templates.msi
- 64-bit (x86_64): Bradford Networks Administrative Templates-x64.msi
Install a GPO template
- In FortiNAC, select System > Settings > Updates > Agent Packages.
- At the top of the Agent Distribution window click either the 32-bit (x86) or the 64-bit (x86_64) link to download the appropriate template file.
- Copy the template file to the domain server.
- On the domain server, double-click the msi file to start the installation wizard.
- Click through the installation wizard. After the installer finishes, the Microsoft Group Policy Management Console is used to complete the setup. Refer to the Windows Server documentation for details.
- Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Right-click Computer Configuration > Administrative Templates and select Add/Remove Templates to show the current templates pop-up.
- Click Add and browse to Program Files\Bradford Networks\Administrative Templates.
- To use the Persistent Agent, select FortiNAC Persistent Agent.adm and click Open.
- To use the Passive Agent, select FortiNAC Passive Agent.adm and click Open.
- Click Close, and the Administrative Templates will be imported into the GPO.
Install an updated template with balloon notifications
If you already have a Fortinet Administrative Template installed for the Persistent Agent and the Balloon Notifications were ever set to anything other than Not Configured (e.g. enabled or disabled), you must unconfigure the Balloon Notifications and push the settings to your clients. When your clients have all been updated, then the new template can be installed. These templates affect the registry settings on the client host. In the case of the Balloon Notifications, removing the previous configuration before installing the new one ensures that the keys will be set correctly.
Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.
- In FortiNAC, navigate to System > Settings > Persistent Agent.
- Select Properties and make sure that Display Notifications is disabled. When you have uploaded and configured the new template, come back to this view and restore the Display Notifications option to its original state.
- Log into your Windows server and open the Group Policy Management Tool.
- Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Select Computer Configuration > Administrative Templates > Bradford Persistent Agent.
- In the pane on the right, right-click on the Balloon Notifications setting and select Properties.
- On the Setting tab in the Properties window, select Not Configured and click OK.
- When all of your clients have received the updated settings, the new template can be installed.
- Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates to show the current templates pop-up.
- Select the old template and click Remove. Follow the instructions in Install a GPO template to install the new template.
Install an updated template without balloon notifications
Before updating a template, be sure to record the current template settings. Existing template settings are lost when the new template is installed.
- On your Windows server, open the Group Policy Management Tool.
- Navigate to the Group Policy Object you want to edit, right-click and select Edit to display the GPO Editor pane.
- Right-click Computer Configuration > Administrative Templates and select Add/ Remove Templates to show the current templates pop-up.
- Select the old template and click Remove. Follow the instructions in Install a GPO template to install the new template.
Modify template settings
See the table below for the settings that can be configured using the Administrative Templates provided.
Settings

| Option | Definition |
|---|---|
| Persistent Agent template | |
| Balloon Notifications | Enables or disables Balloon Notifications on a per-host or per-user basis. This setting is not required for configuring Server IP information. Options include: |
| Login Dialog | Enables or disables the login dialog on a per-host or per-user basis. This setting is not required for configuring Server IP information. See Using Windows domain logon credentials for further instructions. Options include: |
| System Tray Icon | Enables or disables the system tray icon on a per-host or per-user basis. This setting is not required for configuring Server IP information. (Requires Persistent Agent 2.2.3 or higher.) Options include: |
| Max Connection Interval | The maximum number of seconds between attempts to connect to FortiNAC. |
| Security settings | |
| Security Mode | Indicates whether security is enabled or disabled. |
| Home Server | Server with which the agent always attempts to communicate first. Protocol configuration change requests are honored only when they are received from this server. If this server is not set, it is automatically discovered using Server Discovery. On upgrade, this is populated by the contents of ServerIP. |
| Limit Connections To Servers | Enabled: the agent communicates only with its Home Server and the servers in the Allowed Servers list. Disabled: the agent searches for additional servers when the home server is unavailable. Allowed Servers List: in large environments there may be more than one set of FortiNAC servers. If roaming between servers is limited, list the FQDNs of the FortiNAC Application Servers or FortiNAC Servers with which the agent can communicate. |
| Passive Agent template | |
| Passive Agent | Server URL List: comma-separated list of URLs (formatted HTTP(s)://<server_name>/<context>) for the FortiNAC servers that hosts running an agent should contact. Hosts must be able to reach all of the URLs in order to run properly. Example: http://qa228/registration. The context portion of the Server URL is the area of the captive portal the agents should contact, such as registration, remediation, or authentication. |
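As an added check that is not part of the FortiNAC documentation, the PowerShell below parses a Server URL List value in the format described above and reports entries that do not match it (no scheme, a scheme other than http/https, a missing or unrecognised context), optionally probing that each host's TCP port is reachable. The function name, the sample list and the `-CheckReachability` switch are assumptions; the context names checked are the three the table names.

```powershell
# Added example, not FortiNAC code: validate a Passive Agent "Server URL List"
# value before pushing it. Expected entry format, from the table above:
#   http(s)://<server_name>/<context>, context = registration, remediation
#   or authentication. Plain-HTTP entries are reported, not rejected, since
#   the documentation's own example uses http.
function Test-PassiveServerUrlList {
    param(
        [Parameter(Mandatory)][string]$ServerUrlList,   # the comma-separated value
        [switch]$CheckReachability                      # also probe the TCP port
    )
    $knownContexts = @('registration', 'remediation', 'authentication')
    foreach ($entry in ($ServerUrlList -split ',')) {
        $raw = $entry.Trim()
        if (-not $raw) { continue }
        $problems = @(); $notes = @(); $uri = $null
        if (-not [System.Uri]::TryCreate($raw, [System.UriKind]::Absolute, [ref]$uri)) {
            $problems += 'not an absolute URL'
        } else {
            if ($uri.Scheme -notin @('http', 'https')) { $problems += "scheme '$($uri.Scheme)' is not http/https" }
            elseif ($uri.Scheme -eq 'http') { $notes += 'plain HTTP; agent traffic to the portal is unencrypted' }
            $context = $uri.AbsolutePath.Trim('/')
            if (-not $context) { $problems += 'missing <context> path segment' }
            elseif ($context -notin $knownContexts) { $problems += "unknown context '$context'" }
            if ($CheckReachability -and $problems.Count -eq 0) {
                # Test-NetConnection ships with Windows 8 / Server 2012 and later.
                $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
                if (-not $tcp.TcpTestSucceeded) { $problems += "TCP port $($uri.Port) on $($uri.Host) not reachable" }
            }
        }
        [pscustomobject]@{
            Url      = $raw
            Valid    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
            Notes    = ($notes -join '; ')
        }
    }
}

# Constructed sample: two well-formed entries, then two deliberately bad ones.
$sample = 'https://nac.example.com/registration, http://qa228/registration, ' +
          'https://nac.example.com/portal, nac.example.com/remediation'
Test-PassiveServerUrlList -ServerUrlList $sample | Format-Table -AutoSize
```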
Registry keys
The template setup shown in the table above modifies the Windows host's registry settings. The table below shows the modifications made to the host's registry keys by the Group Policy Object using the administrative template. If you use a tool other than GPO, you must make sure to set the appropriate keys on each host.
Upon installation of the Persistent Agent, the following key is created by default (and can be viewed using the Windows registry editor on the end station):
HKLM\Software\Bradford Networks\Client Security Agent
When registry settings are pushed to a host via software, one or both of the following keys are created (depending upon the values pushed):
HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent
HKLM\Software\Policies\Bradford Networks\Persistent Agent
When the settings are pushed, the values for HKLM\Software\Bradford Networks\Client Security Agent will remain the same, but any settings altered via the software push will override those listed in the original key.
On 64-bit operating systems in RegEdit, these registry values will appear under the following key: HKLM\Software\wow6432node.
| Key | Value | Data |
|---|---|---|
| Persistent Agent | | |
| HKLM\Software\Policies\Bradford Networks\Persistent Agent | ServerIP | The fully qualified hostname with which the agent should communicate. Data Type: String. Default: Not Configured |
| HKLM\Software\Policies\Bradford Networks\Persistent Agent | ClientStateEnabled | 0: Do not show balloon notifications on status changes. 1: Show balloon notifications on status changes. Data Type: DWORD. Default: Not Configured |
| HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent | ClientStateEnabled | 0: Do not show balloon notifications on status changes. 1: Show balloon notifications on status changes. Data Type: DWORD. Default: Not Configured |
| HKLM\Software\Policies\Bradford Networks\Persistent Agent | LoginDialogDisabled | 0: Enable Login Dialog. 1: Disable Login Dialog. Data Type: DWORD. Default: Not Configured (Login Dialog displayed) |
| HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent | LoginDialogDisabled | 0: Enable Login Dialog. 1: Disable Login Dialog. Data Type: DWORD. Default: Not Configured (Login Dialog displayed) |
| HKEY_USERS\ … \Software\Policies\Bradford Networks\Persistent Agent | ShowIcon | 0: Do not show the tray icon. 1: Show the tray icon. Data Type: DWORD. Default: Not Configured (Tray icon displayed) |
| HKLM\Software\Policies\Bradford Networks\Persistent Agent | ShowIcon | 0: Do not show the tray icon. 1: Show the tray icon. Data Type: DWORD. Default: Not Configured (Tray icon displayed) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ | maxConnectInterval | The maximum number of seconds between attempts to connect to FortiNAC. Data Type: Integer. Default: 960 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ | securityEnabled | 0: Disable Agent Security. 1: Enable Agent Security. Data Type: Integer. Default: 1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ | homeServer | The fully qualified hostname of the default server with which the agent should communicate. Data Type: String. Default: Empty |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ | restrictRoaming | 0: Do not restrict roaming; allow the agent to communicate with any server. 1: Restrict roaming to the home server and the allowed servers list. Data Type: Integer. Default: 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ | allowedServers | Comma-separated list of fully qualified hostnames with which the agent can communicate. If restrict roaming is enabled, the agent is limited to this list. The home server does not need to be included in this list (for example, a.example.com, b.example.com, c.example.com). Data Type: String. Default: Empty |
| Passive Agent | | |
| HKEY_USERS\{SID}\Software\ | ServerURL | Server URL List: comma-separated list of URLs for the FortiNAC servers that an agent should contact. Example: http://qa228/registration. The context portion of the Server URL is the area of the captive portal the agents should contact, such as registration, remediation, or authentication. |
| HKLM\Software\Policies\Bradford Networks\PASSIVE | ServerURL | Server URL List: comma-separated list of URLs for the FortiNAC servers that an agent should contact. Example: http://qa228/registration. The context portion of the Server URL is the area of the captive portal the agents should contact, such as registration, remediation, or authentication. |
Deploy the Passive Agent
- On your Windows server open the Group Policy Management Tool.
- Navigate to the Group Policy Object you want to edit.
- Right-click the Group Policy Object and select Edit to display the GPO Editor pane.
- Click User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) to display the Logon and Logoff script configurations.
- Double click Logon for Logon Properties.
- Click Add and then browse to the location of FortiNAC_Passive_Agent.exe.
- Select FortiNAC_Passive_Agent.exe to add it to the Script Name field.
- Enter -logon in the Script Parameters field.
- Click OK.
To ensure the user is logged off the host upon logging out, do the following:
- Follow steps 1-4, and then double-click Logoff.
- Add FortiNAC_Passive_Agent.exe to the Script Name field, and then enter -logoff in the Script Parameters field.
- Click OK.