Description
To enable DNS registration option for SSLVPN clients when the FortiClient participates in FSSO, special steps must be followed.
Specifically, there is an additional registry value which needs to be changed.
Complete the Following Steps:
1) Enable DNS registration under Network properties:
2a) If FortiClient version is 5.2.1 or earlier or if FortiClient is unmanageable.
note: All steps have to be applied under workstation administrator account
2a.1) shutdown Forticlient.
2a.2) net stop fortishield.
2a.3) Start CMD with administrator privileges and add following registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FortiClient\Sslvpn]
"WinDnsCacheService"=dword:00000003
2a.4) net start fortishield.
2a.5) start Forticlient.
2b) Alternatively, if the FortiClient is manageable by FGT and the FC version is 5.2.2 and above, all steps from 2a could be automated by adding the following XML into the FC's configuration XML script.
<dnscache_service_control>3</dnscache_service_control>
For example:
<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
<partial_configuration>1</partial_configuration>
<os_version>windows</os_version>
<vpn>
<sslvpn>
<options>
<enabled>1</enabled>
<dnscache_service_control>3</dnscache_service_control>
<!--0=disable dnscache, 1=do not tounch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange-->
</options>
</sslvpn>
</vpn>
</forticlient_configuration>
