We used to use the free FortiClient VPN on our computers but have since upgraded to the full EMS client. I just deployed the full client, and it removed the old FortiClient VPN just fine and everything works.
In the FortiClient VPN we had defined an IPsec VPN profile and that is still present in the full client, but as a Personal VPN profile. I would like to remove that, but I don’t see a way to do that. I tried to remove the profile in the registry on a test computer, but was unable to, so it seems like the key is locked in some way.
According to Fortinet support, it’s not possible to remove a Personal VPN Profile.
Does anyone have a tip for how to do this silently on all computers?
Might need to install the free version to remove the profile and then re-push EMS. My thought is this has to be a configuration file somewhere, but if you can’t figure that out, reverting to the old system, cleaning it up and then upgrading to EMS is the way to go.
You can do it via regedit. Just remove the reg key entry for that SSL VPN. I think it’s hkeylocal machine/ software/ fortinet/ssl. I don’t have a computer in front of me, but I think that will get you close.
Are you using EMS to deploy and config the FortiClient? Are you OK with individuals not having the ability to create personal VPNs at all?
Assuming yes to both, within the FC EMS config, you can disable “Allow Personal VPN” for the clients. This will cause any legacy Personal VPNs to be hidden in the client…
Alternatively… FortiClient monitors its reg keys to prevent other processes from modifying them. You need to shut down FortiClient. (Even more tricky if registered to a FortiGate.) Then stop the FortiClient Scheduler service… Then you can delete the reg keys as others have noted in other replies.
That’s the first thing I tried, but I was blocked from doing it. Access is denied. When I check permissions, local administrators only have read permissions and I can’t change them as admin. The key is on HKLM though.
Maybe I need to be system to change that, or is it possible for an application to block access completely?
Yes we’re using EMS to configure the clients, but we’re pushing the installation with another tool, as quite a few of our computers are roaming.
We do have a few users that should be able to add their own VPN configurations, but I did also consider the option you suggest.
I would have to script your solution, which is a great explanation btw, as it involves around 100 computers that are spread across multiple locations and people are roaming. I think it would be a bit risky, but maybe doable. I think I will end up telling the users how to remove the old VPN profile if it bothers them and if it doesn’t then they can just leave it there. I will just remove the configuration on the firewall.
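The manual procedure described in the thread (shut down FortiClient, stop the FortiClient Scheduler service, then delete the profile's registry key) could be scripted along these lines. This is an added example, not code from any poster or from Fortinet; the service name, process names and registry path are placeholders the thread does not give and must be confirmed on a test machine, and it assumes the script runs in a context that has write access to the key.

```powershell
# Added example. Service name, process names and key path are PLACEHOLDERS
# supplied by the caller; none of them are taken from the thread.
function Remove-LegacyVpnProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SchedulerServiceName,  # '<SCHEDULER_SERVICE_NAME>'
        [Parameter(Mandatory)] [string] $ProfileKeyPath,        # 'HKLM:\<PATH_TO_PROFILE_KEY>'
        [string[]] $ClientProcessNames = @(),                   # '<CLIENT_PROCESS_NAME>', ...
        [string] $BackupDir = $env:TEMP
    )

    # Idempotent: machines that never had the old profile are left alone.
    if (-not (Test-Path -LiteralPath $ProfileKeyPath)) {
        Write-Verbose 'Profile key not present, nothing to do.'
        return $false
    }

    $svc = Get-Service -Name $SchedulerServiceName -ErrorAction Stop
    $wasRunning = $svc.Status -eq 'Running'
    try {
        # Step 1: close the client so it is no longer watching its keys.
        foreach ($name in $ClientProcessNames) {
            Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
        }
        # Step 2: stop the scheduler service.
        if ($wasRunning) { Stop-Service -Name $SchedulerServiceName -Force -ErrorAction Stop }

        # Step 3: back up the key, then delete it. Abort if the backup fails.
        $native = $ProfileKeyPath -replace '^HKLM:\\', 'HKLM\'
        $backup = Join-Path $BackupDir ('vpn-profile-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
        if ($PSCmdlet.ShouldProcess($ProfileKeyPath, 'Export and delete registry key')) {
            & reg.exe export $native $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw 'Backup failed; key left untouched.' }
            Remove-Item -LiteralPath $ProfileKeyPath -Recurse -Force -ErrorAction Stop
        }
        return -not (Test-Path -LiteralPath $ProfileKeyPath)
    }
    finally {
        # Always bring the service back, even if the delete was denied.
        if ($wasRunning) { Start-Service -Name $SchedulerServiceName }
    }
}
```

Running it with `-WhatIf` on a test machine shows which processes, service and key would be touched without changing anything. An "Access is denied" error at the delete step means the execution context lacks write permission on the key, which matches the read-only administrator permissions reported in the thread.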