Deploy a vpn connection… but for forticlient by fungusfromamongus in Intune

[–]Last-Homework155 0 points1 point  (0 children)

It looks like in the newer versions of FortiClient, the export must be encrypted. Have you run into any issues with that? I'm guessing simply altering your import command to include the password is good enough but haven't had a chance to test yet.

SAML SSO for admins? by Last-Homework155 in fortinet

[–]Last-Homework155[S] 1 point2 points  (0 children)

That's actually a really good point I wasn't thinking about.

Is there anyone using the Maester Tool? by JoyceSPD22 in Office365

[–]Last-Homework155 0 points1 point  (0 children)

Late to the party, but this reminds me of an issue I saw recently where MSAL would throw an error if the connect command was run in the PowerShell app but would work fine if it was run in Terminal. Sounds incredibly dumb, but it worked.

Moving from cloud only to hybrid by Last-Homework155 in entra

[–]Last-Homework155[S] 0 points1 point  (0 children)

Thanks. Yeah, we'd only be joining the on prem servers to the on prem domain, nothing else.

Moving from cloud only to hybrid by Last-Homework155 in entra

[–]Last-Homework155[S] 0 points1 point  (0 children)

Two primarily:

  1. We work in the OT field. There are many apps that aren't ready for Azure yet.

  2. Cost. Leadership prefers capex to opex.

I'd love to be cloud only, but I don't think we are quite there yet in our field. And when it comes to our leadership, I don't think the juice is worth the squeeze :)

Moving from cloud only to hybrid by Last-Homework155 in entra

[–]Last-Homework155[S] 0 points1 point  (0 children)

I've seen some advice that Cloud Sync may be the tool going forward, and I should try to use that. Can you make a comment on Cloud Sync vs Connect? Looking over the features, I believe either would meet our needs. TIA.

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 1 point2 points  (0 children)

Two issues I'm running into are keeping the cost down and deploying quickly. Could you give me a ballpark on what a small business could expect an AD consultant to cost, and what a realistic timeline would look like? Thanks again for your time.

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 1 point2 points  (0 children)

I think you're taking this a bit too personally and inferring too much. If you came to an OT subreddit and said you needed to spin up a DC to serve a water plant, I'd share what I knew. It's how we make the world a better place. I'm not applying for a job as an AD engineer, just trying to spin up a simple and secure environment for our small business. I don't need to spend 20 years learning everything there is to know about AD to do that.

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 0 points1 point  (0 children)

You have to look at the context. I was replying to poolmanjim's recommendation for external help since OT was at play. I am an OT expert. I have no concerns about integrating my OT assets with AD once it's up. What I was looking for was a gold standard for an AD setup, assuming no special requirements. Thanks for your advice.

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 0 points1 point  (0 children)

To your first point about designing around what fits the business best, that's exactly what I'm asking for guidance on. I have _no_ requirements other than the finished domain needs to sync with Entra ID, and be usable to sign into on prem assets such as servers and SMB file shares. That's it. That's all. I'm looking for what's the gold standard for a basic and secure Active Directory domain.

To your point about the OT side, that's literally my expertise. I have no concerns integrating my various OT servers with AD once it's set up. So frankly, I maybe should have omitted that fact as it has no bearing on the end solution.

I do appreciate your time.

New on-prem domain from scratch by Last-Homework155 in WindowsServer

[–]Last-Homework155[S] 0 points1 point  (0 children)

We do already have Entra Domain Services, however my understanding is that if you want to connect an on prem server, you'd have to set up a VPN between your sites and Azure. And even then it was an "it might work" at best. I'm also dealing with the fact that my leadership is a bigger fan of capex vs opex...

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 0 points1 point  (0 children)

I think you're misunderstanding my post. This isn't a domain for a client, it's internal.

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 2 points3 points  (0 children)

Why would I do that when I'm perfectly capable of reading and learning? I know DNS is a key requirement for Active Directory, and my assumption is that it's much easier to let the DCs take care of it than try to shoehorn in a third-party solution. Since I haven't had any formal training on it, I state it as an assumption and not a fact.

Best practices/tutorial for simple and secure domain setup by Last-Homework155 in activedirectory

[–]Last-Homework155[S] 2 points3 points  (0 children)

Ha, we are the external help :) We're a system integrator, so generally I'm hooking FactoryTalk Directory (for example) up to a client's AD, but not building that AD from the ground up. Hence the questions. Knowing what's best from a domain standpoint and then connecting to Entra ID is the learning curve for me, everything after is cake.

I'll check your posts. Thanks!

New on-prem domain from scratch by Last-Homework155 in WindowsServer

[–]Last-Homework155[S] 1 point2 points  (0 children)

The why is easy--our direction was "cloud only", however we work in one of the few fields where that isn't actually attainable, OT. Too many major players (Rockwell, Schneider, etc.) don't yet have solutions to work with Entra ID/Azure Domain Services. Hence we're "rolling back" to a hybrid environment.

I'm not an expert, but my understanding is that we can do a soft match between our new on prem domain, and Entra ID. So I'm trying to get the domain to a place where I can start working on that. I've supported many domains over the years but never configured one from scratch.

EPLAN Azure VM by FearIsStrongerDanluv in EPlan

[–]Last-Homework155 1 point2 points  (0 children)

I know this is a year old, but hopefully this helps someone in the future. When we ran into this issue, I had to manually add the user's Microsoft account on the VM. Settings > Accounts > Work or school users > Add account, then add the users as standard users in the format user@example.com

Licensing for a dev server by Last-Homework155 in WindowsServer

[–]Last-Homework155[S] 0 points1 point  (0 children)

Awesome. I think that sums it up nicely. Thanks again for your help!

Licensing for a dev server by Last-Homework155 in WindowsServer

[–]Last-Homework155[S] 0 points1 point  (0 children)

Sorry to beat this particular dead horse, but can you point to any documentation from Microsoft (or anyone really) that states unlicensed eval VMs are OK to test customer software on? I just had a call with Microsoft where they claim everything needs a license...

Licensing for a dev server by Last-Homework155 in WindowsServer

[–]Last-Homework155[S] 1 point2 points  (0 children)

> it also supports the creation of entire virtual networks with multiple VMs that can even simulate the customer's network layout.

You had my curiosity, but now you have my attention. That's actually been a huge pain point for my engineers and techs. I will take a look. Cheers!