Set DHCP Option 119 (domain search list) on Fortigate

Author
Georges Orwell
Bronze Member
  • Total Posts : 32
  • Scores: 2
  • Reward points: 0
  • Joined: 2014/09/12 01:53:00
  • Status: offline
2015/03/30 14:06:28 (permalink)
0

Set DHCP Option 119 (domain search list) on Fortigate

Dear all,
 
I'm trying to set a domain search list on our Fortigate 200D (FortiOS 5.2) to push to users' workstations when these users connect over SSL VPN and/or a WiFi SSID.
 
When users on Windows and Linux workstations work on the LAN, the workstation gets a lease with this kind of DNS configuration from dhcpd (Linux) and Windows DHCP:
 
------ begin resolv.conf -----
search  proddomain.lan devdomain.lan print.lan
10.20.20.1
10.20.20.2
10.20.20.3
----- end resolv.conf ------- 
 
I want to repeat this.
 
Can you help me?
#1

4 Replies

    Christopher McMullan_FTNT
    Gold Member
    • Total Posts : 415
    • Scores: 34
    • Reward points: 0
    • Joined: 2014/09/08 08:00:33
    • Status: offline
    Re: Set DHCP Option 119 (domain search list) on Fortigate 2015/03/31 05:19:53 (permalink)
    0
    Unfortunately, you're limited to specifying two DNS servers and one suffix on the FortiGate.
     
    However, if you use FortiClient to initiate tunnel-mode connections, you can run a script upon logon that could update the relevant host files to inject the same DNS servers and multiple suffixes.

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #2
    Georges Orwell
    Bronze Member
    • Total Posts : 32
    • Scores: 2
    • Reward points: 0
    • Joined: 2014/09/12 01:53:00
    • Status: offline
    Re: Set DHCP Option 119 (domain search list) on Fortigate 2015/03/31 06:02:34 (permalink)
    0
    Dear Chris,
    Can you help me find this option on FortiClient?
    Is it possible to push predefined scripts (for Unix) from the FortiGate?
    #3
    Christopher McMullan_FTNT
    Gold Member
    • Total Posts : 415
    • Scores: 34
    • Reward points: 0
    • Joined: 2014/09/08 08:00:33
    • Status: offline
    Re: Set DHCP Option 119 (domain search list) on Fortigate 2015/03/31 06:14:22 (permalink)
    0
    It's one of the fields in the XML configuration available on the FortiClient (standalone) or to be pushed from the FortiGate.
     
    On our Docs site, the reference guide is available at: http://docs.fortinet.com/uploaded/files/2076/forticlient-xml-52.pdf
     
    VPN settings begin on page 26, and SSL VPN specifically on page 29. What you're looking for are the tags <script> nested within <on_connect>. Here's the whole string:
    <forticlient_configuration>
      <vpn>
        <sslvpn>
          <options>
            <enabled>1</enabled>
            <dnscache_service_control>0</dnscache_service_control>
            <!-- 0=disable dnscache, 1=do not touch dnscache service,
                 2=restart dnscache service, 3=sc control dnscache paramchange -->
            <keep_connection_alive>1</keep_connection_alive>
          </options>
          <connections>
            <connection>
              <name>SSLVPN_Name</name>
              <description>Optional_Description</description>
              <server>ssldemo.fortinet.com:10443</server>
              <username>Encrypted/NonEncrypted_UsernameString</username>
              <single_user_mode>0</single_user_mode>
              <ui>
                <show_remember_password>1</show_remember_password>
                <show_alwaysup>1</show_alwaysup>
                <show_autoconnect>1</show_autoconnect>
              </ui>
              <password>Encrypted/NonEncrypted_PasswordString</password>
              <certificate />
              <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
              <prompt_certificate>0</prompt_certificate>
              <prompt_username>0</prompt_username>
              <on_connect>
                <script>
                  <os>windows</os>
                  <script>
                    <script>
                      <![CDATA[
                      net use x: \\server1\share /user:#username# #password#
                      net use y: \\server2\share /user:#username# #password#
                      net use z: \\server3\share /user:#username# #password#
                      copy %temp%\*.logs z:\share\logs\
                      copy z:\files\*.* c:\files\
                      ]]>
                    </script>
                  </script>
                </script>
              </on_connect>
              <on_disconnect>
                <script>
                  <os>windows</os>
                  <script>
                    <script>
                      <![CDATA[
                      net use x: /DELETE
                      net use y: /DELETE
                      net use z: /DELETE
                      ]]>
                    </script>
                  </script>
                </script>
              </on_disconnect>
            </connection>
          </connections>
        </sslvpn>
      </vpn>
    </forticlient_configuration>
     
     
    The above is just an example, but it shows how you can mount network shares upon connecting and unmount them when disconnecting. You could use the 'net' command to apply other parameters. You'd need to craft the script locally on a machine first to test that it works, but you could then insert it within XML tags for client connections.
     
    The two options for applying it would be: (a) restoring a config containing the script as a backup on each client manually; or (b) deploying the script using an Endpoint Control profile. FortiGates allow 10 free EC connections before you'd need a separate FortiClient license, but even beyond 10 clients you'd still have the manual option at your disposal.
     
    To enable the push of custom XML configurations, modify the existing profile:
        config endpoint-control profile
            edit default
                config forticlient-winmac-settings
                    set forticlient-advanced-cfg enable
                end
        end
     
    Then, from the GUI, you can paste in the XML configuration as a block of text.

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #4
    rveader
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/03 09:31:38
    • Status: offline
    Re: Set DHCP Option 119 (domain search list) on Fortigate 2019/07/03 09:41:30 (permalink)
    0
    In case anyone is looking to actually use DHCP option 119 with multiple search domains on their Fortigate, I will recount how I figured out a working config on 2019-07-03.
     

    How to make a fortigate DHCP option 119 hex string for multiple related domains

    For example
     
    example.com
    mary.example.com
    bob.example.com

    Break the domains into their '.'-separated chunks
     
    example
    com
    mary
    bob

    Get hex for each chunk from a hex converter (e.g. http://string-functions.com/string-hex.aspx)

    example 6578616d706c65
    com 636f6d
    mary 6d617279
    bob 626f62

    Note the length of each string and prefix the string with that length as a two-digit hex number

    7example 076578616d706c65
    3com 03636f6d
    4mary 046d617279
    3bob 03626f62

    Assemble your first domain and terminate it with a double digit hex zero character
     
     7 e x a m p l e 3 c o m00
    076578616d706c6503636f6d00

    Assemble your next domain, but eliminate any domain suffix that already exists in your search string! You will replace the suffix with a reference to a domain (ending in 00) that matches that value. The reference will consist of the 'c0' character and then the index, starting with 0 from the beginning of the string you are assembling.
      
     7 e x a m p l e 3 c o m00 4 m a r yC000
    076578616d706c6503636f6d00046d617279c000

    In this case the index was 0, the beginning of the string.
    We'll do this again for the 'bob.example.com'


     7 e x a m p l e 3 c o m00 4 m a r yC000 3 b o bC000
    076578616d706c6503636f6d00046d617279c00003626f62c000


     
    As long as that resultant string is no longer than 255 characters, it should work as the hex payload in a FortiGate DHCP custom hexadecimal DHCP option 119. I successfully tested this with a 200D running v5.6.9 build1673 with a macOS 10.14.5 client picking up the change successfully via a Wireless LAN after switching wifi networks and switching back.
     
     
    Bonus: An alternate example with a non-zero index:
     

     3 b o b 7 e x a m p l e 3 c o m00 4 m a r yC004
    03626f62076578616d706c6503636f6d00046d617279c004
    0 1 2 3 4

     
    I hope this helps the next netadmin on down the line!

    Regards,

    Rick
     
    References:
    http://string-functions.com/string-hex.aspx
    https://tools.ietf.org/html/rfc3397#section-2
    https://blogs.blackmarble.co.uk/rhepworth/2012/06/18/adding-dhcp-option-119-domain-search-list-to-windows-server-2008-r2/
    https://www.normanbauer.com/2018/04/18/configuring-dhcp-option-119-domain-search-list-on-a-windows-dhcp-server/
     
    post edited by rveader - 2019/07/03 09:46:03
    #5
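The hand assembly in the post above is the RFC 1035 name compression that RFC 3397 reuses for option 119. The following is an added Python example, not rveader's or Fortinet's code: it builds the payload from a domain list (reproducing the two hex strings from the post), enforces the 63-byte label and 255-byte option limits the post relies on, and decodes a payload back while rejecting pointers that do not point backwards. It generalizes to 14-bit pointer offsets; the domain names are the ones used in the post.

```python
def encode_search_list(domains):
    """Option-119 payload: length-prefixed labels ending in 0x00; a suffix
    already in the payload (e.g. 'example.com') becomes a 2-byte pointer
    0xC0|hi, lo holding its byte offset (RFC 1035 section 4.1.4)."""
    out, offsets = bytearray(), {}  # offsets: tuple of labels -> byte offset
    for domain in domains:
        labels = [l for l in domain.strip(".").split(".") if l]
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in offsets:  # already written: emit a pointer instead
                ptr = offsets[suffix]
                out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                break
            offsets[suffix] = len(out)
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:  # 0x40+ would clash with pointer bits
                raise ValueError("label length must be 1..63: %r" % label)
            out += bytes([len(raw)]) + raw
        else:  # no shared suffix: terminate the name with a zero byte
            out.append(0)
    if len(out) > 255:  # a single DHCP option carries at most 255 bytes
        raise ValueError("search list is %d bytes, max 255" % len(out))
    return bytes(out)

def _read_name(buf, pos):
    """Read one compressed name at pos; return (labels, offset after it)."""
    labels, end = [], None
    while pos < len(buf):
        length = buf[pos]
        is_ptr = length & 0xC0 == 0xC0
        if pos + (2 if is_ptr else 1 + length) > len(buf):
            raise ValueError("truncated name at offset %d" % pos)
        if is_ptr:  # compression pointer: 14-bit offset of an earlier suffix
            ptr = ((length & 0x3F) << 8) | buf[pos + 1]
            if ptr >= pos:  # must point backwards, otherwise we could loop
                raise ValueError("bad pointer at offset %d" % pos)
            end = pos + 2 if end is None else end
            pos = ptr
            continue
        pos += 1
        if length == 0:
            return labels, (pos if end is None else end)
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    raise ValueError("truncated name")

def decode_search_list(payload):
    names, pos = [], 0  # walk the payload one name at a time
    while pos < len(payload):
        labels, pos = _read_name(payload, pos)
        names.append(".".join(labels))
    return names
```

`encode_search_list([...]).hex()` gives the string to paste into the FortiGate custom hex option; decoding it again before deployment catches a mis-typed pointer.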
    © 2019 APG vNext Commercial Version 5.5