Re: Fortigate and Bitlocker Network Unlock
As you can see the original poster never wrote back how they were successful--I did test a multicast broadcast policy as they suggest but it had no effect (yes the packet landed in the right network but it was unusable by the server hosting WDS without being fixed up with a relay-agent-IP by a helper). After testing that, I abandoned multicast forwarding, and here's what I can tell you in general:
After doing a number of packet captures and then debugging the dhcp relay daemon, I finally opened a support case with FortiNET support.
Basically after a week and multiple interactions, they said that the DHCP relay daemon will NOT fix-and-forward BOOTP type packets (which is the nature of the BitLocker packet), here is the excerpt from the support ticket--
"I have found this is a known issue for the DHCP relay. We currently have no workaround. There is a submitted request to support it in the DHCP relay. There is no ETA at this time. We only have support for the BOOTP protocol in DHCP server configuration at the moment. The related NFR request number is 0537876, should you want to follow up on progress."
In other words, the DHCP relay daemon sees the packet, and doesn't 'do' anything to it (i.e. doesn't fix-and-forward). It's troubling because numerous other platforms (Cisco and Juniper I confirmed) *do* handle BOOTP as fix-and-forward via helpers, just not FortiGate...so unless you are willing to setup WDS on the network local to your clients, or setup a local 3rd part DHCP relay daemon on that network and not use the FortiGate DHCP Relay Daemon, it appears we are SoL. I had to abandon this effort; waste of at least 15 hours of setup and testing. Hope this saves you some of that pain.
Overall it appears that Microsoft is not pushing BitLocker Network Unlock anymore...the Microsoft setup document is piss-poor and was obviously written by marketing people as it's scant on actual detail for setting up the WDS server other than just some very basic steps. From what I've read, folks are using the powershell script to reboot machines without requiring the bitlocker PIN when required for maintenance...unfortunately that kind of sucks for WSUS/Microsoft Updates without a lot of extra work.