How to perform custom Install for Device Guard or Modern Connect Tunnel Client

Description

How do you perform a custom install using the Modern Connect Tunnel Client?

Resolution

Pre-configuration of Connect Tunnel (for Device Guard)

The Connect Tunnel setup executable accepts a few command-line parameters that initialize the default connection profile during setup.

  1. Name
    1. Name of the VPN profile
  2. VpnServer
    1. Hostname or IP address of the appliance
  3. Realm
    1. Realm name
Example:

MCTSetup.exe Name=vpn.example.com Realm="Split Tunnel"

The setup accepts additional parameters for either silent or non-interactive installation.

  1. /s
    1. Silent installation without any UI display
  2. /passive
    1. Non-interactive installation with minimal UI display
Example:

MCTSetup.exe /passive Name=ConnectionName VpnServer=vpn.example.com Realm="Split Tunnel"

Note:
  • The setup doesn't accept any INI file for configuration; only the parameters mentioned above are supported.
  • Profiles created with the commands above are written to profiles.xml once the connection is launched.

Configuration of connection profiles:

The connection profiles are stored in an XML file at %localappdata%\SonicWall\SnwlConnect\Documents\profiles.xml. If the client is already installed and the admin wants to override the connection profiles, they can push profiles.xml using SCCM.

Note: If you plan to push the DGCT installer and profiles.xml, you must manually create the SnwlConnect and Documents folders, because profiles.xml needs to be placed in this location.

The elements of each profile are listed below:

| Profile elements | Value |
|---|---|
| ID | Unique number starting from 0 |
| AppType | Firmware type [Unknown = -1, SMA 1000 = 0] |
| ConfigType | Whether profile is created by user or admin [Internal = -1, User = 0, Admin = 1] |
| Name | Profile name |
| HostAddress | Hostname or IP address |
| LoginGroup | Realm name |
| Username | Username of primary auth |
| Domain | Domain of primary auth |
| Username2 | Username of secondary auth |
| Domain2 | Domain of secondary auth |
| AutoCredType | Credential caching [Never = 0, Always = 1, Optional = 2, Biometric = 4] |

Note:

  • To let users create connection profiles, the first profile is an internally managed profile with ID = 0, AppType = -1 and ConfigType = -1.
  • Each profile contains additional elements such as LastIpType, LastIp, Guid and Amid, which are managed internally by the client itself.

Example:

<?xml version="1.0" standalone="yes"?>
<DataSet xmlns="http://tempuri.org/DataSet1.xsd">
  <VpnProfile>
    <ID>0</ID>
    <AppType>-1</AppType>
    <ConfigType>-1</ConfigType>
    <Name>Add configuration</Name>
    <HostAddress />
    <AutoCredType>0</AutoCredType>
  </VpnProfile>
  <VpnProfile>
    <ID>1</ID>
    <AppType>0</AppType>
    <ConfigType>0</ConfigType>
    <Name>app180</Name>
    <HostAddress>user1.ctrx.ntlmv1.local</HostAddress>
    <LoginGroup>TRANS</LoginGroup>
    <Username>user1</Username>
    <LastIpType>0</LastIpType>
    <LastIp>172.27.1.15</LastIp>
    <Guid>Hy/o5Dfl+06U7KWhdraK3w==</Guid>
    <Amid>F1BPT0w9QVYxNTY2ODkzMjMyODk3QUVOAA==</Amid>
    <AutoCredType>1</AutoCredType>
  </VpnProfile>
  <VpnProfile>
    <ID>2</ID>
    <AppType>0</AppType>
    <ConfigType>0</ConfigType>
    <Name>vpn</Name>
    <HostAddress>vpn.example.com</HostAddress>
    <LoginGroup>Split Tunnel</LoginGroup>
    <Username>user1</Username>
    <LastIpType>0</LastIpType>
    <LastIp>r.s.t.u</LastIp>
    <Guid>Qhpd877wUEObpmAy0K3Qcg==</Guid>
    <Amid>F1BPT0w9QVYxMzYxMjMxODE4MDU2QURJAA==</Amid>
    <AutoCredType>3</AutoCredType>
  </VpnProfile>
</DataSet>

Because all profiles are saved in a file named profiles.xml under %localappdata%\SonicWall\SnwlConnect\Documents, you can push a default profile. Use SCCM to push the profiles.xml, which pre-configures your CTDG. (For installation logs, you can pass "-l installerlog" to MCTSetup.exe.)
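A pre-deployment check for a profiles.xml before it is pushed, followed by placement in the documented folder. This is an added example, not SonicWall code: the function names and the source path are hypothetical, and the allowed values are the ones listed for the profile elements above.

```powershell
# Added example (not SonicWall code). Function names are hypothetical;
# the allowed values are the ones documented for each profile element.
function Test-VpnProfiles {
    param([Parameter(Mandatory)][string]$Path)

    $allowed = @{
        AppType      = @(-1, 0)       # Unknown, SMA 1000
        ConfigType   = @(-1, 0, 1)    # Internal, User, Admin
        AutoCredType = @(0, 1, 2, 4)  # Never, Always, Optional, Biometric
    }
    $doc      = [xml](Get-Content -LiteralPath $Path -Raw)
    $profiles = @($doc.DataSet.VpnProfile | Where-Object { $null -ne $_ })
    $problems = @()

    # The first profile must be the internally managed one.
    $first = $profiles | Select-Object -First 1
    if ($null -eq $first -or $first.ID -ne '0' -or $first.AppType -ne '-1' -or $first.ConfigType -ne '-1') {
        $problems += 'First profile must have ID=0, AppType=-1, ConfigType=-1'
    }
    # IDs are unique numbers starting from 0.
    foreach ($g in ($profiles | Group-Object { $_.ID } | Where-Object { $_.Count -gt 1 })) {
        $problems += "Duplicate profile ID $($g.Name)"
    }
    # Every enumerated element must carry one of its documented values.
    foreach ($p in $profiles) {
        foreach ($field in $allowed.Keys) {
            $value = 0
            $isInt = [int]::TryParse([string]$p.$field, [ref]$value)
            if (-not $isInt -or $allowed[$field] -notcontains $value) {
                $problems += "Profile ID $($p.ID): $field='$($p.$field)' is not a documented value"
            }
        }
    }
    return $problems
}

function Install-VpnProfiles {
    param([Parameter(Mandatory)][string]$Source)

    $problems = @(Test-VpnProfiles -Path $Source)
    if ($problems.Count -gt 0) { throw ('profiles.xml rejected: ' + ($problems -join '; ')) }

    # SnwlConnect and Documents must be created before profiles.xml is placed.
    $target = Join-Path $env:LOCALAPPDATA 'SonicWall\SnwlConnect\Documents'
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -LiteralPath $Source -Destination (Join-Path $target 'profiles.xml') -Force
}
# Install-VpnProfiles -Source '.\profiles.xml'   # hypothetical source path
```

%localappdata% resolves per user, so run Install-VpnProfiles in the logged-on user's context rather than as SYSTEM. Run against the sample file above, Test-VpnProfiles reports AutoCredType='3' on profile ID 2, which is not among the documented values.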

To bypass Edge WebView when you install CT via command-line options

Skip Edge WebView2 installation

The setup accepts an additional parameter to skip installation of Edge WebView2.

  1. WebView2
    1. Pass a value of 0 to skip installation.

Example:

MCTSetup.exe /passive Name=BLRVPN VpnServer=abcd.sonicwall.com Realm="Split Tunnel" WebView2=0

Note: WebView2 is needed for SAML authentication. Use the steps above if you would like to install CT faster via the command line by excluding Edge WebView2.
