Hey all,
I have inherited a site that has a WatchGuard. After updating the firmware, the client VPNs now ask for updates. The users don’t have admin and I don’t use SCCM. I am thinking of a PowerShell script to look at a network folder after killing the service. How do you go about doing this? I would like it automated as much as possible.
From this source - I’ve never tried this, but I should. We don’t have that many users using VPN any longer so it’s a low-level issue for us.
~SOURCE~
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_client-install_c.html#DownloadClientSoftware
~QUESTION~
When I install the Mobile VPN with SSL client on user computers, can I prevent users from seeing message boxes or prompts during the installation?
~ANSWER~
You can perform a silent installation of the Mobile VPN with SSL client software on a Windows computer. When you install the Mobile VPN with SSL client on a computer, the network adapter (TAP driver) requires administrator privileges on the local system to install correctly. To perform a silent installation, run a script on the computer as administrator. Use these command-line options to hide any message boxes or prompts from the user:
[executable filename] /silent /verysilent
If you need to use a specific install location for the application, you can use this option as well:
/dir="c:\directory\path"
If you are prompted to allow the installation of the TAP driver during installation, see Pop-up warning about Windows TAP driver in Mobile VPN with SSL.
The users should be able to cancel the update without asking again and the VPN will still work.
That being said, earlier versions of WG’s VPN used an old version of the TAP driver, which can cause DNS issues with Windows 10 and later, so I’ll still recommend that you think about updating it, but don’t limit your thinking to VPN; think about a solution for all your client software updates.
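rem Stop the running VPN client and its child processes
taskkill /im wgsslvpnc.exe /f /t
rem Add the OpenVPN certificate to the TrustedPublisher store
certutil -addstore -f "TrustedPublisher" "%~dp0OpenVPN.cer"
rem Run the installer silently from this script's directory and wait for it to finish
start /w "" "%~dp0WG-MVPN-SSL_12_10.exe" /silent /verysilent /Components=main,tapdriver /tasks=desktopicon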
I use that with a bat file which works via Action1 (I manage small businesses so we’re under 100 endpoints, therefore it’s free).
Stick the bat file, the OpenVPN.cer and the exe in the same directory.
The VPN will continue to work without the update being completed.
Every time the end client connects, it checks to see if there is a new version of the SSLVPN client (rarely updated, but it is updated nonetheless). The new firmware versions are typically backwards compatible with old SSLVPN client software.
If a user is prompted to update but doesn’t have access to update, I recommend following the automated answer by SIR-STANKS-A-LOT. When you run the installer via GPO, it’s run on a privileged admin account called “system”, which will update automatically, if you use the correct flags.
The script will need to be a computer start-up script so the users will be forced to be connected to the domain to pull the latest GPO (assuming you use group policy). This can be accomplished by running “gpupdate /sync” from a command prompt while on the VPN. If that access is locked from the user, you can run that script as well, though realistically, you can run “GPUPDATE && GPUPDATE && GPUPDATE” as a standard user and it pulls the new GPOs down. I run it 3 times because MS is notorious for not working the first time.
So TLDR: The user should be able to click CANCEL on the Update Message and still connect. Automate the update as listed above. GLHF
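
A PowerShell version of the batch file posted above, as an added example that is not part of the thread: before adding the certificate to TrustedPublisher and running the installer as SYSTEM, it checks the installer's Authenticode signature and pins the certificate's thumbprint. The parameter names and the thumbprint placeholder are assumptions; the file names, process name and installer switches are the ones given in the thread.

```powershell
# Added example, not from the thread. Assumptions: runs elevated (SYSTEM via a
# start-up script or an RMM tool), and the installer and .cer sit in $SourceDir.
param(
    [string]$SourceDir = $PSScriptRoot,            # may also be a UNC share path
    [string]$Installer = 'WG-MVPN-SSL_12_10.exe',
    [string]$CerFile   = 'OpenVPN.cer',
    # Placeholder: thumbprint of the certificate after you have inspected it yourself.
    [string]$ExpectedCerThumbprint = 'REPLACE_WITH_THUMBPRINT_YOU_VERIFIED'
)
$ErrorActionPreference = 'Stop'
$exe = Join-Path $SourceDir $Installer
$cer = Join-Path $SourceDir $CerFile

# 1. Refuse to run an installer whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; aborting."
}
Write-Output "Installer signed by: $($sig.SignerCertificate.Subject)"

# 2. Anything signed by a TrustedPublisher certificate installs without a trust
#    prompt, so only import the certificate if it is the one that was reviewed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
if ($cert.Thumbprint -ne $ExpectedCerThumbprint) {
    throw "Unexpected certificate thumbprint $($cert.Thumbprint); not importing."
}
Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher |
    Out-Null

# 3. Stop the running client (process name taken from the batch file).
Stop-Process -Name wgsslvpnc -Force -ErrorAction SilentlyContinue

# 4. Silent install with the same switches as the batch file; wait for completion.
$installArgs = '/silent', '/verysilent', '/Components=main,tapdriver', '/tasks=desktopicon'
$proc = Start-Process -FilePath $exe -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)."
}
Write-Output 'Mobile VPN with SSL client installed.'
```

If the files are pulled from a network folder, restrict write access on that share to administrators, since whatever is placed there runs with SYSTEM privileges.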