Parameters and properties of the MSI installer

Introduction

The installer of the SN VPN Client Exclusive is in Microsoft Installer (MSI) format. It can be configured using command-line parameters and so-called properties.

To install the SN VPN Client Exclusive, we recommend running the msiexec command line from an administrator shell with the /i option, the /q or /quiet option, and any other properties suited to your deployment.

EXAMPLE
msiexec /i [path_to_installer] /q

Syntax rules: Options that call for a specific value must be entered without any blank spaces between the option and the value assigned to it. Values that contain blank spaces, such as directory names, must be placed between quotation marks.

For further details on how msiexec works and available installation options, refer to the Microsoft documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec.

Passing command-line parameters to MSI

/i

Syntax:

msiexec /i [path_to_installer]

Usage:

Installs or updates the SN VPN Client Exclusive software

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi"

/x

Syntax:

msiexec /x [path_to_installer]

Usage:

Uninstalls the SN VPN Client Exclusive software

Example:

msiexec /x "[download_directory]\NetworkVpnClientExclusive_Setup.msi"

/q

Syntax:

msiexec /q
msiexec /quiet

Usage:

Configures the installation or uninstallation in silent mode (no messages or warnings to the user)

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" /q

/L*V!

Syntax:

msiexec /L*V! <path_to_log_file>

Usage:

Enables logging and writes detailed (verbose) output to the log file whose location and name are given.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" /L*V! "C:\install.log"
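The following Python helper is an added example, not code from the Stormshield documentation: it assembles an msiexec command line for this installer according to the syntax rules given above (no blank between an option and its value, values containing blanks wrapped in quotation marks) so that the string can be pasted into or run from a shell on the target workstation. Function names and the sample paths are assumptions made for the example.

```python
# Added example (not from the Stormshield documentation): builds an msiexec
# command line for the SN VPN Client Exclusive installer following the stated
# syntax rules. Nothing is executed here; the result is only returned.
from typing import Mapping, Optional


def quote_if_needed(value: str) -> str:
    """Wrap a value in quotation marks when it contains a blank space."""
    if '"' in value:
        # Embedded quotation marks are not covered by the documented rules.
        raise ValueError("quotation marks inside a value are not supported")
    return f'"{value}"' if " " in value else value


def build_msiexec_cmdline(installer: str,
                          properties: Optional[Mapping[str, str]] = None,
                          quiet: bool = True,
                          log_file: Optional[str] = None,
                          uninstall: bool = False) -> str:
    """Return the full msiexec command line as one string.

    /i installs or updates, /x uninstalls, /q runs silently and
    /L*V! <path> writes a verbose log, as documented above.
    """
    parts = ["msiexec", "/x" if uninstall else "/i", quote_if_needed(installer)]
    if quiet:
        parts.append("/q")
    if log_file:
        parts += ["/L*V!", quote_if_needed(log_file)]
    for name, value in (properties or {}).items():
        if not name or " " in name or "=" in name:
            raise ValueError(f"invalid property name: {name!r}")
        # PROPERTY=value, with the quotation marks around the value only
        parts.append(f"{name}={quote_if_needed(str(value))}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: silent install into a directory whose name contains
    # a blank, with a verbose log; the license number is a placeholder.
    print(build_msiexec_cmdline(
        r"C:\Downloads\NetworkVpnClientExclusive_Setup.msi",
        {"APPLICATIONROOTDIRECTORY": r"C:\my directory\vpn",
         "NOAUTORUN": "1",
         "LICENSE": "PLACEHOLDER_LICENSE_NUMBER"},
        log_file=r"C:\install.log"))
```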

Installing the software

NOTE
"C:\Program Files\Stormshield\Network VPN Client Exclusive\" is the default installation directory.

APPLICATIONROOTDIRECTORY

Syntax:

APPLICATIONROOTDIRECTORY=[installation_directory]

Usage:

[installation_directory] is the directory where the VPN Client software is to be installed.

Quotation marks are required before and after [installation_directory], if the directory name contains blank spaces.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" APPLICATIONROOTDIRECTORY="C:\my directory\vpn"

TGBCONF_ADMINPASSWORD

Syntax:

TGBCONF_ADMINPASSWORD=[password]

Usage:

Administrator password used to protect access to the Configuration Panel in version 6.8 and earlier, where appropriate. Used to update an earlier version in which the Configuration Panel was password protected.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" TGBCONF_ADMINPASSWORD=Tgb@dM1Npwd!

NOAUTORUN

Syntax:

NOAUTORUN=1

Usage:

This property prevents the SN VPN Client Exclusive from starting when Windows starts, regardless of the mode (Connection Panel or TrustedConnect). The default value is 0 (automatic startup).

VPN Configuration

TGBCONF_PATH

Syntax:

TGBCONF_PATH=[path_to_conf_file]

Usage:

Full path to the VPN configuration file to be used for this installation.

TGBCONF_PASSWORD

Syntax:

TGBCONF_PASSWORD=[password]

Usage:

Password used to protect the VPN configuration entered as a parameter using the TGBCONF_PATH property.

TheGreenBow Activation Server

The following properties define how the client reaches TheGreenBow Activation Server (TAS), an activation server that can optionally be installed on the user’s infrastructure.

These properties include the following: server address, access port, and activation authentication certificate.

Since the values of these properties are required for specific configurations, they are generally provided by TheGreenBow.

OSAURL

Syntax:

OSAURL=[TAS_URL]

Usage:

This property is used to define the URL for TAS. It must be defined together with the OSAPORT property and, where appropriate, with the OSACERT property.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" OSAUrl=192.168.217.102/osace_activation.php

OSAPORT

Syntax:

OSAPORT=[TAS_port]

Usage:

This property is used to define the port for TAS and must be combined with the OSAURL property.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" OSAPort=80

OSACERT

Syntax:

OSACERT=[certificate_contents]

Usage:

This property is required when the TAS activation server is used. It is used to decrypt the activation key received from the TAS server. Its content is available on TheGreenBow’s website in the Private partner area under the heading Public key (certificate).

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" OSACert="MIICGjCCAYOgAwIBAgIBADANBg [........] muHf58kMO0jvhkyq24GryqptSaSJqVIA="

Activating the license

ACTIVMAIL

Syntax:

ACTIVMAIL=[activation_email]

Usage:

This property is used to configure the e-mail address used to activate the software.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" ACTIVMAIL=salesgroup@company.com

AUTOACTIV

Syntax:

AUTOACTIV=1

Usage:

This property is used to configure the software so that it is automatically activated. If the value is set to 1, the SN VPN Client Exclusive will attempt to activate automatically every time:

  1. The VPN Client is started

  2. A tunnel is opened

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" AUTOACTIV=1

LICENSE

Syntax:

LICENSE=[license_number]

Usage:

This property is used to configure the license number used to activate the software.

Example:

msiexec /i "[download_directory]\NetworkVpnClientExclusive_Setup.msi" LICENSE=1234567890ABCDEF12345678

NOACTIVWIN

Syntax:

NOACTIVWIN=1

Usage:

This property is used to prevent the activation window from being displayed.

It can be combined with the AUTOACTIV=1 property to deploy non-activated software on the target user workstations and automate its activation in a manner that is entirely transparent to users.

Please bear in mind that the activation window will ultimately be displayed to the user at the end of the trial period if no activation has been carried out by that date. However, in this case, users can still mount a tunnel in order to proceed with activation.

TrustedConnect Panel

Properties related to the TrustedConnect Panel are described below.

USEDIALERBYDEFAULT

Syntax:

USEDIALERBYDEFAULT=1

Usage:

The TrustedConnect Panel is used as the user interface when this property is set to 1. The TrustedConnect Panel starts automatically upon Windows logon, unless the NOAUTORUN property is set to 1.

DIALERMINIMIZE

Syntax:

DIALERMINIMIZE=5000

Usage:

This property is used to configure the time delay before the TrustedConnect Panel is minimized, when the workstation has been detected as being connected to the trusted network (either physically or through the VPN tunnel).

This time delay is configured in milliseconds.

If the value is set to 0, the feature is disabled: the TrustedConnect Panel is no longer automatically minimized.

If no time delay is configured, the default time delay is 2000 ms (2 seconds).

DIALERDEFS

Syntax:

DIALERDEFS=01000000

Usage:

This property is used to configure the type of minimization when the minimization time delay is configured: the TrustedConnect Panel can be minimized to the taskbar or to the notification area (systray or system tray).

To minimize the TrustedConnect Panel to the taskbar, enter the value 01000000.

If the property is not specified, the TrustedConnect Panel is minimized to the notification area (systray) by default.

Reminder: The time delay and minimization type only apply to automatic minimization of the TrustedConnect Panel when a connection to the trusted network is detected.

VPNLOGPURGE

Syntax:

VPNLOGPURGE=3

Usage:

This property is used to configure the number of days log files are kept.

The value is expressed in number of days.

The default value is 10 days.

If the value is set to 0, the purging of log files is disabled.

TOKENOUTHANDLE

Syntax:

TOKENOUTHANDLE=30

Usage:

This property is used to configure the behavior of the VPN Client when the token is removed or the smart card is removed from the reader while a VPN tunnel is open.

The following three modes are available for this event:

  • Mode A: The tunnel is closed immediately as soon as the token/smart card is removed (default behavior).

  • Mode B: The tunnel remains open for the configured time period (only available with the TrustedConnect Panel).

  • Mode C: The tunnel remains open indefinitely.

    Note: In mode C, if the token or smart card is required to open the VPN tunnel, the next renegotiation will fail.

By default, if nothing has been configured, mode A is enabled.

  • TOKENOUTHANDLE=0: tunnel is not closed when the token/smart card is removed (mode C)

  • TOKENOUTHANDLE=N: with the TrustedConnect Panel, time in seconds before the tunnel is closed once the token/smart card is removed (mode B). With the Connection Panel, the tunnel remains open indefinitely (mode C).

BTNBEHAVIORTC

Syntax:

BTNBEHAVIORTC=1

Usage:

This property is used to disable the disconnect button when a connection is established (TND check, opening a tunnel, etc.) to prevent users from activating this button once the tunnel is mounted:

  • 0 or undefined: The button can be activated even after the connection has been established.

  • 1: The disconnect button is disabled as soon as the tunnel starts opening, so the tunnel cannot be closed through this button.

MENUITEMTC

Syntax:

MENUITEMTC=[0..3F]

Usage:

This property is used to determine which items appear in the taskbar menu.

The value assigned to the MENUITEMTC property is a bit field, in which every bit represents one item of the taskbar menu:

  • 1 (1st bit): Quit

  • 2 (2nd bit): Restart

  • 4 (3rd bit): Logs

  • 8 (4th bit): About

  • 16 (5th bit): Language

  • 32 (6th bit): Console

By default, all the menu items are displayed: value = 63 (3F hex).

EXAMPLE
MENUITEMTC=3
Will only display the Restart and Quit items.

  • 0: The taskbar menu is not displayed

  • 1: Displays Quit

  • 2: Displays Restart

  • 3: Displays Restart and Quit

  • 4: Displays Logs

  • 5: Displays Logs and Quit

  • 6: Displays Restart and Logs

  • 7: Displays Restart, Logs and Quit

  • Etc.

DIALERBEHAVIOR

Syntax:

DIALERBEHAVIOR=010000

Usage:

This property is used to add the following three options to the TrustedConnect Panel:

  • A button to disable trusted network detection (TND) so that users may open a tunnel even if a trusted network has been detected

  • Enable multiconnection mode so that users can choose the active connection by clicking the connection name in the TrustedConnect Panel’s title banner

  • Enable an on-the-fly compliance check to change the TrustedConnect Panel’s state according to the compliance level, without needing to stop or restart the tunnel

One, two, or all three options can be enabled at the same time.

  • 000000 or undefined: None of the three options is enabled. No tunnel can be mounted when a trusted network has been detected and users cannot choose the connection by clicking in the title banner.

  • 010000: The option used to disable the TND function is shown in the TrustedConnect Panel’s status bar. When the TND function is disabled, users can mount a tunnel even if the trusted network has been detected. When the TND function is enabled again, users can no longer mount a tunnel when the trusted network has been detected (default behavior).

  • 000100: Enables multiconnection mode so that users can choose the active connection by clicking the connection name in the TrustedConnect Panel’s title banner after having closed any open tunnel. Users cannot change active connections while a connection is open or being initialized or closed.

  • 000001: Enables the on-the-fly compliance check to automatically switch the TrustedConnect Panel to:

    • An error state when the compliance level is no longer satisfactory

    • The standard tunnel when the compliance level becomes satisfactory

    • The remediation tunnel when the compliance level allows it

  • 010100: Enables the first two options.

  • 000101: Enables the last two options.

  • 010001: Enables the first and the last option.

  • 010101: Enables all three options.

RESTARTGUITC

Syntax:

RESTARTGUITC=1

Usage:

This property is used to automatically restart the TrustedConnect Panel after it has been quit or has crashed:

  • 0 or undefined: The TrustedConnect Panel is not restarted automatically after it has stopped (default behavior).

  • 1: The TrustedConnect Panel is automatically restarted after it has stopped.

Tokens and smart cards

SMARTCARDROAMING

Syntax:

SMARTCARDROAMING=1

Usage:

This property specifies the smart card reader or token to be used:

  • Undefined: Smart card reader or token configured in the VPN configuration
    The subject of the certificate is in the VPN configuration.

  • 1: Smart card reader or token configured in the VPN configuration
    The subject of the certificate in the VPN configuration is not taken into account.

  • 2: Smart card reader or token configured in the vpnconf.ini file
    The subject of the certificate is in the VPN configuration.

  • 3: Smart card reader or token configured in the vpnconf.ini file
    The subject of the certificate in the VPN configuration is not taken into account.

  • 4: 1st token or smart card inserted
    The subject of the certificate is in the VPN configuration.

  • 5: 1st token or smart card inserted
    The subject of the certificate in the VPN configuration is not taken into account.

PKCS11ONLY

Syntax:

PKCS11ONLY=1

Usage:

This property specifies the smart card or token access mode:

  • Undefined: The CNG mode (Cryptography API: Next Generation) is used (default value)

  • 1: Forces use of PKCS#11 mode

KEYUSAGE

IMPORTANT
We recommend that you no longer use this MSI property and instead use the dynamic parameter user_cert_keyusage. Its function is identical to that of the MSI property, but it is more granular since it applies to a specific tunnel rather than to all tunnels. Refer to the SN VPN Client Exclusive “Administrator’s Guide” for further details.

Syntax:

KEYUSAGE=1

Usage:

This property is used to select a certificate based on its “key usage” field:

  • 0 or undefined: Certificate is not selected based on “key usage” field.

  • 1: Certificate is selected based on “key usage” field whose attribute digitalSignature=1.

  • 2: Certificate is selected based on “key usage” field whose attribute digitalSignature=1 and keyEncipherment=1.

NOTE
When the value of the KEYUSAGE property is set to 2, the Only authentication certificate check box on the PKI Options tab is grayed out; refer to the SN VPN Client Exclusive “Administrator’s Guide”.

NOCACERTREQ

Syntax:

NOCACERTREQ=1

Usage:

This property configures the VPN Client to manage various client/gateway certification authorities (CAs). It must be specified if the client and gateway certificates come from different CAs (this can also be done using the software interface).

PKICHECK

Syntax:

PKICHECK=1

Usage:

This property is used to specify the way in which the VPN gateway certificate is checked:

  • 0 or undefined: The VPN gateway certificate is not checked.

  • 1: The following characteristics of the VPN gateway certificate are checked: validity date, certificate chain, signature, and CRL of each certificate in the certificate chain.

  • 2: The following characteristics of the VPN gateway certificate are checked: validity date, certificate chain, and signature of each certificate in the certificate chain (not the CRLs). This is the default value.

  • 3: Same as 1.
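As an added example that is not part of the Stormshield documentation, the following Python function reviews a planned property set against the rules stated in the sections above: OSAURL must be paired with OSAPORT and OSACERT, TGBCONF_PASSWORD only protects a file given by TGBCONF_PATH, NOACTIVWIN=1 hides the activation window without activating anything unless AUTOACTIV=1 is also set, TOKENOUTHANDLE=N only gives a timed close with the TrustedConnect Panel (USEDIALERBYDEFAULT=1), and PKICHECK=0 or 2 weakens the gateway certificate check. The function name and the wording of the findings are assumptions made for the example.

```python
# Added example (not from the Stormshield documentation): a review pass over a
# planned set of MSI properties that flags combinations the documentation
# describes as incomplete or as weakening a check. Names are compared
# case-insensitively because the documented examples mix cases (e.g. OSAUrl).
from typing import Dict, List


def review_properties(props: Dict[str, str]) -> List[str]:
    """Return findings as plain strings; an empty list means nothing was flagged."""
    p = {name.upper(): str(value).strip() for name, value in props.items()}
    findings: List[str] = []

    # OSAURL must be defined together with OSAPORT and, for TAS, with OSACERT.
    if "OSAURL" in p and "OSAPORT" not in p:
        findings.append("OSAURL set without OSAPORT")
    if "OSAURL" in p and "OSACERT" not in p:
        findings.append("OSAURL set without OSACERT: activation key from TAS cannot be decrypted")

    # TGBCONF_PASSWORD only protects a configuration passed through TGBCONF_PATH.
    if "TGBCONF_PASSWORD" in p and "TGBCONF_PATH" not in p:
        findings.append("TGBCONF_PASSWORD set without TGBCONF_PATH")

    # NOACTIVWIN=1 hides the activation window; without AUTOACTIV=1 nothing
    # activates until the trial period ends and the window is shown anyway.
    if p.get("NOACTIVWIN") == "1" and p.get("AUTOACTIV") != "1":
        findings.append("NOACTIVWIN=1 without AUTOACTIV=1: activation is hidden but not automated")

    # TOKENOUTHANDLE: a timed close (mode B) exists only with the TrustedConnect
    # Panel; with the Connection Panel any N keeps the tunnel open (mode C).
    trusted_connect = p.get("USEDIALERBYDEFAULT") == "1"
    value = p.get("TOKENOUTHANDLE")
    if value is not None:
        if not value.isdigit():
            findings.append(f"TOKENOUTHANDLE={value!r} is not a number of seconds")
        elif int(value) == 0:
            findings.append("TOKENOUTHANDLE=0: tunnel stays open after token removal (mode C)")
        elif not trusted_connect:
            findings.append(f"TOKENOUTHANDLE={value} with the Connection Panel: "
                            f"tunnel stays open indefinitely (mode C), not for {value} s")

    # PKICHECK: 0 disables the gateway certificate check, 2 skips the CRLs.
    pkicheck = p.get("PKICHECK")
    if pkicheck is None:
        findings.append("PKICHECK not set: set 1 (or 3) to check chain, signature and CRLs")
    elif pkicheck == "0":
        findings.append("PKICHECK=0: the VPN gateway certificate is not checked")
    elif pkicheck == "2":
        findings.append("PKICHECK=2: CRLs of the gateway certificate chain are not checked")
    return findings
```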

X509DIRECTORYSTRING

Syntax:

X509DIRECTORYSTRING=14

Usage:

This property specifies the expected identifier type (X.509 DirectoryString encoding) for the Remote ID:

  • Undefined: Expected identifier type: teletexString

  • 14: Expected identifier type: teletexString

  • 13: Expected identifier type: printableString

  • 1C: Expected identifier type: universalString

  • 0C: Expected identifier type: utf8String

  • 1E: Expected identifier type: bmpString

NOTE
As of version 6.8 of the software, it is no longer necessary to prefix the characters “0x” to the value of the X509DirectoryString property.

DNPATTERN

IMPORTANT
We recommend that you no longer use this MSI property and instead use the dynamic parameter user_cert_dnpattern. Its function is identical to that of the MSI property, but it is more granular since it applies to a specific tunnel rather than to all tunnels. Refer to the “Administrator’s Guide” for further details.

Syntax:

DNPATTERN=[text]

Usage:

This property is used to specify the certificate to be used: when specified, the SN VPN Client Exclusive searches for the certificate whose subject contains the [text] pattern on the token, smart card or in the Windows certificate store.

If this property is not specified, the VPN Client searches for the first certificate that meets the other characteristics configured.

NOPINCODE

Syntax:

NOPINCODE=1

Usage:

This property is used to prevent a PIN code from being requested for tokens that do not require it. For example, this is the case with Ercom's microSD.

General settings

MENUITEM

Syntax:

MENUITEM=[0..1F]

Usage:

This property is used to determine which items appear in the taskbar menu.

The value assigned to the MENUITEM property is a bit field, in which every bit represents one item of the taskbar menu:

  • 1 (1st bit): Quit

  • 2 (2nd bit): Connection Panel

  • 4 (3rd bit): Console

  • 16 (5th bit): Configuration Panel

By default, all the menu items are displayed: value = 31 (1F hex).

EXAMPLE
MENUITEM=3
Will only display the Connection Panel and Quit items.

  • 0: The taskbar menu is not displayed

  • 1: Displays Quit

  • 2: Displays Connection Panel

  • 3: Displays Connection Panel and Quit

  • 4: Displays Console

  • 5: Displays Console and Quit

  • 6: Displays Connection Panel and Console

  • 7: Displays Connection Panel, Console and Quit

  • Etc.
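The following Python helpers are an added example, not code from the Stormshield documentation; they encode and decode the option-flag properties described in the MENUITEMTC, DIALERBEHAVIOR and MENUITEM sections, using only the bit values and digit pairs listed there. Decoding the documented MENUITEM default 1F reports bit 8 as not covered by the list above, which is the kind of check a practitioner wants before deploying a menu mask. Function names and the option labels are assumptions made for the example.

```python
# Added example (not from the Stormshield documentation): encode/decode the
# option-flag MSI properties. MENUITEMTC and MENUITEM are bit fields written in
# hexadecimal (the "[0..3F]" / "[0..1F]" syntax, "0x" prefix optional);
# DIALERBEHAVIOR is three two-digit "01"/"00" pairs, one per option.
from typing import Dict, Iterable, List, Tuple

# Bit tables exactly as listed in the MENUITEMTC and MENUITEM sections.
MENUITEMTC_BITS: Dict[str, int] = {"Quit": 1, "Restart": 2, "Logs": 4,
                                   "About": 8, "Language": 16, "Console": 32}
MENUITEM_BITS: Dict[str, int] = {"Quit": 1, "Connection Panel": 2,
                                 "Console": 4, "Configuration Panel": 16}
# DIALERBEHAVIOR pair positions, left to right: TND-off button,
# multiconnection mode, on-the-fly compliance check (labels assumed here).
DIALER_OPTIONS: Tuple[str, ...] = ("disable_tnd", "multiconnection", "compliance")


def encode_menu(items: Iterable[str], table: Dict[str, int]) -> str:
    """Return the hexadecimal property value showing exactly the given items."""
    value = 0
    for item in items:
        if item not in table:
            raise ValueError(f"unknown menu item: {item!r}")
        value |= table[item]
    return format(value, "X")


def decode_menu(hex_value: str, table: Dict[str, int]) -> Tuple[List[str], int]:
    """Return (displayed items, bits not covered by the table) for a hex value."""
    value = int(hex_value, 16)          # accepts "1F" as well as "0x1F"
    known = sum(table.values())
    shown = [name for name, bit in table.items() if value & bit]
    return shown, value & ~known


def encode_dialerbehavior(**enabled: bool) -> str:
    """Build the six-digit DIALERBEHAVIOR value from option flags."""
    unknown = set(enabled) - set(DIALER_OPTIONS)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    return "".join("01" if enabled.get(opt) else "00" for opt in DIALER_OPTIONS)


def decode_dialerbehavior(value: str) -> Dict[str, bool]:
    """Map a DIALERBEHAVIOR value back to its three options."""
    pairs = [value[i:i + 2] for i in (0, 2, 4)]
    if len(value) != 6 or any(pair not in ("00", "01") for pair in pairs):
        raise ValueError(f"not a documented DIALERBEHAVIOR value: {value!r}")
    return {opt: pair == "01" for opt, pair in zip(DIALER_OPTIONS, pairs)}
```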

RESTRICTCONFADMIN

Syntax:

RESTRICTCONFADMIN=0

Usage:

This property is used to restrict access to the Configuration Panel to administrators only. By default, only administrators can access the Configuration Panel.

NOSPLITTUNNELING

Syntax:

NOSPLITTUNNELING=1

Usage:

This property disables the default route of the physical interface when the tunnel is established. Only applies to tunnels configured with “All traffic through the tunnel”.

NOSPLITDNS

Syntax:

NOSPLITDNS=1

Usage:

This property ensures that the DNS servers of the virtual interface also apply to the physical interface when the tunnel is established. Only applies to tunnels configured with “All traffic through the tunnel”.

ROUTINGMODE

Syntax:

ROUTINGMODE=1

Usage:

This property is used to prevent local traffic coming from the physical interface from going through the tunnel. Only the traffic coming from the virtual interface will be allowed through.

FORCELOCALTRAFICTOTUNNEL

Syntax:

FORCELOCALTRAFICTOTUNNEL=1

Usage:

In “all through tunnel” mode, this property is used to route the local traffic coming from the physical interface through the tunnel. If this property is not included (default setting), the mode will not be enabled.

  • 0 or undefined: Mode disabled

  • 1: Mode enabled

IKESTART

Syntax:

IKESTART=1

Usage:

This property is used to start the IKE service independently of the software’s interface. If this property is not included (default setting), the mode will not be enabled.

  • Undefined: The mode is not enabled

  • 1: The mode is enabled

  • Other value: The mode is not enabled

SIGNFILE

Syntax:

SIGNFILE=1

Usage:

This property is used to force the integrity hash check for the VPN configuration file.

The default value is 0 (i.e. disabled).

GINABEHAVES

Syntax:

GINABEHAVES=1

Usage:

In its default behavior, the GINA mode displays a panel on the Windows logon screen that allows you to open one or more tunnels before logging on to Windows. However, this panel will not be displayed on the lock screen when the user has locked the session.

This property is used to make the GINA mode panel visible on the lock screen.

The default value is 0.

NESTEDTUNNEL

Syntax:

NESTEDTUNNEL=1

Usage:

This property is used to nest two tunnels. To be used when you want a second tunnel to use the connection provided by a first tunnel. In this case, the gateway of the second tunnel will only be accessible on the remote network of the first tunnel.

The default value is 0 (i.e. disabled).

Logs

SYSTEMLOGOUTPUT

Syntax:

SYSTEMLOGOUTPUT=7

Usage:

This property is used to select the output of administrator logs. The outputs can be combined by adding their values, e.g. the value 7 combines all three outputs.

  • 0: No system logs

  • 1: Log files

  • 2: Syslog server

  • 4: Windows event log (Event Viewer)

SYSTEMLOGSYSLOGSERVER

Syntax:

SYSTEMLOGSYSLOGSERVER=syslogserver.company.com

Usage:

This property is used to specify the IP address or host name of the syslog server.

SYSTEMLOGSYSLOGPORT

Syntax:

SYSTEMLOGSYSLOGPORT=5514

Usage:

This property is used to specify the port of the syslog server. The default port is 514.