FortiClient EMS Connector
The FortiADC Security Fabric device can link to FortiClient Endpoint Management Server (EMS) for endpoint connectors. Up to three EMS servers can be added to the Security Fabric. EMS settings are synchronized between all Fabric members. Once the FortiADC is authorized as a Fabric device in FortiClient EMS, FortiClient EMS automatically synchronizes ZTNA tags, the EMS CA certificate, and FortiClient endpoint information to the FortiADC.
The FortiClient EMS connector is an integral part of the Zero Trust Network Access (ZTNA) functionality. For more information, see Zero Trust Network Access (ZTNA) and How device identity and trust context is established with FortiClient EMS.
FortiClient EMS running version 7.0.3 or later
FortiClient running 7.0.1 or later
FortiADC hardware, VM, or cloud platform that support FortiClient EMS.
FortiClient EMS is supported in most FortiADC platforms but not all of them. The following lists the hardware models, cloud platforms, and VM environments that support FortiClient EMS.
FAD-120F, FAD-220F, FAD-300F, FAD-400F, FAD-1200F, FAD-2200F, FAD-4200F, FAD-5000F
Cloud platforms with BYOL (PAYG FortiADC does not support FortiClient EMS):
AWS (Amazon Web Services), Microsoft Azure, GCP (Google Cloud Platform), OCI (Oracle Cloud Infrastructure), Alibaba Cloud
VMware, Microsoft Hyper-V, KVM, Citrix Xen, Xen Project Hypervisor
Note: The most recent certificate embedded license is required. If your license was issued prior to April 2021, please obtain a new certificate embedded license for your VM through Fortinet Customer Service & Support.
Read-Write access permission for FortiADC Systems settings
To create and configure a FortiClient EMS connector:
- Go to Security Fabric > Fabric Connectors.
- Click Create New.
- Under Core Network Security, click FortiClient EMS to display the configuration editor.
- Configure the following FortiClient EMS settings:
Name Specify the FortiClient Enterprise Management Server (EMS) name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. IP/Domain name Specify the server IPv4 address or the domain name of the FortiClient EMS FQDN. For example: 192.0.2.1 HTTPS Port Specify the FortiClient EMS HTTPS access port number. Range: 1-65535, default: 443
- Click Save.
The Verify EMS server certificate dialog displays the following message:
In order for the FortiClient EMS and FortiADC to communicate, the following certificate provided by the FortiClient EMS must be reviewed for correctness, and accepted if deemed valid.
Do you wish to Accept the certificate as detailed below?
- After you have verified the EMS server certificate information displayed, click OK to accept the EMS server certificate.
The Verify completed dialog displays the following message:
This FortiADC is not authorized on FortiClient EMS yet. Please let FortiClient EMS to authorize it.
Note: This message will only appear if the FortiADC device has not yet been authorized as a Fabric Device through FortiClient EMS.
- Click OK.
The newly created FortiClient EMS connector is added to the Security Fabric > Fabric Connectors page, under the Core Network Security section. The FortiClient EMS connector will not be connected until the FortiADC has been authorized as a Fabric Device in FortiClient EMS.
To authorize the FortiADC as a Fabric Device in FortiClient EMS:
- Login to FortiClient EMS.
- From the FortiClient EMS landing page, the Fabric Device Authorization Requests pop-up displays the Serial Number and IP information of the FortiADC device. Click Authorize.
- Alternatively, you can go to Administration > Fabric Devices and select the Fabric device you want to authorize.
To check and troubleshoot the FortiClient EMS connector connection:
- Go to Security Fabric > Fabric Connectors.
- Under the Core Network Security section, locate the FortiClient EMS connector configurations.
- The and icons indicate whether FortiClient EMS has successfully authorized the FortiADC Fabric Device for the corresponding FortiClient EMS connector. Hover over the FortiClient EMS connector to see the status details. The table below lists the possible connection statuses for the FortiClient EMS connector.
The FortiADC has been successfully authorized as a Fabric Device through FortiClient EMS.
FortiADC does not verify the EMS server's CA certificate. You can edit the FortiClient EMS connector configuration and restart the verification to accept the EMS CA certificate.
The EMS server does not authorize the FortiADC, indicating the request is either denied or pending authorization. If pending authorization, the status will change to Connected once authorization is successful on the EMS server.
The EMS server was not reachable. Ensure the EMS server IP and system router is properly configured.
EMS server connection failed
The EMS server connection failed with unknown issue. For example, an incorrect EMS server port may cause this issue.
The EMS server connection failed because the server is not compatible with FortiADC.
The EMS domain name cannot resolve. Ensure proper configuration for the DNS server setting, domain name, and system router.
If the status is not Connected, edit the FortiClient EMS connector accordingly to troubleshoot the connection issue.
- Locate the newly created FortiClient EMS connector, click the FortiClient EMS connector configuration then click Edit, or double click the configuration object to display the configuration editor.
- Edit the configuration to troubleshoot the connection issue then click Authorize to restart the verification to accept the EMS CA certificate.
A request is resent to the FortiClient EMS to authorize the FortiADC as a Fabric Device in FortiClient EMS. The FortiClient EMS connector will not be connected until the FortiADC has been authorized as a Fabric Device in FortiClient EMS.