Configuring FortiClient EMS Connector for ZTNA

Configuring FortiClient EMS Connector for ZTNA

The FortiClient Endpoint Management Server (EMS) connector enables you to establish device identity through client certificates and device trust context between FortiClient, FortiClient EMS and the FortiADC as part of Zero Trust Network Access (ZTNA).

You can register your FortiADC device as a Fabric Device through the FortiClient EMS connector. When you create a FortiClient EMS connector, FortiADC sends a request to the FortiClient EMS server to obtain an EMS CA certificate and register your FortiADC device. From the FortiClient EMS, you can then authorize the FortiADC as a Fabric Device. Once authorized, the FortiClient EMS connector displays the status Connected, indicating the device is registered. After the FortiADC connects to the FortiClient EMS, it automatically synchronizes ZTNA tags, the EMS CA certificate, and FortiClient endpoint information.

ZTNA tags are then generated from tagging rules configured on the FortiClient EMS. These tagging rules are based on various posture checks that can be applied on the endpoints.

In FortiClient EMS, do not use special characters such as ", ', and \ in the ZTNA tag name. ZTNA tags that contain these special characters in their name may trigger unexpected behavior when referenced in the ZTNA Profile or in the security logs.

You can create a maximum of three FortiClient EMS connectors.

Requirements:
  • FortiClient EMS running version 7.0.3 or later

  • FortiClient running 7.0.1 or later

  • A FortiADC hardware, VM, or cloud platform that supports FortiClient EMS.

    FortiClient EMS is supported on most FortiADC platforms, but not all of them. The following lists the hardware models, cloud platforms, and VM environments that support FortiClient EMS.

    Hardware models:

    • FAD-120F, FAD-220F, FAD-300F, FAD-400F, FAD-1200F, FAD-2200F, FAD-4200F, FAD-5000F

    Cloud platforms with BYOL (PAYG FortiADC does not support FortiClient EMS):

    • AWS (Amazon Web Services), Microsoft Azure, GCP (Google Cloud Platform), OCI (Oracle Cloud Infrastructure), Alibaba Cloud

    VM environments:

    • VMware, Microsoft Hyper-V, KVM, Citrix Xen, Xen Project Hypervisor
      Note: The most recent certificate embedded license is required. If your license was issued prior to April 2021, please obtain a new certificate embedded license for your VM through Fortinet Customer Service & Support.

  • Read-Write access permission for FortiADC Systems settings

To create and configure a FortiClient EMS connector:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. Under Core Network Security, click FortiClient EMS to display the configuration editor.
  4. Configure the following FortiClient EMS Settings:

    Setting          Description
    Name             Specify the FortiClient Enterprise Management Server (EMS) connector name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.
    IP/Domain name   Specify the IPv4 address or the FQDN of the FortiClient EMS server. For example: 192.0.2.1
    HTTPS Port       Specify the FortiClient EMS HTTPS access port number. Range: 1-65535, default: 443
  5. Click Save.
    The Verify EMS server certificate dialog displays the following message:
    In order for the FortiClient EMS and FortiADC to communicate, the following certificate provided by the FortiClient EMS must be reviewed for correctness, and accepted if deemed valid.
    Do you wish to Accept the certificate as detailed below?
  6. Review the EMS server certificate details shown in the dialog; if they match the certificate you expect the EMS server to present, click OK to accept the EMS server certificate.
    The Verify completed dialog displays the following message:
    This FortiADC is not authorized on FortiClient EMS yet. Please let FortiClient EMS to authorize it.
    Note: This message will only appear if the FortiADC device has not yet been authorized as a Fabric Device through FortiClient EMS.
  7. Click OK.

The newly created FortiClient EMS connector is added to the Security Fabric > Fabric Connectors page, under the Core Network Security section. The FortiClient EMS connector will not be connected until the FortiADC has been authorized as a Fabric Device in FortiClient EMS.
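The input rules stated on this page (connector name charset, IPv4 address or FQDN, port range 1-65535, at most three connectors, and no ", ' or \ in a ZTNA tag name) are easy to get wrong when connectors and tags are provisioned by script rather than by hand. The following validator is an added example, not FortiADC or FortiClient EMS code; the function names and the FQDN label rule (RFC 1123 style labels, non-numeric top-level label) are assumptions of this example, not something the page specifies.

```python
import ipaddress
import re

# Rules taken from the page: connector name charset, port range and connector limit.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_CONNECTORS = 3
# Characters the page says must not appear in a ZTNA tag name.
TAG_FORBIDDEN = ('"', "'", "\\")
# Assumed hostname label rule (RFC 1123 style): 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ipv4(host: str) -> bool:
    """True only for a syntactically valid IPv4 address (IPv6 is rejected)."""
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def is_fqdn(host: str) -> bool:
    """Assumed FQDN check: at least two valid labels and a non-numeric last label."""
    labels = host.rstrip(".").split(".")
    return (len(host) <= 253 and len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit())


def validate_connector(name: str, host: str, port: int, existing: int = 0) -> list[str]:
    """Return the list of rule violations; an empty list means the settings are acceptable."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("name: only A-Z, a-z, 0-9, _ and - are allowed, no spaces")
    if not (is_ipv4(host) or is_fqdn(host)):
        problems.append("host: must be an IPv4 address or an FQDN")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append("port: must be in the range 1-65535")
    if existing >= MAX_CONNECTORS:
        problems.append(f"limit: at most {MAX_CONNECTORS} FortiClient EMS connectors")
    return problems


def ztna_tag_problems(tag: str) -> list[str]:
    """Report each forbidden character present in a ZTNA tag name."""
    return [f"tag {tag!r}: contains forbidden character {c}" for c in TAG_FORBIDDEN if c in tag]


if __name__ == "__main__":
    # Constructed sample values for a quick run.
    print(validate_connector("ems-prod_01", "192.0.2.1", 443))
    print(ztna_tag_problems('Compliant"Windows'))
```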

To authorize the FortiADC as a Fabric Device in FortiClient EMS:
  1. Log in to FortiClient EMS.
  2. From the FortiClient EMS landing page, the Fabric Device Authorization Requests pop-up displays the Serial Number and IP information of the FortiADC device. Click Authorize.
  3. Alternatively, you can go to Administration > Fabric Devices and select the Fabric device you want to authorize.
To check and troubleshoot the FortiClient EMS connector connection:
  1. Go to Security Fabric > Fabric Connectors.
  2. Under the Core Network Security section, locate the FortiClient EMS connector configurations.
  3. The status icons indicate whether FortiClient EMS has successfully authorized the FortiADC Fabric Device for the corresponding FortiClient EMS connector. Hover over the FortiClient EMS connector to see the status details. The table below lists the possible connection statuses for the FortiClient EMS connector.

    EMS Status                    Description
    Connected                     The FortiADC has been successfully authorized as a Fabric Device through FortiClient EMS.
    Cert unauthorized             The FortiADC has not verified the EMS server's CA certificate. Edit the FortiClient EMS connector configuration and restart the verification to accept the EMS CA certificate.
    Auth failed                   The EMS server has not authorized the FortiADC; the request is either denied or pending authorization. If pending, the status changes to Connected once authorization succeeds on the EMS server.
    Not reachable                 The EMS server was not reachable. Ensure the EMS server IP address and the system router are properly configured.
    EMS server connection failed  The EMS server connection failed for an unknown reason. For example, an incorrect EMS server port can cause this.
    No compatible                 The EMS server connection failed because the server is not compatible with FortiADC.
    Not sent                      The EMS domain name cannot be resolved. Check the DNS server setting, the domain name, and the system router configuration.

    If the status is not Connected, edit the FortiClient EMS connector accordingly to troubleshoot the connection issue.

  4. Locate the newly created FortiClient EMS connector, select its configuration and click Edit, or double-click the configuration object to display the configuration editor.
  5. Edit the configuration to resolve the connection issue, then click Authorize to restart the verification and accept the EMS CA certificate.
    A request is resent to the FortiClient EMS to authorize the FortiADC as a Fabric Device in FortiClient EMS. The FortiClient EMS connector will not be connected until the FortiADC has been authorized as a Fabric Device in FortiClient EMS.

FortiClient EMS in virtual domain configurations

Virtual domains (VDOMs) are full FortiADC instances configured within a FortiADC device. Once the FortiADC device is registered to the FortiClient EMS, the configuration settings are applied globally. Using the same ZTNA tag, each VDOM can then configure ZTNA security rules that apply individually at the VDOM level.

FortiClient EMS for High Availability configurations

In a High Availability (HA) group, both FortiADC units must be registered to the FortiClient EMS as individual Fabric Devices. However, you only need to configure the FortiClient EMS connector on one of the FortiADC units. Once the FortiClient EMS connector configuration has been completed on one FortiADC unit in the HA group, the configuration is synchronized to the second FortiADC unit. Fabric Device authorization requests for both FortiADC units are then sent to FortiClient EMS to complete the device registration.