Configuring Server settings
FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiClient EMS.
- Go to System Settings > Server.
- Configure the following options under Shared Settings. These settings are shared between FortiClient EMS managing Windows, macOS, and Linux endpoints, and FortiClient EMS managing Chromebook endpoints:
Hostname
Displays the FortiClient EMS server's hostname.
Listen on IP
Displays the IP addresses for the FortiClient EMS server. FortiClient connects to FortiClient EMS on the specified IP address.
Use FQDN
Turn on to specify a fully qualified domain name (FQDN) for the FortiClient EMS server.
FQDN
Displayed when Use FQDN is turned on. Enter the FQDN for the FortiClient EMS server. FortiClient can connect using the specified IP address in the Listen on IP Addresses option or the specified FQDN.
Remote HTTPS access
Specify settings for remote administration access to FortiClient EMS.
Turn remote HTTPS access to FortiClient EMS console on and off. When enabled, enter a hostname in the Custom Host Name box to let administrators use a browser and HTTPS to log into the FortiClient EMS console. When disabled, administrators can only log into FortiClient EMS console on the server.
Pre-defined hostname
Available when Remote Administration HTTPS Access is turned on. Displays the pre-defined hostname. The name cannot be changed.
Custom hostname
Available when Remote Administration HTTPS Access is turned on. Displays the pre-defined hostname of the server on which FortiClient EMS is installed. You can customize the hostname. When you change the hostname, the web server restarts.
Redirect HTTP request to HTTPS
Available when Remote Administration HTTPS Access is turned on. When this option is enabled, attempts to remotely access EMS at http://<server_name> are automatically redirected to https://<server_name>.
SSL certificate
Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.
Certificate
Browse and upload a new SSL certificate file.
Password
Configure a new SSL password.
- Configure the following options under EMS Settings. These settings are used by FortiClient EMS managing Windows, macOS, and Linux endpoints:
Listen on port
Displays the default port for the FortiClient EMS server. You can change the port by typing a new port number. FortiClient connects using the specified port number.
DHCP onnet/offnet
Enable to monitor endpoints within the company network (on-net). Endpoints that are connected to FortiClient EMS from outside the company network are off-net endpoints. For more information, see Determining on-net/off-net status below.
Enable TLS 1.0/1.1
Enable TLS 1.0 and 1.1 for file downloads.
Note: this option must be enabled when upgrading FortiClient on a Windows 7 device via EMS.
FortiClient download URL
FortiClient installers created in FortiClient EMS are made available for download at this URL.
Open port 10443 in Windows Firewall
Turn on to open port 10443, and turn off to close port 10443. Port 10443 is used to download FortiClient.
Sign software packages
Enable this option to have Windows FortiClient software installers created by or uploaded to EMS digitally signed with a code signing certificate.
Timestamp server
Enter the server address to timestamp software installers with.
Certificate
Upload the desired code signing certificate. This must be a .pfx file. After a certificate has been uploaded, its expiry date is also displayed.
Password
Enter the certificate password. This is required for EMS to sign the software installers with the certificate.
- If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after enabling this option.
- Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS managing Chromebook endpoints:
Listen on port
Displays the default port for the FortiClient EMS server for Chromebooks. You can change the port by typing a new port number. The FortiClient Web Filter extension on Chromebooks connects to FortiClient EMS using the specified port number.
User inactivity timeout
Enter the number of hours of inactivity after which the user is timed out.
Profile update interval
Specify the profile update interval (in seconds).
SSL certificate
Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.
Certificate
Browse and upload a new SSL certificate file. See Adding SSL certificates to FortiClient EMS for Chromebook endpoints.
Password
Configure a new SSL password.
Service account
Displays the service account ID currently in use.
Update service account
Update the service account with new credentials.
Reset service account
In the event your service account is broken, you can revert back to the default service account by clicking the Reset button. This restores the default service account. You need to Save the settings for the change to take effect.
ID
Available if the Update service account button is clicked. Enter a new service account ID.
Private key
Available if the Update service account button is clicked. Upload a new service account private key.
- Click Save.
Determining on-net/off-net status
There are two settings in EMS that affect the FortiClient on-net/off-net status:
- DHCP onnet/offnet in System Settings > Server. See Configuring Server settings.
- System Settings > Endpoint Control > On-Net Subnets on the endpoint's assigned profile. See System Settings.
The table below shows how the DHCP onnet/offnet and On-Net Subnets settings and Option 224 serial number affect the endpoint's on-net/off-net status. Option 224 can be configured with any Fortinet device's serial number. EMS assumes FortiClient is behind a FortiGate and on-net with that FortiGate.
DHCP onnet/offnet | On-Net Subnets | Option 224 serial number | Resulting endpoint status |
---|---|---|---|
Disabled | Disabled | N/A | When on-net subnets are not configured, on-net/off-net status is related to the endpoint's online/offline status (whether it is connected to EMS). An online status causes the endpoint to be on-net, while an offline status causes the endpoint to be off-net. |
Enabled | Disabled | Not configured | Same as above. |
Enabled | Disabled | Configured | On-net. Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-net with that FortiGate. |
Disabled or enabled | Enabled, with subnet configured. Endpoint IP address is in the configured subnet. | Configured or not | On-net. The endpoint is inside the on-net networks configured in On-Net Subnets. |
Disabled or enabled | Enabled, with subnet configured. Endpoint IP address is not in the configured subnet. | Configured or not | Off-net. The endpoint is outside the on-net networks configured in On-Net Subnets. |
The following are examples of how FortiClient determines the endpoint status when FortiClient is connected to EMS only. For details on how FortiClient determines on-net/off-net status in managed mode with FortiGate and , see the FortiClient Administration Guide.
An endpoint has an offline off-net status when it cannot connect FortiClient Telemetry to EMS and is outside one of the on-net networks.
An endpoint has an offline on-net status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-net networks.
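The decision table and the two offline cases above, encoded as an added example (not Fortinet code and not part of the original page). Function and parameter names, the sample subnets and the serial placeholder are assumptions made for illustration.

```python
import ipaddress

def on_net_status(dhcp_onnet, on_net_subnets, option224_serial, endpoint_ip, online):
    """Evaluate the on-net/off-net table for one endpoint.

    dhcp_onnet       -- bool, the "DHCP onnet/offnet" server setting
    on_net_subnets   -- list of CIDR strings; empty or None = On-Net Subnets disabled
    option224_serial -- serial number string from DHCP option 224, or None
    endpoint_ip      -- endpoint IP address as a string
    online           -- bool, True if the endpoint is connected to EMS
    """
    if on_net_subnets:
        # Rows 4 and 5: subnet membership decides, whatever the DHCP
        # setting, option 224 value or connection state.
        ip = ipaddress.ip_address(endpoint_ip)
        for cidr in on_net_subnets:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == ip.version and ip in net:
                return "on-net"
        return "off-net"
    if dhcp_onnet and option224_serial:
        # Row 3: option 224 carries a Fortinet serial number.
        return "on-net"
    # Rows 1 and 2: status follows the connection to EMS.
    return "on-net" if online else "off-net"


def describe(dhcp_onnet, on_net_subnets, option224_serial, endpoint_ip, online):
    """Combine connection state and on-net status, e.g. 'offline off-net'."""
    status = on_net_status(dhcp_onnet, on_net_subnets, option224_serial,
                           endpoint_ip, online)
    return f"{'online' if online else 'offline'} {status}"


# Constructed sample values (not from the original page).
SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]
SERIAL = "SERIAL-PLACEHOLDER"

if __name__ == "__main__":
    cases = [
        (False, None, None, "10.10.5.20", True),
        (True, None, SERIAL, "203.0.113.7", False),
        (True, SUBNETS, SERIAL, "203.0.113.7", True),
        (False, SUBNETS, None, "10.10.5.20", False),
    ]
    for case in cases:
        print(case, "->", describe(*case))
```

Running the same function over an inventory export is a quick way to spot endpoints whose reported status differs from what the configured subnets and option 224 would predict.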