Fortinet white logo
Fortinet white logo

Administration Guide

Recommended upgrade path

Recommended upgrade path

Existing FortiClient and EMS users may have a mixture of 6.4.7 and older versions in production. The new endpoint security improvement feature is only available for EMS 6.4.7 and later versions. The EMS administrator configures this feature by enabling Use SSL certificate for Endpoint Control in EMS and configuring the desired Invalid Certificate Action for each endpoint profile. When the endpoint security improvement feature is enabled in EMS, only FortiClient 6.4.7 and later versions can connect. Therefore, upgrading all FortiClient endpoints to 6.4.7 is recommended.

Caution

When Use SSL certificate for Endpoint Control is enabled on EMS, FortiClient 6.4.6 and earlier versions cannot connect to EMS. Following the recommended upgrade path as detailed in the following procedure is recommended to ensure that endpoints can connect to EMS.

Caution

FortiOS connects to EMS using the configured Fabric connector. Whenever the SSL certificate changes on EMS, you must reauthorize the EMS certificate in FortiOS.

Following is the recommended upgrade path for when FortiClient and/or EMS older than 6.4.7 exists in production. You must complete the following steps:

  1. Upgrade EMS to 6.4.7.
  2. Upgrade FortiClient to 6.4.7.
  3. Apply a valid certificate to EMS.
  4. Configure the invalid certificate action as warn.
To upgrade EMS to 6.4.7:
  1. Upgrade EMS to 6.4.7 as the Upgrade Path describes.
  2. Go to System Settings > EMS Settings.
  3. Disable Use SSL certificate for Endpoint Control.

  4. Go to Endpoint Profiles > Manage Profiles.
  5. Select a profile.
  6. On the System Settings tab, configure Invalid Certificate Action as Allow.
  7. Save the configuration.

  8. Repeat steps 4-7 for all profiles.

To upgrade FortiClient to 6.4.7:
  1. Create an installer:
    1. In EMS, go to Deployment & Installers > FortiClient Installer.
    2. Click Add.
    3. On the Version tab, select Choose a custom installer.
    4. Select an existing FortiClient 6.4.7 custom installer from the Custom Installer dropdown list, or use the Add Installer option to add a new 6.4.7 installer.
    5. Click Next.
    6. In the Name and Notes fields, enter the desired values. Click Next.
    7. On the Features tab, enable all desired features. Click Next.
    8. On the Advanced tab, from the Invalid Certificate Action dropdown list, select Allow. Configure other fields as desired, then click Next.

    9. Click Finish.
  2. Create a deployment configuration:
    1. Go to Deployment & Installers > Manage Deployment.
    2. Click Add.
    3. In the Endpoint Groups field, click Edit. In the Add Endpoint Groups dialog, select all groups that contain endpoints to upgrade to 6.4.7.
    4. For Action, select Install.
    5. From the Deployment Package dropdown list, select the package that you created earlier.
    6. Enable Start at a Scheduled Time and configure the desired time.
    7. Ensure that Enable the Deployment is enabled.
    8. Configure other fields as desired, then save the deployment configuration.

      At the scheduled time, EMS deploys the FortiClient 6.4.7 upgrade to all endpoints groups that you configured for the deployment. FortiClient upgrades to 6.4.7 on the endpoints. After upgrade, FortiClient reconnects to EMS. FortiClient does not display an error or warning as it reconnects to EMS.

To apply a valid certificate to EMS:
  1. In EMS, go to System Settings > EMS Settings.
  2. You can add an SSL certificate to EMS in one of the following ways:

    Method

    Description

    Automated

    The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority to provide free SSL server certificates. You can configure EMS to use certificates that are managed by Let's Encrypt.

    Upload

    Manually upload an SSL certificate.

    For either method, you must ensure that the certificate satisfies the criteria in Endpoint communication security improvement to ensure that communication between FortiClient and EMS is secure.

    Do one of the following:

    1. Configure an automated SSL certificate:
      1. Go to System Settings > EMS Settings.
      2. Ensure that Remote HTTPS access and Redirect HTTP request to HTTPS are enabled.
      3. Ensure that ports 80 and 443 are accessible from the Internet by going to https://<EMS FQDN> in a browser. If the ports are accessible, the browser displays the EMS login page.

      4. In the SSL certificate field, click the Import SSL certificate button.
      5. Select Automated.
      6. In the Domain field, enter the EMS FQDN. For the Let's Encrypt server to issue the certificate, the public DNS server must resolve the EMS FQDN to the EMS public IP address.
      7. In the Email field, enter a valid email address.
      8. If desired, enable Auto Renew. When Auto Renew is enabled, EMS automatically renews the certificate before expiry.
      9. Select the checkbox to agree to Let's Encrypt's terms of service. Click Import.

    2. Manually upload an SSL certificate:
      1. Go to System Settings > EMS Settings.
      2. In the SSL certificate field, click the Import SSL certificate button.
      3. Select Upload.
      4. In the Certificate field, browse to and select the desired certificate.
      5. In the Certificate Password field, configure the desired password for the certificate.
      6. Click Upload.
  3. After all endpoints have upgraded to FortiClient 6.4.7 and EMS is using a valid certificate, go to System Settings > EMS Settings and enable Use SSL certificate for Endpoint Control. When you enable this option, endpoints still running FortiClient 6.4.6 and older versions can no longer connect to this EMS. If they were previously connected, they now show as offline.

To configure the invalid certificate action as warn:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. Select a profile.
  3. On the System Settings tab, configure Invalid Certificate Action as Warn.
  4. Save the profile.
  5. After FortiClient receives the configuration change, observe if FortiClient displays a warning about the certificate being invalid. If you do not observe connection issues when Invalid Certificate Action is set to Warn, you can optionally change the setting to Deny.

Recommended upgrade path

Recommended upgrade path

Existing FortiClient and EMS users may have a mixture of 6.4.7 and older versions in production. The new endpoint security improvement feature is only available for EMS 6.4.7 and later versions. The EMS administrator configures this feature by enabling Use SSL certificate for Endpoint Control in EMS and configuring the desired Invalid Certificate Action for each endpoint profile. When the endpoint security improvement feature is enabled in EMS, only FortiClient 6.4.7 and later versions can connect. Therefore, upgrading all FortiClient endpoints to 6.4.7 is recommended.

Caution

When Use SSL certificate for Endpoint Control is enabled on EMS, FortiClient 6.4.6 and earlier versions cannot connect to EMS. Following the recommended upgrade path as detailed in the following procedure is recommended to ensure that endpoints can connect to EMS.

Caution

FortiOS connects to EMS using the configured Fabric connector. Whenever the SSL certificate changes on EMS, you must reauthorize the EMS certificate in FortiOS.

Following is the recommended upgrade path for when FortiClient and/or EMS older than 6.4.7 exists in production. You must complete the following steps:

  1. Upgrade EMS to 6.4.7.
  2. Upgrade FortiClient to 6.4.7.
  3. Apply a valid certificate to EMS.
  4. Configure the invalid certificate action as warn.
To upgrade EMS to 6.4.7:
  1. Upgrade EMS to 6.4.7 as the Upgrade Path describes.
  2. Go to System Settings > EMS Settings.
  3. Disable Use SSL certificate for Endpoint Control.

  4. Go to Endpoint Profiles > Manage Profiles.
  5. Select a profile.
  6. On the System Settings tab, configure Invalid Certificate Action as Allow.
  7. Save the configuration.

  8. Repeat steps 4-7 for all profiles.

To upgrade FortiClient to 6.4.7:
  1. Create an installer:
    1. In EMS, go to Deployment & Installers > FortiClient Installer.
    2. Click Add.
    3. On the Version tab, select Choose a custom installer.
    4. Select an existing FortiClient 6.4.7 custom installer from the Custom Installer dropdown list, or use the Add Installer option to add a new 6.4.7 installer.
    5. Click Next.
    6. In the Name and Notes fields, enter the desired values. Click Next.
    7. On the Features tab, enable all desired features. Click Next.
    8. On the Advanced tab, from the Invalid Certificate Action dropdown list, select Allow. Configure other fields as desired, then click Next.

    9. Click Finish.
  2. Create a deployment configuration:
    1. Go to Deployment & Installers > Manage Deployment.
    2. Click Add.
    3. In the Endpoint Groups field, click Edit. In the Add Endpoint Groups dialog, select all groups that contain endpoints to upgrade to 6.4.7.
    4. For Action, select Install.
    5. From the Deployment Package dropdown list, select the package that you created earlier.
    6. Enable Start at a Scheduled Time and configure the desired time.
    7. Ensure that Enable the Deployment is enabled.
    8. Configure other fields as desired, then save the deployment configuration.

      At the scheduled time, EMS deploys the FortiClient 6.4.7 upgrade to all endpoints groups that you configured for the deployment. FortiClient upgrades to 6.4.7 on the endpoints. After upgrade, FortiClient reconnects to EMS. FortiClient does not display an error or warning as it reconnects to EMS.

To apply a valid certificate to EMS:
  1. In EMS, go to System Settings > EMS Settings.
  2. You can add an SSL certificate to EMS in one of the following ways:

    Method

    Description

    Automated

    The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority to provide free SSL server certificates. You can configure EMS to use certificates that are managed by Let's Encrypt.

    Upload

    Manually upload an SSL certificate.

    For either method, you must ensure that the certificate satisfies the criteria in Endpoint communication security improvement to ensure that communication between FortiClient and EMS is secure.

    Do one of the following:

    1. Configure an automated SSL certificate:
      1. Go to System Settings > EMS Settings.
      2. Ensure that Remote HTTPS access and Redirect HTTP request to HTTPS are enabled.
      3. Ensure that ports 80 and 443 are accessible from the Internet by going to https://<EMS FQDN> in a browser. If the ports are accessible, the browser displays the EMS login page.

      4. In the SSL certificate field, click the Import SSL certificate button.
      5. Select Automated.
      6. In the Domain field, enter the EMS FQDN. For the Let's Encrypt server to issue the certificate, the public DNS server must resolve the EMS FQDN to the EMS public IP address.
      7. In the Email field, enter a valid email address.
      8. If desired, enable Auto Renew. When Auto Renew is enabled, EMS automatically renews the certificate before expiry.
      9. Select the checkbox to agree to Let's Encrypt's terms of service. Click Import.

    2. Manually upload an SSL certificate:
      1. Go to System Settings > EMS Settings.
      2. In the SSL certificate field, click the Import SSL certificate button.
      3. Select Upload.
      4. In the Certificate field, browse to and select the desired certificate.
      5. In the Certificate Password field, configure the desired password for the certificate.
      6. Click Upload.
  3. After all endpoints have upgraded to FortiClient 6.4.7 and EMS is using a valid certificate, go to System Settings > EMS Settings and enable Use SSL certificate for Endpoint Control. When you enable this option, endpoints still running FortiClient 6.4.6 and older versions can no longer connect to this EMS. If they were previously connected, they now show as offline.

To configure the invalid certificate action as warn:
  1. In EMS, go to Endpoint Profiles > Manage Profiles.
  2. Select a profile.
  3. On the System Settings tab, configure Invalid Certificate Action as Warn.
  4. Save the profile.
  5. After FortiClient receives the configuration change, observe if FortiClient displays a warning about the certificate being invalid. If you do not observe connection issues when Invalid Certificate Action is set to Warn, you can optionally change the setting to Deny.