EMS Administration Guide

Introduction
- FortiClient EMS components
- Documentation
Getting started
- Getting started with managing Windows, macOS, and Linux endpoints
- Getting started with managing Chromebooks
Installation preparation
- System requirements
- License types
  - FortiClient EMS
  - Component applications
- Required services and ports
- Management capacity
- FortiClient Telemetry security features
- Server readiness checklist for installation
- Upgrading from an earlier FortiClient EMS version
- Install preparation for managing Chromebooks
Installation and licensing
- Downloading the installation file
- Installing FortiClient EMS
- Installing FortiClient EMS using the CLI
- Starting FortiClient EMS and logging in
- Configuring EMS after installation
- Licensing FortiClient EMS
- Specifying different ports
- Upgrading Microsoft SQL Server Express to Microsoft SQL Server Standard or Enterprise
- Uninstalling FortiClient EMS
- Installation and setup for managing Chromebooks
  - Google Admin Console setup
  - Service account credentials
    - Configuring default service account credentials
    - Configuring unique service account credentials
- Verifying ports and services and connection between EMS and FortiClient
GUI
- Banner
- Left pane
- Content pane
Dashboard
- Viewing the Status
- Viewing the Vulnerability Scan dashboard
- Viewing Chromebook Status
Endpoint management
- Windows, macOS, and Linux endpoints
- Group assignment rules
- Google Domains
Deployment & Installers
- Manage Deployment
- FortiClient Installer
Endpoint Policy & Components
- Manage Policies
- CA Certificates
- On-fabric Detection Rules
Chromebook Policy
Endpoint Profiles
- Editing a default profile
- Creating a profile to configure FortiClient
- Adding a new Chromebook profile
- Viewing profiles
- Managing profiles
- Profile Name
- Malware Protection
- Sandbox Detection
- Web Filter
  - Importing a Web Filter profile from FortiOS or FortiManager
  - Enabling and disabling Safe Search
- Application Firewall
- VPN
- Vulnerability Scan
- System Settings
  - Configuring identity compliance for endpoints
- XML Configuration
  - Importing a profile from an XML file
  - Creating a profile with XML
Zero Trust Tags
- Zero Trust Tagging Rules
- Zero Trust Tag Monitor
- FortiOS dynamic policies using EMS dynamic endpoint groups
- Fabric Device Monitor
Software Inventory
- Applications
- Hosts
Quarantine Management
- Files
- Allowlist
Administration
- Administrators
- Admin roles
- Configuring User Settings
- Fabric Devices
  - Configuring EMS to share tagging information with multiple FortiGates
- SAML SSO
- Licenses
- Log Viewer
- Marking all endpoints as uninstalled
System Settings
- Configuring EMS settings
  - Adding an SSL certificate to FortiClient EMS
  - Adding an SSL certificate to FortiClient EMS for Chromebook endpoints
- Configuring Logs settings
- Configuring FortiGuard Services settings
- Alerts
- Custom Messages
  - Customizing the endpoint quarantine message
  - Customizing Web Filter messages
- Feature Select
- Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints
Multitenancy
- Enabling and configuring multitenancy
- Global and per-site configuration
- Left pane with multitenancy enabled
- Editing a site
- Adding a multitenancy administrator
- Logging into EMS with multitenancy enabled
Creating a support package
Migrating to another EMS instance
Appendix A - Examples
- Support banned word check in URL

Home FortiClient 6.4.7 EMS Administration Guide

6.4.7

Required services and ports

You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.

Communication	Usage	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient Telemetry	FortiClient endpoint management	TCP	8013 (default)	Incoming	Installer/GUI
Samba (SMB) service	FortiClient EMS uses the SMB service during FortiClient initial deployment.	TCP	445	Outgoing	N/A
Distributed Computing Environment / Remote Procedure Calls (DCE/RPC)	FortiClient EMS connects to endpoints using RPC for FortiClient initial deployment.	TCP	135 1024-5000* 49152-65535*	Outgoing	You can configure ranges noted with *. See How to configure RPC dynamic port allocation to work with firewalls.
Active Directory server connection	Retrieving workstation and user information	TCP	389 (LDAP) or 636 (LDAPS)	Outgoing	GUI
FortiClient download	Downloading FortiClient deployment packages created by FortiClient EMS	TCP	10443 (default)	Incoming	Installer
Apache/HTTPS	Web access to FortiClient EMS	TCP	443	Incoming	Installer
SMTP server/email	Alerts for FortiClient EMS and endpoint events. When an alert is triggered, EMS sends an email notification.	TCP	25 (default)	Outgoing	GUI
FortiClient endpoint probing	FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.	ICMP	N/A	Outgoing	N/A
FSSO	Connection to FortiOS.	TCP	8000	Incoming	N/A

The following ports and services only apply when using FortiClient EMS to manage Chromebooks:

Communication	Usage	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient on Chrome OS	Connecting to FortiClient EMS	TCP	8443 (default) You can customize this port.	Incoming	GUI
Google Workspace API/Google domain directory	Retrieving Google domain information using API calls	TCP	443	Outgoing	N/A

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient on Chrome OS

Connecting to FortiClient EMS

TCP

8443 (default)

You can customize this port.

Incoming

GUI

Google Workspace API/Google domain directory

Retrieving Google domain information using API calls

TCP

443

Outgoing

N/A

You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:

Communication	Usage	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient EMS	Connecting to the profile server	TCP	8443 (default)	Outgoing	Via Google Admin console when adding the profile
FortiGuard	Rating URLs	TCP	443, 3400	Outgoing	N/A

FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates. FortiClient EMS can connect to legacy FortiGuard or FortiGuard Anycast. The following table summarizes required services for FortiClient EMS to communicate with FortiGuard:

Usage	Server URL			Protocol	Port	Incoming/Outgoing	How to customize
AV/vulnerability signature update	forticlient.fortinet.net myforticlient.fortinet.net	usforticlient.fortinet.net	N/A	TCP	80	Outgoing	N/A
AV/vulnerability signature updates with FortiGuard Anycast	fctupdate.fortinet.net	fctusupdate.fortinet.net	fcteuupdate.fortinet.net	TCP	443	Outgoing	N/A

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Global

U.S.

Europe

AV/vulnerability signature update

forticlient.fortinet.net

myforticlient.fortinet.net

usforticlient.fortinet.net

N/A

TCP

Outgoing

N/A

AV/vulnerability signature updates with FortiGuard Anycast

fctupdate.fortinet.net

fctusupdate.fortinet.net

fcteuupdate.fortinet.net

TCP

443

Outgoing

N/A

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide.

Required services and ports

Communication	Usage	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient Telemetry	FortiClient endpoint management	TCP	8013 (default)	Incoming	Installer/GUI
Samba (SMB) service	FortiClient EMS uses the SMB service during FortiClient initial deployment.	TCP	445	Outgoing	N/A
Distributed Computing Environment / Remote Procedure Calls (DCE/RPC)	FortiClient EMS connects to endpoints using RPC for FortiClient initial deployment.	TCP	135 1024-5000* 49152-65535*	Outgoing	You can configure ranges noted with *. See How to configure RPC dynamic port allocation to work with firewalls.
Active Directory server connection	Retrieving workstation and user information	TCP	389 (LDAP) or 636 (LDAPS)	Outgoing	GUI
FortiClient download	Downloading FortiClient deployment packages created by FortiClient EMS	TCP	10443 (default)	Incoming	Installer
Apache/HTTPS	Web access to FortiClient EMS	TCP	443	Incoming	Installer
SMTP server/email	Alerts for FortiClient EMS and endpoint events. When an alert is triggered, EMS sends an email notification.	TCP	25 (default)	Outgoing	GUI
FortiClient endpoint probing	FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.	ICMP	N/A	Outgoing	N/A
FSSO	Connection to FortiOS.	TCP	8000	Incoming	N/A

The following ports and services only apply when using FortiClient EMS to manage Chromebooks:

Communication	Usage	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient on Chrome OS	Connecting to FortiClient EMS	TCP	8443 (default) You can customize this port.	Incoming	GUI
Google Workspace API/Google domain directory	Retrieving Google domain information using API calls	TCP	443	Outgoing	N/A

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient on Chrome OS

Connecting to FortiClient EMS

TCP

8443 (default)

You can customize this port.

Incoming

GUI

Google Workspace API/Google domain directory

Retrieving Google domain information using API calls

TCP

443

Outgoing

N/A

You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:

Communication	Usage	Protocol	Port	Incoming/Outgoing	How to customize
FortiClient EMS	Connecting to the profile server	TCP	8443 (default)	Outgoing	Via Google Admin console when adding the profile
FortiGuard	Rating URLs	TCP	443, 3400	Outgoing	N/A

Usage	Server URL			Protocol	Port	Incoming/Outgoing	How to customize
AV/vulnerability signature update	forticlient.fortinet.net myforticlient.fortinet.net	usforticlient.fortinet.net	N/A	TCP	80	Outgoing	N/A
AV/vulnerability signature updates with FortiGuard Anycast	fctupdate.fortinet.net	fctusupdate.fortinet.net	fcteuupdate.fortinet.net	TCP	443	Outgoing	N/A

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Global

U.S.

Europe

AV/vulnerability signature update

forticlient.fortinet.net

myforticlient.fortinet.net

usforticlient.fortinet.net

N/A

TCP

Outgoing

N/A

AV/vulnerability signature updates with FortiGuard Anycast

fctupdate.fortinet.net

fctusupdate.fortinet.net

fcteuupdate.fortinet.net

TCP

443

Outgoing

N/A

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

EMS Administration Guide

Required services and ports

Required services and ports

Required services and ports

Required services and ports