Configuring EMS settings
FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiClient EMS.
When you enable multitenancy, you must configure some EMS settings at the global level, and other settings at the site level. See Global and per-site configuration.
To configure EMS settings:
- Go to System Settings > EMS Settings.
- Configure the following options under Shared Settings. EMS uses these settings both when managing Windows, macOS, and Linux endpoints and when managing Chromebook endpoints:
Hostname
Displays the FortiClient EMS server's hostname.
Listen on IP
Displays the IP addresses for the FortiClient EMS server. FortiClient connects to FortiClient EMS on the specified IP address.
You can generate a QR code for the specified IP address. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints.
Use FQDN
Specify an FQDN for the FortiClient EMS server.
FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal devices. For external devices or devices that may leave the internal network, you must consider how to maintain this connection. FortiClient can connect to EMS using an IP address or fully qualified domain name (FQDN). An FQDN is preferable for the following reasons:
- Easy to migrate EMS to a different IP address
- Easy to migrate to a different EMS instance
- Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day. When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address and register your external IP address with public DNS servers. You must then configure the device that owns your external IP address (for example, the FortiGate) to forward traffic received on port 8013 to the EMS internal IP address. This allows your external clients to reach EMS through a virtual IP address on the FortiGate, while internal clients use the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This configuration would require external clients to establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all endpoints need an urgent update but some are not connected to VPN at that time.
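As an added check that is not part of the Fortinet documentation, the following PowerShell script, run from an administrator's workstation, verifies the split-horizon setup described above: the FQDN must resolve to the internal EMS address on the internal resolver and to the external (FortiGate VIP) address on a public resolver, and port 8013 must be reachable from the current location. The FQDN, resolver addresses and expected IP addresses are placeholders.

```powershell
# Added example (not from the Fortinet documentation): verify split-horizon DNS for the
# EMS FQDN and reachability of the endpoint control port. All values below are placeholders.
$EmsFqdn     = 'ems.example.com'
$InternalDns = '10.0.0.53'       # placeholder internal resolver
$PublicDns   = '1.1.1.1'         # any public resolver
$ExpectedInt = '10.0.0.25'       # placeholder EMS internal IP address
$ExpectedExt = '203.0.113.10'    # placeholder FortiGate VIP / external IP address
$EmsPort     = 8013              # endpoint control port named in the documentation

function Get-ARecords([string]$Name, [string]$Server) {
    # Return only A records so CNAME entries do not confuse the comparison.
    (Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }).IPAddress
}

$internal = Get-ARecords -Name $EmsFqdn -Server $InternalDns
$external = Get-ARecords -Name $EmsFqdn -Server $PublicDns

if ($internal -notcontains $ExpectedInt) {
    Write-Warning "Internal DNS resolves $EmsFqdn to $($internal -join ',') instead of $ExpectedInt"
}
if ($external -notcontains $ExpectedExt) {
    Write-Warning "Public DNS resolves $EmsFqdn to $($external -join ',') instead of $ExpectedExt"
}
if ($external -contains $ExpectedInt) {
    # A private EMS address in public DNS exposes internal addressing and leaves
    # external clients with an address they cannot reach.
    Write-Warning "Public DNS exposes the internal EMS address $ExpectedInt"
}

# From this host, confirm the FQDN actually reaches EMS on 8013. Which path is used
# depends on whether this host currently resolves the internal or the external address.
$tcp = Test-NetConnection -ComputerName $EmsFqdn -Port $EmsPort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "$EmsFqdn ($($tcp.RemoteAddress)) accepts connections on port $EmsPort"
} else {
    Write-Warning "$EmsFqdn ($($tcp.RemoteAddress)) is not reachable on port $EmsPort from this host"
}
```

Run it once from the internal network and once from an external network to confirm both paths; a warning from either run points to the DNS record or the port forward that needs correcting.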
FQDN
Enter the FortiClient EMS server FQDN. FortiClient can connect using the specified IP address in the Listen on IP Addresses option or the specified FQDN.
Remote HTTPS access
Specify settings for remote administration access to FortiClient EMS.
Turn remote HTTPS access to FortiClient EMS on and off. When enabled, enter a hostname in the Custom hostname field to let administrators use a browser and HTTPS to log into FortiClient EMS. When disabled, administrators can only log into FortiClient EMS on the server.
HTTPS port
Available when Remote HTTPS Access is enabled. Displays the predefined HTTPS port. You cannot change the port.
Pre-defined hostname
Available when Remote HTTPS Access is enabled. Displays the predefined hostname. You cannot change the name.
Custom hostname
Available when Remote HTTPS Access is enabled. Displays the predefined hostname of the server on which FortiClient EMS is installed. You can customize the hostname. When you change the hostname, the web server restarts.
Redirect HTTP request to HTTPS
Available when Remote HTTPS Access is enabled. When this option is enabled, a remote access attempt to FortiClient EMS at http://<server_name> is automatically redirected to https://<server_name>.
SSL certificate
Displays the currently imported SSL certificate. If you have already uploaded an SSL certificate, a Replace button displays. The certificate must be in .pfx format, which is the same as PKCS#12. It contains the private key, along with the public key and the related certificate chain. You can create this certificate using OpenSSL. You can also export it on a Microsoft Windows system using the Export-PfxCertificate PowerShell command or certmgr. EMS calls the MSI signtool, along with the .pfx certificate provided, to sign FortiClient installers. If no certificate is provided, EMS does not sign newly generated FortiClient installers. See Adding an SSL certificate to FortiClient EMS.
Use SSL certificate for Endpoint Control
Enable to use the certificate uploaded in the SSL certificate field on port 8013. When this option is enabled and FortiClient tries to connect to EMS using the endpoint control protocol, EMS sends the SSL certificate so that FortiClient can use the certificate to verify the connection.
If the SSL certificate is from a publicly signed certificate authority, only endpoints with the FortiClient 6.4.7 and later versions can connect to EMS.
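As an added example that is not part of the Fortinet documentation, the following PowerShell script exports the EMS server certificate from the Local Machine store as a .pfx (PKCS#12) file containing the private key and chain, suitable for the SSL certificate field above and for use on port 8013. It assumes the certificate's subject CN matches the EMS FQDN and that the FQDN and output path are placeholders.

```powershell
# Added example (not from the Fortinet documentation): export the EMS server certificate
# with its private key and chain as PKCS#12 for upload to EMS. Placeholder values below.
$EmsFqdn = 'ems.example.com'          # placeholder EMS FQDN (certificate subject CN)
$OutFile = 'C:\Temp\ems-server.pfx'   # placeholder output path

# Locate the newest matching certificate that has a private key; EMS needs the key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$EmsFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$EmsFqdn" }

# Refuse an expired certificate or one without the Server Authentication EKU.
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt -and -not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# Confirm the chain builds on this host; EMS presents the chain to FortiClient on port 8013.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate chain does not build; install the missing intermediate or root first'
}

# Prompt for the PFX password instead of hard-coding it; EMS asks for it at upload time.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# BuildChain includes the intermediates so FortiClient receives the full chain.
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword -ChainOption BuildChain | Out-Null

# The file contains the private key: restrict it to Administrators and SYSTEM only.
icacls $OutFile /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $OutFile"
```

Delete the .pfx file from the server once it has been uploaded to EMS.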
Show FortiGate Server List
When this option is enabled, you can configure FortiGate IP addresses in a Telemetry server list to allow FortiClient to connect directly to FortiOS. FortiClient 6.4.0 and later versions cannot directly connect Telemetry to FortiOS. FortiClient 6.4.0 only connects Telemetry to EMS, which then sends FortiClient data to FortiOS. Only endpoints with FortiClient versions older than 6.4.0 installed can connect Telemetry directly to FortiOS.
When this option is disabled, you can only configure EMS IP addresses in a Telemetry server list.
Reset Stalled Deployment Interval
Enter the number of hours after which to reset stalled deployments.
- Configure the following options under EMS Settings. FortiClient EMS uses these settings when managing Windows, macOS, and Linux endpoints:
- If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after enabling this option.
- Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS managing Chromebook endpoints:
Listen on port
Displays the default port for the FortiClient EMS server for Chromebooks. You can change the port by typing a new port number. The FortiClient Web Filter extension on Chromebooks connects to FortiClient EMS using the specified port number.
User inactivity timeout
Enter the number of hours of inactivity after which to time out the user.
Profile update interval
Specify the profile update interval (in seconds).
SSL certificate
Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.
Certificate
Browse and upload a new SSL certificate file. See Adding an SSL certificate to FortiClient EMS for Chromebook endpoints.
Password
Configure a new SSL password.
Service account
Displays the service account ID currently in use.
Update service account
Update the service account with new credentials.
Reset service account
If your service account is broken, you can revert to the default service account by clicking the Reset button. You must Save the settings for the change to take effect.
ID
Available if the Update service account button is clicked. Enter a new service account ID.
Private key
Available if the Update service account button is clicked. Upload a new service account private key.
- Configure the following options under Endpoints Settings:
FortiClient telemetry connection key
Add the FortiClient Telemetry connection key for FortiClient EMS. FortiClient must provide this key during connection.
You can generate a QR code for the specified key. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints.
Keep alive interval
Each connected FortiClient endpoint sends a short keep-alive (KA) message to FortiClient EMS at the specified interval.
Full keep alive interval
Each connected FortiClient endpoint sends a full KA message to FortiClient EMS at the specified interval.
Endpoints become unregistered after the configured license timeout. EMS keeps these endpoint records until the EMS administrator manually deletes them or marks them as uninstalled.
Automatically upload avatars
FortiClient uploads user avatars to all FortiGates, FortiAnalyzers, and FortiClient EMS servers it is connected to.
Enable endpoint snapshot reports
Enable endpoint snapshot reports and enter the interval at which to take reports in seconds. The interval must be between 300 and 86400 seconds.
- Enable Manage Multiple Customer Sites. This enables multitenancy for EMS.
- Configure the following options under EMS FSSO Settings. These settings add SSL encryption to the FSSO protocol between EMS and FortiOS.
SSL certificate
Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.
Configure FSSO Password
Configure a new SSL password.
- Click Save.