Fortinet black logo

Administration Guide

Endpoint communication security improvement

Endpoint communication security improvement

FortiClient Endpoint Management Server (EMS) and FortiClient 7.0.2 add an improvement to endpoint communication security.

FortiClient connects to EMS using Telemetry to:

  • Obtain license information
  • Send endpoint and management information to EMS
  • Receive endpoint configuration
  • Receive endpoint commands, the results of which it can send to EMS
  • Other similar tasks

The connection from FortiClient to EMS uses TCP and TLS 1.3. During the SSL connection setup, EMS sends a server certificate to FortiClient. The certificate that EMS sends to FortiClient is the one configured in EMS Settings > Shared Settings > SSL certificate. See Adding an SSL certificate to FortiClient EMS.

In 7.0.1 and earlier versions, FortiClient checks the certificate subject name received from EMS to confirm its validity. In 7.0.2, the certificate validation follows industry standards:

  • Domain or fully qualified domain name (FQDN) that FortiClient is connecting to matches the domain to which the certificate is issued.
    • Validation process correctly handles wildcards in the domain name in the certificate.
    • Validation process considers both the common name (CN) in the subject or subject alternative name (SAN).
  • The certificate expiry date is in the future. The certificate has not expired.
  • The certificate issuer or the root certificate in the certificate chain is from a publicly trusted certificate authority (CA). Trusted CAs are read from the operating system.

The new endpoint communication security feature allows the EMS administrator to configure endpoint profiles to take different actions based on the validity of the certificate that FortiClient receives from EMS. The EMS administrator configures this feature by enabling Use SSL certificate for Endpoint Control in EMS and configuring the desired Invalid Certificate Action for each endpoint profile.

Caution

When Use SSL certificate for Endpoint Control is enabled, FortiClient 7.0.1 and earlier versions cannot connect to EMS. Following the recommended upgrade path as detailed in the following procedure is recommended to ensure that endpoints can connect to EMS. See Recommended upgrade path.

The following describes the behavior when Use SSL certificate for Endpoint Control is enabled:

  • If the EMS server certificate is valid, FortiClient silently connects without displaying a message. This is the same connection behavior from 7.0.1 and earlier versions.
  • If the EMS server certificate is invalid:
    • If the Invalid Certificate Action is configured as Warn, FortiClient displays a warning message to the end user. The message warns the user that the EMS to which FortiClient is attempting to connect to has provided an invalid server certificate. The message offers options to allow or deny the connection:
      • If the user allows the connection, FortiClient connects to EMS and remembers the certificate for this EMS. FortiClient no longer prompts the user each time that it connects to this EMS.
      • If the user denies the connection, FortiClient does not connect to EMS by canceling the connection. The next time that the user tries to connect to the same EMS and the server certificate is still invalid, FortiClient displays the same message again.

    • If the Invalid Certificate Action is configured as Allow, FortiClient connects to EMS.

    • If the Invalid Certificate Action is configured as Deny, FortiClient does not connect to EMS.

When Use SSL certificate for Endpoint Control is disabled, EMS sends the FortiCare certificate for endpoint control connections to FortiClient. FortiClient considers this certificate invalid and follows the configured Invalid Certificate Action.

Endpoint communication security improvement

FortiClient Endpoint Management Server (EMS) and FortiClient 7.0.2 add an improvement to endpoint communication security.

FortiClient connects to EMS using Telemetry to:

  • Obtain license information
  • Send endpoint and management information to EMS
  • Receive endpoint configuration
  • Receive endpoint commands, the results of which it can send to EMS
  • Other similar tasks

The connection from FortiClient to EMS uses TCP and TLS 1.3. During the SSL connection setup, EMS sends a server certificate to FortiClient. The certificate that EMS sends to FortiClient is the one configured in EMS Settings > Shared Settings > SSL certificate. See Adding an SSL certificate to FortiClient EMS.

In 7.0.1 and earlier versions, FortiClient checks the certificate subject name received from EMS to confirm its validity. In 7.0.2, the certificate validation follows industry standards:

  • Domain or fully qualified domain name (FQDN) that FortiClient is connecting to matches the domain to which the certificate is issued.
    • Validation process correctly handles wildcards in the domain name in the certificate.
    • Validation process considers both the common name (CN) in the subject or subject alternative name (SAN).
  • The certificate expiry date is in the future. The certificate has not expired.
  • The certificate issuer or the root certificate in the certificate chain is from a publicly trusted certificate authority (CA). Trusted CAs are read from the operating system.

The new endpoint communication security feature allows the EMS administrator to configure endpoint profiles to take different actions based on the validity of the certificate that FortiClient receives from EMS. The EMS administrator configures this feature by enabling Use SSL certificate for Endpoint Control in EMS and configuring the desired Invalid Certificate Action for each endpoint profile.

Caution

When Use SSL certificate for Endpoint Control is enabled, FortiClient 7.0.1 and earlier versions cannot connect to EMS. Following the recommended upgrade path as detailed in the following procedure is recommended to ensure that endpoints can connect to EMS. See Recommended upgrade path.

The following describes the behavior when Use SSL certificate for Endpoint Control is enabled:

  • If the EMS server certificate is valid, FortiClient silently connects without displaying a message. This is the same connection behavior from 7.0.1 and earlier versions.
  • If the EMS server certificate is invalid:
    • If the Invalid Certificate Action is configured as Warn, FortiClient displays a warning message to the end user. The message warns the user that the EMS to which FortiClient is attempting to connect to has provided an invalid server certificate. The message offers options to allow or deny the connection:
      • If the user allows the connection, FortiClient connects to EMS and remembers the certificate for this EMS. FortiClient no longer prompts the user each time that it connects to this EMS.
      • If the user denies the connection, FortiClient does not connect to EMS by canceling the connection. The next time that the user tries to connect to the same EMS and the server certificate is still invalid, FortiClient displays the same message again.

    • If the Invalid Certificate Action is configured as Allow, FortiClient connects to EMS.

    • If the Invalid Certificate Action is configured as Deny, FortiClient does not connect to EMS.

When Use SSL certificate for Endpoint Control is disabled, EMS sends the FortiCare certificate for endpoint control connections to FortiClient. FortiClient considers this certificate invalid and follows the configured Invalid Certificate Action.