Configuring EMS after installation
You can configure an FQDN for EMS.
FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal devices. For external devices or devices that may leave the internal network, you must consider how to maintain this connection. FortiClient can connect to EMS using an IP address or fully qualified domain name (FQDN). An FQDN is preferable for the following reasons:
- Easy to migrate EMS to a different IP address
- Easy to migrate to a different EMS instance
- Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day. When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address and register your external IP address with public DNS servers. You must then configure the device with your external IP address to forward communication received on port 8013 to your EMS internal IP address. This allows your external clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This configuration would require external clients to establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all endpoints need an urgent update but some are not connected to VPN at that time.
You can also configure FortiClient EMS so that you can access it remotely using a web browser instead of the GUI.
To enable remote access to FortiClient EMS:
- Go to System Settings > EMS Settings.
- Enable Use FQDN. In the FQDN field, enter the desired FQDN.
- If desired, in the Custom hostname field, enter the hostname or IP address. Otherwise, EMS uses the Pre-defined hostname.
- If desired, select the Redirect HTTP request to HTTPS checkbox. If this option is enabled, if you attempt to remotely access EMS at http://<server_name>, this automatically redirects to https://<server_name>.
- Click Save.
To remotely access FortiClient EMS:
- To access EMS from the EMS server, visit
https://localhost
- To access the server remotely, use the server's hostname:
https://<server_name>
Ensure you can ping
<server_name>
remotely. You can achieve this by adding it into a DNS entry or to the Windows hosts file. You may need to modify the Windows firewall rules to allow the connection.