Configuring EMS HA
To configure EMS HA:
- Install SQL Server Management Studio on EMS-1 and EMS-2. This is necessary to create a SQL user later in the configuration process. It is also useful to test database connectivity prior to the installation.
- From any server that can connect to the newly created database, log in to the database using SQL Server Management Studio. Use the credentials that you configured in Configuring Microsoft SQL database clustering. The example also uses EMS-1 to test connectivity.
- Create a SQL user:
  - In Object Explorer, right-click Logins, then select New Login.
  - Select SQL Server authentication.
  - Enter the desired password.
  - Deselect Enforce password policy.
  - On the Server Roles page, select sysadmin. Click OK.
  - In Object Explorer, right-click the SQL server, then select Properties.
  - On the Security page, under Server authentication, select SQL Server and Windows Authentication mode. Click OK.
- Install EMS. EMS 7.2 does not rely on FILESTREAM for file synchronization between EMS nodes. Instead, it uses a network share. For information on this change, see Differences between network share and FILESTREAM.
  - Create and share a folder on the network. This file share is used to share files between EMS nodes. All EMS nodes should be able to access the file share. During EMS installation, the installer mounts the file share as the W:\ drive. Ensure that the W:\ drive is free on all EMS nodes. The recommended disk size for the network share depends on the number of FortiClient installers that are uploaded at a time.
    You must disable Network access: Do not allow storage of passwords and credentials for network authentication in Local Group Policy Editor. Leaving it enabled causes installation issues. Do the following on both EMS nodes:
    - Open Local Group Policy Editor.
    - Go to Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options.
    - Double-click Network access: Do not allow storage of passwords and credentials for network authentication.
    - Select Disabled, then click OK.
  - On EMS-1, open Command Prompt as an administrator.
  - Run the following command:
    FortiClientEndpointManagementServer_7.2.4.0983_x64.exe SQLServer=DBVIP SQLUser=emsha SQLUserPassword=123456789 InstallSQL=0 ScriptDB=1 FileStorageNic=\\Server\fileshare FileStorageNicUser=LAB\administrator FileStorageNicPass=Admin123! BackupDir=\\EMS-1\backup DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61

    | Parameter | Description |
    | --- | --- |
    | ScriptDB=1 | Specifies that this is the primary active server. |
    | BackupDir | Configured to \\EMS-1\backup, which is a locally shared folder on EMS-1. EMS and the SQL service user must have read/write/modify permissions to this folder. |
    | FileStorageNic | Fileshare path. |
    | FileStorageNicUser | Username for account with read/write/modify permissions to the shared folder. |
    | FileStorageNicPass | Password for account with read/write/modify permissions to the shared folder. |

    The following is an example of the command when using a named SQL instance. In this example, the SQL instance is EMSNAMED:
    FortiClientEndpointManagementServer_7.2.4.0983_x64.exe SQLServer=DBVIP\EMSNAMED SQLUser=emsha SQLUserPassword=123456789 InstallSQL=0 ScriptDB=1 FileStorageNic=\\Server\fileshare FileStorageNicUser=LAB\administrator FileStorageNicPass=Admin123! BackupDir=\\EMS-1\backup DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61
  - On EMS-2, open Command Prompt as an administrator. Run the following command:
    FortiClientEndpointManagementServer_7.2.4.0983_x64.exe SQLServer=DBVIP SQLUser=emsha SQLUserPassword=123456789 InstallSQL=0 ScriptDB=0 FileStorageNic=\\Server\fileshare FileStorageNicUser=LAB\administrator FileStorageNicPass=Admin123! BackupDir=\\EMS-2\backup DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61
    You must use a unique backup directory for each EMS node. The following shows BackupDir values for an example HA configuration with one primary (EMS 1) and two secondary EMS nodes (EMS 2 and 3):
    - Primary (EMS 1): BackupDir=\\EMS-1\backup
    - Secondary (EMS 2): BackupDir=\\EMS-2\backup
    - Secondary (EMS 3): BackupDir=\\EMS-3\backup
    All EMS nodes share the same FileStorageNic.

    | Parameter | Description |
    | --- | --- |
    | ScriptDB=0 | Indicates the upgrade does not execute scripts to upgrade the database because you upgraded the database in step c. |
    | BackupDir | Configured to \\EMS-2\backup, which is a locally shared folder on EMS-2. EMS and the SQL service user must have read/write/modify permissions to this folder. |
    | FileStorageNic | Fileshare path. |
    | FileStorageNicUser | Username for account with read/write/modify permissions to the shared folder. |
    | FileStorageNicPass | Password for account with read/write/modify permissions to the shared folder. |

    The following is an example of the command when using a named SQL instance. In this example, the SQL instance is EMSNAMED:
    FortiClientEndpointManagementServer_7.2.4.0983_x64.exe SQLServer=DBVIP\EMSNAMED SQLUser=emsha SQLUserPassword=123456789 InstallSQL=0 ScriptDB=0 FileStorageNic=\\Server\fileshare FileStorageNicUser=LAB\administrator FileStorageNicPass=Admin123! BackupDir=\\EMS-2\backup DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61
- Configure EMS:
  - Log in to EMS on the primary server, EMS-1.
  - Go to Dashboard > Status > License Information widget > Configure License.
  - For License Source, select File Upload.
  - Click Browse and locate the license key file.
  - Click Upload. The license is automatically synchronized to EMS-2. You do not need to upload two licenses.
  - Go to System Settings > EMS Settings. Enable Remote HTTPS access.
  - In the FQDN field, enter the FQDN based on the A record that you created in Configuring Active Directory and DNS settings. These settings will be synchronized to EMS-2.
- If desired, generate installers from EMS-1 to autopopulate the EMS server address. If you have a separate installer, enter the EMS FQDN when registering FortiClient to EMS.
- Stop EMS services on EMS-1 to test the failover.
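
The file share and Local Group Policy prerequisites from the Install EMS step can be checked on each node before the installer is run. The following PowerShell script is an added example, not part of the Fortinet documentation; the function name Test-EmsHaPrereq and the probe file name are hypothetical, and \\Server\fileshare is the sample share path used on this page.

```powershell
# Added example (not Fortinet code): pre-install checks to run on each EMS node.
# $FileShare is an assumption: set it to the FileStorageNic value you will pass
# to the installer.
param([string]$FileShare = '\\Server\fileshare')

function Test-EmsHaPrereq {
    param([Parameter(Mandatory)][string]$FileShare)

    # The policy "Network access: Do not allow storage of passwords and
    # credentials for network authentication" is stored as DisableDomainCreds.
    # Reading the registry shows the effective value, including one pushed by
    # a domain GPO over the local policy. 0 or absent means Disabled.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value  = (Get-ItemProperty -Path $lsaKey -ErrorAction Stop).DisableDomainCreds
    $policyDisabled = ($null -eq $value) -or ($value -eq 0)

    # The installer mounts the share as W:, so no local disk or mapped drive
    # may already use that letter. Mapped drives are per logon session, so run
    # this from the same elevated session that will run the installer.
    $wInUse = [bool](Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='W:'")

    # The share must be reachable and writable. This probe runs as the current
    # user; repeat it as the FileStorageNicUser account for a full check.
    $shareWritable = $false
    if (Test-Path -LiteralPath $FileShare) {
        $probe = Join-Path $FileShare ("ems-precheck-{0}.tmp" -f [guid]::NewGuid())
        try {
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -LiteralPath $probe -ErrorAction Stop
            $shareWritable = $true
        } catch {
            Write-Warning "Cannot write to ${FileShare}: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Node                     = $env:COMPUTERNAME
        CredentialStorageAllowed = $policyDisabled
        DriveWFree               = -not $wInUse
        ShareWritable            = $shareWritable
    }
}

$result = Test-EmsHaPrereq -FileShare $FileShare
$result | Format-List
if (-not ($result.CredentialStorageAllowed -and $result.DriveWFree -and $result.ShareWritable)) {
    exit 1
}
```

Run it on EMS-1 and EMS-2; a non-zero exit code means at least one prerequisite is not met on that node.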