7.2.0

FAQs

How many EMS licenses does this configuration require?

This configuration requires one license. You upload the license to the active EMS, as Configuring EMS HA describes.

Is there a preempt feature like in FortiOS HA configuration?

No, there is no preempt feature. For example, if EMS-1 is the active unit and EMS-1 suffers a service disruption, EMS-2 takes over as the active unit.

When EMS-1 comes back online, EMS-2 remains the active unit until it experiences a service disruption itself. There is no fixed active unit.

The DNS A record has round robin enabled, meaning that FortiClient sometimes connects to the passive EMS. What is the effect of this?

During initial registration, FortiClient connects to the EMS physical IP address, based on the DNS server response. There are two scenarios:

  • The DNS server responds with the active EMS IP address. FortiClient connects to EMS without issue.
  • The DNS server responds with the passive EMS IP address. FortiClient connects to the passive EMS, but receives a TCP reset (RST) from the server. After three TCP RSTs, FortiClient automatically switches and connects to the active EMS. Due to this behavior, FortiClient registration to EMS has a slight delay.

In the following screenshot, 192.168.138.73 is the passive EMS. You can see an RST packet sent by the passive EMS in reply to FortiClient. After a while, FortiClient switches and connects to the active EMS.

FortiClient Telemetry connections behave in the same manner.
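The following Python script is an added example, not FortiClient or EMS code: it models the client-side behaviour described above, where a passive EMS answers every connection attempt with a TCP RST and the client gives up on that address after three resets and moves to the next address the DNS round robin handed it. The function and type names (resolve_ems, find_active_ems, ProbeResult, demo_failover) are hypothetical, the three-reset limit comes from the FAQ, and the two-second connect timeout is an assumption. demo_failover builds a constructed local scenario so the script runs offline: a listening socket stands in for the active EMS and a closed port stands in for the passive one.

```python
"""Added example (not Fortinet code): model of the DNS round-robin / TCP RST
failover behaviour described in the FAQ. Names are hypothetical; the
three-reset limit comes from the page, the timeout is an assumption."""
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]

# A refused or reset TCP connection is how the OS reports a server RST to the client.
RST_ERRORS = (ConnectionRefusedError, ConnectionResetError)


@dataclass
class ProbeResult:
    active: Optional[Addr]                                  # address that accepted, or None
    resets: Dict[Addr, int] = field(default_factory=dict)   # RSTs observed per address


def resolve_ems(fqdn: str, port: int) -> List[Addr]:
    """All A-record addresses the resolver returns for the EMS FQDN.

    With round robin enabled the order changes between lookups, so the client
    cannot assume the first entry is the active node.
    """
    addrs: List[Addr] = []
    for _family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
        fqdn, port, type=socket.SOCK_STREAM
    ):
        addr = (sockaddr[0], sockaddr[1])
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def find_active_ems(candidates: List[Addr], max_resets: int = 3,
                    timeout: float = 2.0) -> ProbeResult:
    """Try each candidate in the order given; abandon an address after
    max_resets RSTs (three, per the FAQ) and move on to the next one."""
    result = ProbeResult(active=None)
    for addr in candidates:
        result.resets[addr] = 0
        while result.resets[addr] < max_resets:
            try:
                with socket.create_connection(addr, timeout=timeout):
                    result.active = addr        # handshake completed: active node
                    return result
            except RST_ERRORS:
                result.resets[addr] += 1        # passive node answered with RST, retry
            except OSError:
                break                           # timeout/unreachable is not an RST
    return result


def demo_failover() -> ProbeResult:
    """Constructed local scenario: a listening socket plays the active EMS and a
    port nothing listens on plays the passive EMS (its RST surfaces as
    ConnectionRefusedError). The passive address is listed first, as when the
    DNS round robin hands out the passive IP."""
    active = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    active.bind(("127.0.0.1", 0))
    active.listen(5)
    active_addr: Addr = active.getsockname()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    passive_addr: Addr = probe.getsockname()
    probe.close()                               # port is closed now: connects get RST

    try:
        return find_active_ems([passive_addr, active_addr])
    finally:
        active.close()


if __name__ == "__main__":
    outcome = demo_failover()
    print("active EMS:", outcome.active)
    print("RSTs per address:", outcome.resets)
```

Running the script shows three resets recorded against the passive address and none against the active one, which is the pattern a packet capture of a real registration shows when the resolver answers with the passive IP first. Only refused and reset connections count as RSTs; a timeout is treated as an unreachable node, since it is a different failure and retrying it three times would only lengthen the registration delay.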

What services run on the passive EMS server?

Only the FortiClient Endpoint Management Server Monitor Service runs on the passive EMS server.

After failover occurs and the passive EMS server changes its status to become the active EMS server, all other EMS services automatically start running.

Differences between network share and FILESTREAM

How do network share and FILESTREAM behave differently?

When deployed in high availability (HA) mode, EMS must share files between its different nodes. These files consist of dynamic data, such as the FortiClient installers used for deployment and custom files added to EMS, such as certificates and keys.

FILESTREAM is a SQL Server mechanism that stores files directly in the database's data files. When replication is used, the FILESTREAM data is replicated between the database cluster nodes as well. Besides affecting database sizing, managing large files this way can also degrade database performance. Changing a deployment setting or profile in EMS can cause installers to be repackaged to include the latest configuration changes, and FILESTREAM does not properly release the space the old file used when it is rewritten, which causes the FILESTREAM to grow uncontrollably and require manual cleanup. This technology is better suited to less volatile files, such as backups or files that rarely change.

The network share relies on Windows network drive sharing, which simplifies the process and leaves the database to hold only the application data.

What effect does network share downtime have on operations?

There is no effect on telemetry or on connections from FortiClient. If the network share is down, installer downloads fail, but FortiClient should repeatedly retry fetching the relevant files if the deployment is automated. Creating or updating installers/deployments takes effect only when the network share becomes available again; this is transparent to the user.

What are the implications of upgrading an HA instance from 7.0 to 7.2 and converting from FILESTREAM to network share?

The upgrade should be transparent. The FILESTREAM becomes unused and the database eventually cleans it up. The EMS installer copies files that must be in the network share during the upgrade.

What are the best practices for deploying network share?

  • EMS uses the drive letter "W" to map the network share. To avoid EMS installation issues, make sure that "W" is not already in use by a physical or network drive on the EMS host machine.
  • Determining the required provisioning size for the network share depends on a number of factors. The following folder contents are hosted on the network share, which are otherwise located in the EMS install directory with a standalone installation:
    • Installers: each installer/deployment package is typically less than 1.5 GB.
    • ClientUninstaller: universal FortiClient uninstaller, ~500 MB.
    • fctuploads: logs retrieved via the Request FortiClient/Diagnostic Logs option in EMS. Variable based on usage. Diagnostic logs can be up to ~200 MB each.
    • google: typically less than 1 MB unless hosting a Chromebook deployment.