Authentication server configuration for onboarding

This feature provides an Active Directory (AD) connector, which you can use to redirect directory requests to your on-premise AD server. This feature allows EMS to access AD servers outside its local network by adding an AD connector. The EMS and AD server can both reach the AD connector. Prior to this enhancement, FortiClient Cloud could not add an AD server as an authentication server if it was located outside the network on which FortiClient Cloud was installed.

This enhancement adds the following benefits:

  • You can add or delete an AD server that the EMS cannot directly reach.
  • You can use a domain for reusable and sharable resources in different EMS functions, such as:
    • Add or delete all domains that exist on the AD server in Endpoints > Manage Domains
    • Assign and manage admin users to domains in Administration > Admin Users
    • Authorize and exclude imported organizational units (OU) and groups in User Management > Authorized User Groups
  • You can add AD servers inside a local network with private IP addresses and AD servers inside a remote network to EMS for access and configuration.
  • You can import all base DNs or all required DNs that exist in an AD simultaneously. You can also add specific OUs, containers, and groups from the AD to EMS.
  • AD server importation and domain addition have been separated so that you do not need to import the server and configure all settings in one step.
  • You can block a user group through authorized user groups.
  • You can authorize and exclude OUs, containers, and groups.
  • You can add an admin user for the imported AD server.

This feature adds the following components to add support for the aforementioned benefits:

  • The Authentication Servers page has been improved to support the following:
    • Connect to a private AD domain using the AD connector
    • Manage remote connectors that are connected to EMS
    • Manage private AD domains that are connected to EMS
  • Domain management and import pages have been improved to allow users to select multiple base DNs to import from. If a group, computer, or user is included in multiple selected base DNs, EMS correctly performs the import without conflict.
  • The authorized user groups page now displays the OUs, containers, and groups imported from the domain for further management. Authorize and exclude actions can be applied to the OUs, containers, and groups. These actions only apply to the direct children of said OUs, containers, and groups.
  • When multitenancy is enabled and multiple sites exist, you can now import an AD domain and use it to add AD admins to the global site, then give those admins access to multiple EMS multitenancy sites.

In the example scenario, the AD server is on-premise in the company database, while EMS is installed on a virtual machine in the AWS cloud. In this case, to add the AD server to EMS as an authentication server, EMS requires an AD connector.

To configure an authentication server for onboarding:
  1. Add an API key:
    1. In EMS, go to Administration > Authentication Servers.
    2. Click Connectors.
    3. Click API Keys, then Add. Add a new API key.
  2. Create the AD connector:
    1. As the AD connector acts as a proxy between the EMS and AD server, you should install the AD connector in a host that EMS and the AD server can reach. On the host machine, from the EMS installation package, run FortiClientEndpointManagementServerADConnector_7.2.0.XXXX_x64.msi.
    2. In the Connect to EMS Configuration dialog, enter the EMS IP address, fully qualified domain name, or account ID in the EMS IP/FQDN/Account ID field.
    3. In the EMS Port field, enter the port number.
    4. In the Connector UID field, enter the AD connector UID.
    5. In the Connector Api Key field, enter the API key value.
    6. Click Add Site, and enter the EMS site information. Ensure that a Connection established message displays, then click Next.
  3. Go to Administration > Authentication Servers > Connectors to confirm that you successfully created an AD connector.
  4. Go to Administration > Authentication Servers.
  5. Enable Use Connector.
  6. From the Connector dropdown list, select the AD connector.
  7. Enter other AD server details.
  8. Save the configuration. EMS successfully adds the AD server as an authentication server.
  9. Add the endpoint domain:
    1. Go to Endpoints > Manage Domains > Add.
    2. From the Authentication Server dropdown list, select the domain.
    3. Configure other fields as desired, then save.
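Step 2 depends on the connector host being able to reach both EMS and the AD server. As an added example (not part of Fortinet's documentation and not code from the connector installer), the following PowerShell function runs a pre-flight check on a candidate connector host before you run the MSI: it confirms the host resolves and can open a TCP connection to EMS on the port you will enter in the EMS Port field, and to the AD server on the standard LDAP and LDAPS ports. The ports 389 and 636 are an assumption, since the page does not state which ports the connector uses to reach AD; the host names and the EMS port in the sample invocation are constructed placeholders.

```powershell
# Added example, not Fortinet's code. Pre-flight reachability check for a host that
# will run the AD connector. Assumes outbound TCP from the host to EMS on the
# configured EMS port and to the AD server on LDAP/LDAPS (389/636); adjust $AdPorts
# if your deployment uses different ports.
function Test-AdConnectorPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EmsHost,   # value for the EMS IP/FQDN field
        [Parameter(Mandatory)] [int]    $EmsPort,   # value for the EMS Port field
        [Parameter(Mandatory)] [string] $AdHost,    # AD server the connector will proxy to
        [int[]] $AdPorts = @(389, 636)              # assumed LDAP / LDAPS ports
    )

    # Build the list of endpoints the connector host must be able to reach.
    $checks = @([pscustomobject]@{ Target = 'EMS'; Host = $EmsHost; Port = $EmsPort })
    foreach ($p in $AdPorts) {
        $checks += [pscustomobject]@{ Target = 'AD'; Host = $AdHost; Port = $p }
    }

    $results = foreach ($c in $checks) {
        # Resolve first so a DNS problem is reported separately from a blocked port.
        $resolves = $null -ne (Resolve-DnsName -Name $c.Host -ErrorAction SilentlyContinue)
        $tcpOpen = $false
        if ($resolves) {
            $tcpOpen = (Test-NetConnection -ComputerName $c.Host -Port $c.Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Target   = $c.Target
            Host     = $c.Host
            Port     = $c.Port
            Resolves = $resolves
            TcpOpen  = $tcpOpen
        }
    }

    # Show the per-endpoint table, then return a single pass/fail value.
    $results | Format-Table -AutoSize | Out-Host
    $failed = @($results | Where-Object { -not $_.TcpOpen })
    if ($failed.Count -gt 0) {
        Write-Warning ("Connector host cannot reach {0} required endpoint(s); " +
                       "fix DNS or firewall rules before running the connector MSI." -f $failed.Count)
        return $false
    }
    return $true
}

# Sample invocation with constructed placeholder values; replace with your EMS
# host, the port you enter in the EMS Port field, and your AD server.
Test-AdConnectorPrerequisites -EmsHost 'ems.example.com' -EmsPort 8013 -AdHost 'dc01.corp.example.com'
```

Run this from an elevated PowerShell session on the intended connector host. A `False` result on the AD rows with `Resolves` set to `True` usually means a firewall between the connector host and the domain controller; a `False` in `Resolves` means the host is not using DNS that can see the AD domain, which also needs fixing before the connector can proxy directory requests.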
