Fortinet white logo
Fortinet white logo

EMS Administration Guide

Fabric connection setup using FortiGate as a load balancer

Fabric connection setup using FortiGate as a load balancer

The FortiGate to EMS Fortinet Security Fabric connection in a high availability (HA) environment has the following limitations:

  • If round robin is enabled on the DNS server, FortiOS may reach a secondary EMS node during Fabric connection, resulting in the Fabric connection failing.
  • If there is a Fabric connection that is already configured, after EMS failover, the connector disconnects, since DNS still resolves to the primary EMS node.

For EMS HA failover to function correctly with FortiOS Fabric connectors, you can use a FortiGate as a load balancer (LB). This effectively brokers the data routing to the correct EMS based on availability.

To demonstrate this configuration, the example EMS HA environment uses the following components:

  • Two EMS nodes configured in an HA environment
  • FortiGate acting as the LB
  • FortiGate acting as the gateway
  • Endpoint running FortiClient
To configure a FortiGate as the LB:
  1. On the FortiGate acting as the LB, configure the secondary IP address for port4. FortiOS uses this secondary IP address as a virtual IP address to connect with EMS. In this case, the virtual server IP address is 172.16.16.102.
  2. Go to Policy & Objects > Health Check.
  3. Click Create New.
  4. For Type, select TCP.
  5. In the Port field, enter 8013.
  6. Configure other fields as desired.
  7. Create virtual servers:
    1. Go to Policy & Objects.
    2. Create a virtual server.
    3. In the Virtual Server IP field, enter the secondary IP address that you configured in step 1. In this example, it is 172.16.16.102.
    4. In the Virtual Server Port field, enter 8013.
    5. For Load Balancing method, select First Alive.
    6. For Health check, select monitor that you configured.
    7. Configure real servers:
      1. On the Real Servers tab, select Create New.
      2. In the IPv4 address field, enter the primary EMS node IP address. In this example, it is 192.168.0.4.
      3. In the Port field, enter 8013.
      4. In the Max connections field, enter 0.
      5. For Mode, select Active.
      6. Repeat these steps for the secondary EMS node. Click Save.
    8. Repeat steps a-g to create three additional virtual servers. The additional servers use ports 443, 8015, and 10443, but otherwise have identical settings to the first virtual server created. If you have enabled Chromebook management, create a virtual server for port 8443. Similarly, if you require importing an ACME certificate, create a virtual server for port 80.

  8. Create a security policy that includes the LB virtual server as a destination address:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Configure the Incoming Interface and Outgoing Interface fields. The outgoing interface connects to the primary EMS node.
    4. For Source, select all.
    5. In the Destination field, select ports 10443, 443, 8013, and 8015.
    6. For Service, select ALL.
    7. For Inspection Mode, select Proxy-based.
    8. Save the policy.
    9. If the EMS nodes are in different subnets, repeat these steps to configure a policy for the secondary EMS node. In this example, the nodes are in the same subnet, so you do not need to add a separate policy for the secondary EMS.

The FortiGate LB monitors the EMS nodes' statuses and forwards traffic to the active EMS node for ports 8013, 8015, 443, and 10443.

To configure the Fabric connection between FortiOS and EMS:
  1. In FortiOS, go to Security Fabric > Fabric Connectors.
  2. Double-click the FortiClient EMS card.
  3. Under FortiClient EMS Settings, in the IP/Domain name field, enter the EMS fully qualified domain name (FQDN). The FQDN resolves to the virtual server IP address, which in this case is 172.16.16.102. Similarly, the end user uses the FQDN to connect FortiClient to EMS.

Fabric connection setup using FortiGate as a load balancer

Fabric connection setup using FortiGate as a load balancer

The FortiGate to EMS Fortinet Security Fabric connection in a high availability (HA) environment has the following limitations:

  • If round robin is enabled on the DNS server, FortiOS may reach a secondary EMS node during Fabric connection, resulting in the Fabric connection failing.
  • If there is a Fabric connection that is already configured, after EMS failover, the connector disconnects, since DNS still resolves to the primary EMS node.

For EMS HA failover to function correctly with FortiOS Fabric connectors, you can use a FortiGate as a load balancer (LB). This effectively brokers the data routing to the correct EMS based on availability.

To demonstrate this configuration, the example EMS HA environment uses the following components:

  • Two EMS nodes configured in an HA environment
  • FortiGate acting as the LB
  • FortiGate acting as the gateway
  • Endpoint running FortiClient
To configure a FortiGate as the LB:
  1. On the FortiGate acting as the LB, configure the secondary IP address for port4. FortiOS uses this secondary IP address as a virtual IP address to connect with EMS. In this case, the virtual server IP address is 172.16.16.102.
  2. Go to Policy & Objects > Health Check.
  3. Click Create New.
  4. For Type, select TCP.
  5. In the Port field, enter 8013.
  6. Configure other fields as desired.
  7. Create virtual servers:
    1. Go to Policy & Objects.
    2. Create a virtual server.
    3. In the Virtual Server IP field, enter the secondary IP address that you configured in step 1. In this example, it is 172.16.16.102.
    4. In the Virtual Server Port field, enter 8013.
    5. For Load Balancing method, select First Alive.
    6. For Health check, select monitor that you configured.
    7. Configure real servers:
      1. On the Real Servers tab, select Create New.
      2. In the IPv4 address field, enter the primary EMS node IP address. In this example, it is 192.168.0.4.
      3. In the Port field, enter 8013.
      4. In the Max connections field, enter 0.
      5. For Mode, select Active.
      6. Repeat these steps for the secondary EMS node. Click Save.
    8. Repeat steps a-g to create three additional virtual servers. The additional servers use ports 443, 8015, and 10443, but otherwise have identical settings to the first virtual server created. If you have enabled Chromebook management, create a virtual server for port 8443. Similarly, if you require importing an ACME certificate, create a virtual server for port 80.

  8. Create a security policy that includes the LB virtual server as a destination address:
    1. Go to Policy & Objects > Firewall Policy.
    2. Click Create New.
    3. Configure the Incoming Interface and Outgoing Interface fields. The outgoing interface connects to the primary EMS node.
    4. For Source, select all.
    5. In the Destination field, select ports 10443, 443, 8013, and 8015.
    6. For Service, select ALL.
    7. For Inspection Mode, select Proxy-based.
    8. Save the policy.
    9. If the EMS nodes are in different subnets, repeat these steps to configure a policy for the secondary EMS node. In this example, the nodes are in the same subnet, so you do not need to add a separate policy for the secondary EMS.

The FortiGate LB monitors the EMS nodes' statuses and forwards traffic to the active EMS node for ports 8013, 8015, 443, and 10443.

To configure the Fabric connection between FortiOS and EMS:
  1. In FortiOS, go to Security Fabric > Fabric Connectors.
  2. Double-click the FortiClient EMS card.
  3. Under FortiClient EMS Settings, in the IP/Domain name field, enter the EMS fully qualified domain name (FQDN). The FQDN resolves to the virtual server IP address, which in this case is 172.16.16.102. Similarly, the end user uses the FQDN to connect FortiClient to EMS.