Fortinet white logo
Fortinet white logo

EMS Administration Guide

AD connector

AD connector

You can configure an Active Directory (AD) connector that acts as a proxy between the AD server and EMS.

The following shows an example environment, which consists of the following virtual machines (VM):

VM

Function

VM1

EMS

VM2

AD server (ems104.com)

VM3

AD connector

In this example, VM2 is connected to a local network with an IP address of 192.168.178.13/24. EMS is connected to a public network with an IP address of 10.71.5.77/24. In this scenario, when you attempt to add the AD server as an authentication server in Administration > Authentication Servers in EMS, it cannot reach the AD server. The AD connector solves this problem. The AD connector has the following network adapters:

Adapter

IP address

Adapter connector

192.168.78.14

Adapter data

192.168.1.105

Default gateway

192.168.1.1

The gateway for adapter data is 192.168.1.1, which is a FortiGate that is connected to the Internet. The AD server cannot directly connect to EMS. EMS cannot access the AD server. The connector serves as a proxy to add the AD server to EMS.

To configure the AD connector:
  1. Add an API key:
    1. In EMS, go to Administration > Authentication Servers.
    2. Click Connectors.
    3. Click API Keys, then Add. Add a new API key.

  2. Create the AD connector:
    1. You can install the AD connector in a host that EMS and the AD server can reach. On the host machine, from the EMS installation package, run FortiClientEndpointManagementServerADConnector_7.2.6.XXXX_x64.msi.
    2. In the Connect to EMS Configuration dialog, enter the EMS IP address, fully qualified domain name, or account ID in the EMS IP/FQDN/Account ID field.
    3. In the EMS Port field, enter the port number.
    4. In the Connector UID field, enter the desired AD connector UID. Entering a meaningful string to help identify the AD connector is recommended. Do not leave this field blank.
    5. In the Connector Api Key field, enter the API key value.
    6. Click Add Site, and enter the EMS site information. Ensure that a Connection established message displays, then click Next.

  3. If desired, configure the directories configuration. You can also click Next to configure it later:
    1. In the Directory Host field, enter the hostname of the desired AD server.
    2. In the Directory Port field, enter the port number that the AD server uses to communicate with EMS.
    3. In the Username and Password fields, enter the credentials used to log in to the AD server.
    4. If desired, enable Use LDAPS.

    5. If you enabled LDAPS, in the CA Certificate Path field, enter the path to the desired CA certificate to use for the LDAPS connection.

    6. If you enabled LDAPS, if desired, enable Check Cert Hostname.

    7. Under Non-Selected Sites for Directory and Selected Sites for Directory, click Include Sites and Exclude Sites to include and exclude sites as desired.

    8. Click Add Directory and Remove Directory to populate the Configured Directories List as desired. Click Next.

  4. In EMS, go to Administration > Authentication Servers > Connectors to confirm that you successfully created an AD connector.
  5. Go to Administration > Authentication Servers.
  6. Enable Use Connector.
  7. From the Connector dropdown list, select the AD connector.
  8. Save the configuration. EMS successfully adds the AD server as an authentication server.

AD connector

AD connector

You can configure an Active Directory (AD) connector that acts as a proxy between the AD server and EMS.

The following shows an example environment, which consists of the following virtual machines (VM):

VM

Function

VM1

EMS

VM2

AD server (ems104.com)

VM3

AD connector

In this example, VM2 is connected to a local network with an IP address of 192.168.178.13/24. EMS is connected to a public network with an IP address of 10.71.5.77/24. In this scenario, when you attempt to add the AD server as an authentication server in Administration > Authentication Servers in EMS, it cannot reach the AD server. The AD connector solves this problem. The AD connector has the following network adapters:

Adapter

IP address

Adapter connector

192.168.78.14

Adapter data

192.168.1.105

Default gateway

192.168.1.1

The gateway for adapter data is 192.168.1.1, which is a FortiGate that is connected to the Internet. The AD server cannot directly connect to EMS. EMS cannot access the AD server. The connector serves as a proxy to add the AD server to EMS.

To configure the AD connector:
  1. Add an API key:
    1. In EMS, go to Administration > Authentication Servers.
    2. Click Connectors.
    3. Click API Keys, then Add. Add a new API key.

  2. Create the AD connector:
    1. You can install the AD connector in a host that EMS and the AD server can reach. On the host machine, from the EMS installation package, run FortiClientEndpointManagementServerADConnector_7.2.6.XXXX_x64.msi.
    2. In the Connect to EMS Configuration dialog, enter the EMS IP address, fully qualified domain name, or account ID in the EMS IP/FQDN/Account ID field.
    3. In the EMS Port field, enter the port number.
    4. In the Connector UID field, enter the desired AD connector UID. Entering a meaningful string to help identify the AD connector is recommended. Do not leave this field blank.
    5. In the Connector Api Key field, enter the API key value.
    6. Click Add Site, and enter the EMS site information. Ensure that a Connection established message displays, then click Next.

  3. If desired, configure the directories configuration. You can also click Next to configure it later:
    1. In the Directory Host field, enter the hostname of the desired AD server.
    2. In the Directory Port field, enter the port number that the AD server uses to communicate with EMS.
    3. In the Username and Password fields, enter the credentials used to log in to the AD server.
    4. If desired, enable Use LDAPS.

    5. If you enabled LDAPS, in the CA Certificate Path field, enter the path to the desired CA certificate to use for the LDAPS connection.

    6. If you enabled LDAPS, if desired, enable Check Cert Hostname.

    7. Under Non-Selected Sites for Directory and Selected Sites for Directory, click Include Sites and Exclude Sites to include and exclude sites as desired.

    8. Click Add Directory and Remove Directory to populate the Configured Directories List as desired. Click Next.

  4. In EMS, go to Administration > Authentication Servers > Connectors to confirm that you successfully created an AD connector.
  5. Go to Administration > Authentication Servers.
  6. Enable Use Connector.
  7. From the Connector dropdown list, select the AD connector.
  8. Save the configuration. EMS successfully adds the AD server as an authentication server.