
EMS Administration Guide

Configuring EMS settings

FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiClient EMS.

When you enable multitenancy, you must configure some EMS settings at the global level, and other settings at the site level. See Global and per-site configuration.

To configure EMS settings:
  1. Go to System Settings > EMS Settings.
  2. Configure the following options under Shared Settings. EMS uses these settings both when managing Windows, macOS, and Linux endpoints and when managing Chromebook endpoints:

    Hostname

    Displays the FortiClient EMS server's hostname.

    Listen on IP

    Displays the IP addresses for the FortiClient EMS server. FortiClient connects to FortiClient EMS on the specified IP address.

    You can generate a QR code for the specified IP address. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints.

    Use FQDN

    Specify a fully qualified domain name (FQDN) for the FortiClient EMS server.

    FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal devices. For external devices or devices that may leave the internal network, you must consider how to maintain this connection. FortiClient can connect to EMS using an IP address or FQDN. An FQDN is preferable for the following reasons:

    • Easy to migrate EMS to a different IP address
    • Easy to migrate to a different EMS instance
    • Flexible to dynamically resolve the FQDN

    The third reason is particularly valuable for environments where devices may be internal or external from day to day. When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address and register your external IP address with public DNS servers. You must then configure the device with your external IP address to forward communication received on port 8013 to your EMS internal IP address. This allows your external clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use the same FQDN to reach EMS directly.

    Alternatively, you can use a private IP address for the connection. This configuration requires external clients to establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all endpoints need an urgent update but some are disconnected from VPN at that time.

    FQDN

    Enter the FortiClient EMS server FQDN. FortiClient can connect using the specified IP address in the Listen on IP Addresses option or the specified FQDN.

    Remote HTTPS access

    Specify settings for remote administration access to FortiClient EMS.

    Turn remote HTTPS access to FortiClient EMS on and off. When enabled, enter a hostname in the Custom hostname field to let administrators use a browser and HTTPS to log into FortiClient EMS. When disabled, administrators can only log into FortiClient EMS on the server.

    HTTPS port

    Available when Remote HTTPS Access is enabled. Displays the predefined HTTPS port. You cannot change the port.

    Pre-defined hostname

    Available when Remote HTTPS Access is enabled. Displays the predefined hostname. You cannot change the name.

    Custom hostname

    Available when Remote HTTPS Access is turned on. Displays the predefined hostname of the server on which FortiClient EMS is installed. You can customize the hostname. When you change the hostname, the web server restarts.

    Management IP and Port

    Available when Remote HTTPS Access is turned on. If the EMS has an IP address that is usually not publicly reachable but the FortiGate could reach, specify this IP address. In most cases, this is an internal IP address. The FortiOS administrator can use this IP address to connect the FortiGate to the EMS using a Fabric connector.

    Redirect HTTP request to HTTPS

    Available when Remote HTTPS Access is turned on. If this option is enabled and you attempt to remotely access FortiClient EMS at http://<server_name>, the request is automatically redirected to https://<server_name>.

    Webserver certificate

    Displays the SSL certificate currently used for the Apache service and the Notify (websockets) daemon. If desired, you can select another certificate from the dropdown list. See EMS Server Certificates.

    Use Webserver certificate for Endpoint Control

    Enable to use the certificate uploaded in the Webserver certificate field for endpoint control.

    Endpoint Control certificate

    Displays the SSL certificate currently used on port 8013 for the Endpoint Control daemon. If desired, you can select another certificate from the dropdown list. See EMS Server Certificates.

    When this option is enabled and FortiClient tries to connect to EMS using the endpoint control protocol, EMS sends the SSL certificate so that FortiClient can use the certificate to verify the connection.

    If the SSL certificate is from a publicly signed certificate authority, only endpoints with the following FortiClient versions can connect to EMS:

    • 6.4.7 and later
    • 7.0.2 and later
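Before switching the Endpoint Control certificate to a publicly signed CA, it is worth checking the endpoint inventory against the two version floors listed above. The following is an added example (not Fortinet code) that does that check against a constructed inventory; it assumes that version strings are `major.minor.patch[.build]` and that branches newer than 7.0 (7.2, 7.4, ...) count as "7.0.2 and later".

```python
"""Pre-flight check for a publicly signed Endpoint Control certificate:
which FortiClient endpoints are still on a version that could not reconnect?

Added example, not Fortinet code. The minimums (6.4.7 and 7.0.2) are the ones
stated in the EMS settings reference; the inventory is constructed.
Assumption: branches newer than 7.0 are treated as "7.0.2 and later".
"""
from __future__ import annotations

# Minimum supported patch per release branch, keyed by (major, minor).
PUBLIC_CA_MINIMUMS = {
    (6, 4): (6, 4, 7),
    (7, 0): (7, 0, 2),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing build number is ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiClient version: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def supports_public_ca(version: str) -> bool:
    """True if this FortiClient version can connect to an EMS whose Endpoint
    Control certificate is issued by a publicly signed CA."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PUBLIC_CA_MINIMUMS:
        return (major, minor, patch) >= PUBLIC_CA_MINIMUMS[branch]
    # Branches older than 6.4 are below both floors; newer branches (7.2+)
    # are assumed to include the support (see module docstring).
    return branch > (7, 0)


# Constructed sample inventory; these are not real endpoints.
SAMPLE_INVENTORY = [
    {"host": "LAPTOP-01", "version": "7.0.1.0083"},
    {"host": "LAPTOP-02", "version": "7.0.2.0090"},
    {"host": "DESK-03", "version": "6.4.6.1723"},
    {"host": "DESK-04", "version": "6.4.9.1800"},
    {"host": "MAC-05", "version": "7.2.0.0644"},
    {"host": "LEGACY-06", "version": "6.2.9.0000"},
]


def endpoints_blocked_by_public_ca(inventory: list[dict]) -> list[str]:
    """Hosts that would lose their EMS connection after the switch, sorted."""
    blocked = [e["host"] for e in inventory
               if not supports_public_ca(e["version"])]
    return sorted(blocked)


if __name__ == "__main__":
    for host in endpoints_blocked_by_public_ca(SAMPLE_INVENTORY):
        print(f"upgrade before switching certificate: {host}")
```

Run it against an export of the EMS endpoint list to get the upgrade backlog before changing the certificate rather than after endpoints drop off.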

    EMS CA certificate (ZTNA)

    This feature requires the ZTNA or EPP license and only applies for endpoints running FortiClient 7.0.0 and later versions. See Windows, macOS, and Linux licenses.

    Displays the EMS CA certificate expiry. EMS sends this certificate to FortiOS. See FortiClient in the Security Fabric.

    Click the Revoke and Update button to revoke and update the certificate. You may want to revoke a certificate if it is compromised and can no longer be trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient with a new certificate signing request. This may affect existing connections.

    Enable ZTNA token

    Enable the ZTNA JSON web token (JWT). See JWT support for ZTNA UID and tag sharing.

    ZTNA token timeout

    If you enabled the ZTNA JWT, enter the JWT expiry time in minutes. The minimum and default value is 60 minutes. When the expiry time is reached, EMS generates a new JWT and sends it to endpoints.

    Reset Stalled Deployment Interval

    Enter the number of hours after which to reset stalled deployments.

    Admin Lockout Attempt

    Configure the number of unsuccessful login attempts after which EMS locks out the admin. The default is three attempts.

    Admin Lockout Period

    Configure the number of seconds for which EMS locks out an admin after they reach the number of unsuccessful login attempts configured in Admin Lockout Attempt.

  3. Configure the following options under EMS Settings. FortiClient EMS uses these settings when managing Windows, macOS, and Linux endpoints:

    Listen on port

    Displays the FortiClient EMS server default port. You can change the port by typing a new port number. FortiClient connects using the specified port number.

    Use persistent connections

    Allow FortiClient to create a persistent connection with EMS, so that it does not tear down and renegotiate the TLS connection at every keepalive (KA) interval.

    FortiOS Connector port

    Displays the default port that FortiClient EMS uses to connect to FortiOS, where FortiClient EMS is the server and FortiOS is a client. You can change the port by typing a new port number. FortiOS connects using the specified port number.

    FortiClient download URL

    FortiClient deployment packages created in FortiClient EMS are available for download at this URL.

    Open port 10443 in Windows Firewall

    Open port 10443 or close port 10443. Port 10443 is used to download FortiClient.

    Enforce User Verification

    Enforce user verification for endpoints. Users must log in to verified user accounts to register to EMS. See Invitations.

    Enforce invitation-only registration for

    Enforce invitation-only registration for some or all users. When you select all, FortiClient can only register to EMS using an invitation. See Invitations.

    User Verification Period

    Enter the desired number of days for the user verification period. The minimum number of days is seven. When you enable enforced user verification, EMS deauthenticates all users that were authenticated earlier than the configured verification period. For example, if you configure the period as 30 days and then enable it, EMS immediately deauthenticates users that were authenticated more than 30 days ago. The timeout takes effect immediately.

    Sign software packages

    Enable this option to have Windows FortiClient software installers created by or uploaded to FortiClient EMS digitally signed with a code signing certificate.

    Timestamp server

    Enter the server address to timestamp software installers with.

    Certificate

    Upload the desired code signing certificate. This must be a .pfx file. After a certificate has been uploaded, its expiry date is also displayed.

    Password

    Enter the certificate password. This is required for FortiClient EMS to sign the software installers with the certificate.

    Configure EMS server list

    Select an option from the dropdown list. Users can configure this IP address in Shared Settings > Listen on IP.

    Connect to local subnets only

    Only allow connection to local subnets.

    Enable login banner

    When you enable the login banner, a message appears prior to a user logging into FortiClient EMS. In the Message field, type your message. The Preview section displays a preview of the message.

  4. If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after enabling this option.
  5. Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS managing Chromebook endpoints:

    Listen on port

    Displays the default port for the FortiClient EMS server for Chromebooks. You can change the port by typing a new port number. The FortiClient Web Filter extension on Chromebooks connects to FortiClient EMS using the specified port number.

    User inactivity timeout

    Enter the number of hours of inactivity after which the user is timed out.

    Profile update interval

    Specify the profile update interval (in seconds).

    Chromebook certificate

    Displays the SSL certificate currently used for the Chromebook daemon. If desired, you can select another certificate from the dropdown list. See EMS Server Certificates.

    Service account

    Displays the service account ID currently in use.

    Update service account

    Update the service account with new credentials.

    Reset service account

    If your service account is broken, you can revert to the default service account by clicking the Reset button. You must Save the settings for the change to take effect.

    ID

    Available if the Update service account button is clicked. Enter a new service account ID.

    Private key

    Available if the Update service account button is clicked. Upload a new service account private key.

  6. Configure the following options under Endpoints Settings:

    FortiClient telemetry connection key

    Add the FortiClient Telemetry connection key for FortiClient EMS. FortiClient must provide this key during connection.

    The key cannot contain a semicolon (;).

    You can generate a QR code for the specified key. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints.

    Keep alive interval

    Each connected FortiClient endpoint sends a short KA message to FortiClient EMS, reports client-side changes, and checks for configuration changes on EMS at the specified interval. A large number of endpoints frequently connecting to the EMS server can affect server and network performance. In this case, increasing the KA interval is recommended.

    Offline timeout

    Configure the number of KA intervals after which EMS considers the endpoint to be offline.

    Tag timeout

    Configure the number of minutes after EMS considers an endpoint to be offline (as configured in the Offline timeout field) before EMS removes tags from the endpoint.

    EMS license timeout

    Configure the number of days without contact from an endpoint after which EMS removes that endpoint's registration record.

    FortiClient license timeout

    Configure the number of days without contact from an endpoint after which EMS removes the license from FortiClient. This setting only applies to endpoints running FortiClient 6.4.

    Delete timeout

    Configure the number of days after which EMS deletes a deregistered endpoint. For example, if you configure this value to be 45 days, EMS deletes the endpoint 45 days after its deregistration.
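The Keep alive interval, Offline timeout, Tag timeout, EMS license timeout and Delete timeout settings above form one chain of timers, and the interesting security question is how long a device that has gone dark keeps the tags that FortiOS policy may act on. The following added example (not Fortinet code) turns a set of values into an absolute timeline; it assumes the keep alive interval is expressed in seconds, that each timer starts at the event its setting names, and uses constructed sample values.

```python
"""Timeline of what EMS does with an endpoint that stops checking in, driven
by the Endpoints Settings: Keep alive interval, Offline timeout, Tag timeout,
EMS license timeout and Delete timeout.

Added example, not Fortinet code. Assumptions: the keep alive interval is in
seconds; each timer starts at the event its setting names (last contact, or
the deregistration for Delete timeout); the sample values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class EndpointTimeouts:
    keep_alive_seconds: int  # Keep alive interval (assumed unit: seconds)
    offline_intervals: int   # Offline timeout: KA intervals without a KA
    tag_minutes: int         # Tag timeout: minutes after going offline
    license_days: int        # EMS license timeout: days without contact
    delete_days: int         # Delete timeout: days after deregistration

    def __post_init__(self) -> None:
        for name, value in vars(self).items():
            if value < 1:
                raise ValueError(f"{name} must be at least 1, got {value}")


def lifecycle(last_contact: datetime, t: EndpointTimeouts,
              deregistered_at: datetime | None = None) -> dict[str, datetime]:
    """Absolute times at which EMS changes the endpoint's state."""
    offline_at = last_contact + timedelta(
        seconds=t.keep_alive_seconds * t.offline_intervals)
    events = {
        "offline_at": offline_at,
        "tags_removed_at": offline_at + timedelta(minutes=t.tag_minutes),
        "registration_removed_at": last_contact + timedelta(days=t.license_days),
    }
    if deregistered_at is not None:
        events["deleted_at"] = deregistered_at + timedelta(days=t.delete_days)
    return events


def tag_exposure(t: EndpointTimeouts) -> timedelta:
    """How long a dark endpoint keeps its tags, counted from its last KA.
    Tags feed FortiOS dynamic/ZTNA policy, so this is the window in which a
    missing device still matches tag-based rules."""
    return (timedelta(seconds=t.keep_alive_seconds * t.offline_intervals)
            + timedelta(minutes=t.tag_minutes))


def state_at(now: datetime, events: dict[str, datetime]) -> str:
    """The endpoint's state at `now`, judged by the latest event reached."""
    if "deleted_at" in events and now >= events["deleted_at"]:
        return "deleted"
    if now >= events["registration_removed_at"]:
        return "registration removed"
    if now >= events["tags_removed_at"]:
        return "offline, tags removed"
    if now >= events["offline_at"]:
        return "offline, tags still applied"
    return "online"


def sample_timeline() -> dict[str, datetime]:
    """Constructed scenario: KA every 60 s, offline after 5 missed intervals,
    tags dropped 30 min later, record removed after 30 days without contact,
    deletion 45 days after a deregistration on 1 Feb 2024."""
    t = EndpointTimeouts(keep_alive_seconds=60, offline_intervals=5,
                         tag_minutes=30, license_days=30, delete_days=45)
    last_seen = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    dereg = datetime(2024, 2, 1, 0, 0, tzinfo=timezone.utc)
    return lifecycle(last_seen, t, deregistered_at=dereg)


if __name__ == "__main__":
    for name, when in sample_timeline().items():
        print(f"{name:24s} {when.isoformat()}")
```

Raising the KA interval to relieve server load, as the Keep alive interval note suggests, lengthens `tag_exposure` proportionally, so re-check that window after tuning.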

    Deauthorized user inactivity timeout

    Enable and configure the number of days after which EMS deletes FortiClient user records for unauthorized users.

    Stale verified user cleanup timeout

    Enable and configure the number of days after which EMS deletes FortiClient user records associated with a single device user for unauthorized users. You can click Delete now to delete the records immediately.

    Automatically upload avatars

    FortiClient uploads user avatars to all FortiGates, FortiAnalyzers, and FortiClient EMS servers it is connected to.

    Enable endpoint snapshot reports

    Enable endpoint snapshot reports and enter the interval at which to take reports in seconds. The interval must be between 300 and 86400 seconds.

  7. Enable Manage Multiple Customer Sites. This enables multitenancy for EMS.
  8. Configure the following options under EMS FSSO Settings. These settings add SSL encryption to the Fortinet single sign on protocol between EMS and FortiOS.

    SSL certificate

    Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.

    Certificate

    Browse and upload a new SSL certificate file.

    Password

    Configure a new SSL password.

  9. Click Save.
