Migrating EMS 7.2.4 or 7.2.5 to 7.4.1
The following provides instructions for migrating existing EMS 7.2.4 or 7.2.5 configurations to EMS 7.4.1. Only EMS 7.2.4 or 7.2.5 support the migration. To migrate earlier EMS versions to 7.4.1, first upgrade them to 7.2.4 or 7.2.5 as FortiClient Upgrade Path describes.
Avoid saving or deleting mobile device management (MDM) integrations while both the old and new EMS servers are running. This is necessary because both EMS servers share the same MDM service, and one server can accidentally overwrite changes made on the other.
To configure the EMS Linux machine:
- Install EMS 7.4.1 on the Linux machine. Do not configure any settings on EMS. See Standalone EMS install.
- The EMS migration requires a user. You can create a new user or use an existing one. Add the user to the sudo, forticlientems, and www-data groups. In this example the user is "test":
sudo adduser test
sudo usermod -aG sudo test
sudo usermod -aG forticlientems test
sudo usermod -aG www-data test
- Do one of the following:
- Disable firewall:
sudo ufw disable
- Enable firewall and ports 5432, 443, and 22:
sudo ufw enable
sudo ufw allow 5432/tcp
sudo ufw allow 22/tcp
sudo ufw allow 443/tcp
- Do the following steps if your implementation does not use Docker. If you are using Docker, go to step 5:
- Update /etc/postgresql/15/main/postgresql.conf to listen on all addresses. Remove # and replace localhost with *:
sudo nano postgresql.conf
#listen_addresses = 'localhost' >> listen_addresses = '*'
- Update /etc/postgresql/15/main/pg_hba.conf to allow remote access to postgresql:
sudo nano pg_hba.conf
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256 >> host all all 0.0.0.0/0 scram-sha-256
- Restart the postgresql service:
sudo systemctl restart postgresql
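The postgresql.conf and pg_hba.conf edits above make PostgreSQL accept connections from any address that can reach port 5432. The following added example (not part of Fortinet's procedure or tooling) is a shell check that reports those two settings on the EMS Linux server; the function names and sample files are constructed for illustration, and 192.0.2.10 is a placeholder address.

```shell
#!/bin/sh
# Added example, not Fortinet code. On the EMS Linux server, call for instance:
#   audit_pg /etc/postgresql/15/main/postgresql.conf /etc/postgresql/15/main/pg_hba.conf

# Print the effective listen_addresses (last uncommented setting; default is localhost).
listen_addresses() {
    v=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-localhost}"
}

# Print pg_hba.conf host* rules whose ADDRESS matches every IPv4 or IPv6 source.
# Record layout: TYPE DATABASE USER ADDRESS [NETMASK] METHOD
open_hba_rules() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         $1 ~ /^host/ && ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all" ||
                          ($4 == "0.0.0.0" && $5 == "0.0.0.0")) {
             printf "line %d: %s\n", NR, $0 }' "$1"
}

# Report both findings; return 1 if PostgreSQL is exposed beyond loopback.
audit_pg() {
    rc=0
    la=$(listen_addresses "$1")
    case "$la" in
        localhost|127.0.0.1|::1) ;;
        *) echo "listen_addresses = '$la'"; rc=1 ;;
    esac
    rules=$(open_hba_rules "$2")
    if [ -n "$rules" ]; then
        echo "pg_hba.conf rules open to any source:"; echo "$rules"; rc=1
    fi
    return "$rc"
}

# Constructed sample files reproducing the edits described in the steps above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/postgresql.conf" <<'EOF'
#listen_addresses = 'localhost'
listen_addresses = '*'
EOF
cat > "$demo_dir/pg_hba.conf" <<'EOF'
# IPv4 local connections:
host all all 0.0.0.0/0 scram-sha-256
# Narrower form (placeholder address): host all all 192.0.2.10/32 scram-sha-256
host all all 127.0.0.1/32 scram-sha-256
EOF
audit_pg "$demo_dir/postgresql.conf" "$demo_dir/pg_hba.conf" || echo "exposure found"
```

A pg_hba.conf rule limited to a single source address, as in the commented placeholder line, is not flagged by this check.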
To configure the Windows Server machine with the EMS instance to migrate:
The Windows Server machine must have TLS 1.2 enabled for Client. In Registry Editor, confirm that the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] is set to 1 or does not exist at all. Being enabled is the default behavior.
- Create a user in SQL Server with the sysadmin role. You will use this user to export the tables that contain EMS data:
- Log in to SQL Server Management Studio using Windows authentication. You may need to enable Trust server certificate.
- In Object Explorer, right-click FCEMS and select Properties. Click Security and select SQL Server and Windows Authentication mode.
- In Object Explorer, go to Security > Logins. Right-click and select New login > General.
- In the Login name field, enter the desired login name. In this example, the login name is ems.
- Select SQL Server authentication.
- In the Password and Confirm password fields, enter the desired password.
- Disable Enforce password policy. Save.
- Go to Server Roles. Select sysadmin. Save.
- Restart the SQL Server (FCEMS) service. The service name may differ. Check the given name during your remote SQL install.
- If you have not enabled or installed PowerShell on the Windows Server, follow the steps in Get started with OpenSSH for Windows to install OpenSSH.
- Generate a public key pair in PowerShell and copy it to the EMS Linux server home directory:
- In PowerShell, enter the following command. For all subsequent prompts, press the Enter key. A key pair is generated and saved to C:\Users\Administrator\.ssh.
ssh-keygen.exe -t rsa -b 4096
- Enter the following command. In this example, 172.16.1.22 is the Linux server IP address:
ssh test@172.16.1.22 mkdir -p .ssh
- Enter the following command:
cat C:\Users\Administrator\.ssh/id_rsa.pub | ssh test@172.16.1.22 'cat >> ~/.ssh/authorized_keys'
- Download the migration tool from the Fortinet Support site and extract the files. The migration tool consists of an executable and a config file.
- Open the config file in a text editor. The file consists of the following parameters:
Parameter | Value to configure |
---|---|
[sqlserver] | |
host | SQL Server IP address. If you are using a local database, enter 127.0.0.1. |
port | Microsoft SQL Server port. |
user | User in SQL Server with sysadmin role. For an EMS with a local database, you can leave this field blank. |
password | Password for SQL user. For an EMS with a local database, you can leave this field blank. |
[postgresql] | |
host | EMS Linux server IP address, as in this example the database and EMS will be on the same Linux server. |
port | Postgres port. |
user | Postgres default username. |
password | Postgres user password found in /opt/forticlientems/pgbouncer/userlist.txt. |
account_number | This value is used for FortiClient Cloud. |
[linux_server] | |
host | EMS Linux server IP address. |
ssh_port | SSH port open in EMS Linux. |
user | EMS Linux Server user (member of sudo, forticlientems, and www-data group). |
password | EMS Linux Server user password. |
key_file | Key file location in EMS Windows Server. |

The following shows an example:
[sqlserver]
host = 172.16.1.3
port = 1433
user = ems
password = Test123!
[postgresql]
host = 172.16.1.22
port = 5432
user = postgres
password = postgres
account_number =
[linux_server]
host = 172.16.1.22
ssh_port = 22
user = test
password = password # EMS Linux Server user's password
key_file = C:\Users\Administrator\.ssh\id_rsa # location of key file in EMS Windows
[files]
# Copy a single file or a directory recursively to the remote server
# follow the pattern: file_or_folder_key = {'source' : '<file_source>', 'target' : '<file_target>'}
# multiple entries are allowed, file_or_folder_key is just a placeholder
# Examples:
# 1 - copying the installer directory recursively:
# installer_dir =
# {'source' : 'C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\Installers',
# 'target' : '/opt/forticlientems/data'}
# 2 - copying a specific file:
# signatures_file =
# {'source' : 'C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\signatures\\emsaval\\emsaval.dll',
# 'target' : '/opt/forticlientems/data/signatures/emsaval/emsaval.dll'}
- Open an elevated PowerShell prompt inside the EMS Windows server and go to the directory where you extracted the migration tool. Run migration.exe:
.\migration.exe
If there are issues, check the migration log in the same folder as the migration tool.
- After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS does not create this service, which only exists to pass commands to version-specific Postgres services. It displays as part of the output as the command filters for all services that contain "postgres" in the name.
- Access the EMS GUI on the Linux server and verify that all configurations and data from the EMS Windows Server were migrated.
To migrate FortiClient endpoints to Linux EMS:
After EMS migration completes, do one of the following to migrate FortiClient endpoints to Linux EMS:
Method | Description |
---|---|
Update DNS record with Linux EMS IP address (recommended) | On the DNS server, update the DNS record for EMS with the Linux EMS IP address. FortiClient endpoints that were previously connected to Windows Server EMS resolve the EMS FQDN to the new IP address and connect to the Linux EMS. This is the recommended method to migrate FortiClient endpoints to Linux EMS. The endpoint automatically connects to Linux EMS. Even if user verification is enabled, the migration is seamless and the user does not notice any changes on the endpoint. |
Switch EMS | |
Configure EMS server list on Windows Server EMS | This method only works if user verification is not enforced and FortiClient connects to EMS using an FQDN or IP address. |
After migration, the license remains active on Windows Server EMS.