Add support for multitenant FortiClient EMS deployments 7.2.1
When FortiClient EMS multitenancy is configured, a FortiClient EMS site is no longer unique using its serial number alone. The FortiGate configuration for FortiClient EMS connectors and related diagnostic commands have been enhanced to distinguish EMS sites using their serial number and tenant ID.
This feature includes the following enhancements:
- Update config endpoint-control fctems to predefine five FortiClient EMS Fabric connectors that are referred to using numerical IDs from 1 to 5. Administrators can configure the status and name settings, and display the tenant ID retrieved from FortiClient EMS sites with Manage Multiple Customer Sites enabled.
    config endpoint-control fctems
        edit {1 | 2 | 3 | 4 | 5}
            set status {enable | disable}
            set name <string>
            set server <string>
            set serial-number <string>
        next
    end
A single tenant EMS server or the default site on a multitenant EMS server has a tenant ID consisting of all zeros (00000000000000000000000000000000).
For more details about Enabling and configuring multitenancy, refer to the FortiClient EMS Administration Guide. The Manage Multiple Customer Sites setting is enabled on the System Settings > EMS Settings page in FortiClient EMS.
- Update the FortiClient EMS Fabric connector to retrieve specific ZTNA tags from each configured FortiClient EMS site.
- Update diagnose endpoint record list to return the EMS tenant id field retrieved from each respective FortiClient EMS server.
- Update ZTNA and EMS debug commands to accept the EMS serial number and tenant ID as parameters.
    # diagnose endpoint lls-comm send ztna find-uid <uid> <EMS_serial_number> <EMS_tenant_id>
    # diagnose wad dev query-by uid <uid> <EMS_serial_number> <EMS_tenant_id>
To configure a FortiClient EMS Fabric connector:
    config endpoint-control fctems
        edit 1
            set status enable
            set name "ems1"
            set server "ems1.test.com"
            set serial-number "FCTEMS0000000001"
            set tenant-id "00000000000000000000000000000000"
        next
    end
To view the FortiClient EMS Fabric connector configuration, including the tenant ID:
    # show endpoint-control fctems
    config endpoint-control fctems
        edit 1
            set status enable
            set name "ems1"
            set server "ems1.test.com"
            set serial-number "FCTEMS0000000001"
            set tenant-id "00000000000000000000000000000000"
        next
        edit 2
        next
        edit 3
        next
        edit 4
        next
        edit 5
        next
    end
To verify the endpoint record list:
    # diagnose endpoint record list
    Record #1:
        IP Address = 21.21.21.198
        MAC Address = 00:0c:29:59:79:08
        MAC list =
        VDOM = root (0)
        EMS serial number: FCTEMS0000000001
        EMS tenant id: 00000000000000000000000000000000
        Client cert SN: 19C72E7FC417E438AB2ED219FF435718FE164E88
        Public IP address: 172.18.62.10
        ...
To check the endpoint information from WAD:
    # diagnose wad dev query-by uid 2E90E8F7ABAD4D1F8B615AD58A0982C9 FCTEMS0000000001 00000000000000000000000000000000
    Attr of type=0, length=83, value(ascii)=2E90E8F7ABAD4D1F8B615AD58A0982C9
    Attr of type=4, length=0, value(ascii)=
    Attr of type=6, length=1, value(ascii)=true
    Attr of type=5, length=40, value(ascii)=19C72E7FC417E438AB2ED219FF435718FE164E88
    Attr of type=3, length=32, value(ascii)=EMS5_ZTNA_all_registered_clients
    Attr of type=3, length=37, value(ascii)=EMS5_ZTNA_ems1_management_tag
    Response termination due to no more data
To check the endpoint information:
    # diagnose endpoint lls-comm connect
    Successfully connected.
    # diagnose endpoint lls-comm send general register 8
    # diagnose endpoint lls-comm send ztna find-uid 2E90E8F7ABAD4D1F8B615AD58A0982C9 FCTEMS0000000001 00000000000000000000000000000000
    # diagnose endpoint lls-comm recv
    Channel: ZTNA(3), Size: 617, Command: Update Device(82)
      - UID: 2E90E8F7ABAD4D1F8B615AD58A0982C9
      - EMS Fabric ID: FCTEMS0000000001 :00000000000000000000000000000000
      - Domain: ad864r2.com
      - User: Administrator
      - Owner:
      - Certificate SN: 19C72E7FC417E438AB2ED219FF435718FE164E88
      - online: true
      - Routes (1):
      -- Route #0: IP=21.21.21.198, vfid=0
      - FWAddrNames (2):
      -- Name (#0): EMS5_ZTNA_all_registered_clients
      -- Name (#1): EMS5_ZTNA_ems1_management_tag
    received 1 messages.
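The following Python script is an added example, not FortiOS or Fortinet code. It parses constructed output shaped like diagnose endpoint record list and the EMS Fabric ID line of diagnose endpoint lls-comm recv, then keys each endpoint record by the (EMS serial number, EMS tenant ID) pair. Two of the constructed records share one EMS serial number but belong to different tenants, which is exactly the case where keying by serial number alone would merge endpoints from separate customer sites. The sample records, the non-zero tenant ID, the IP and MAC addresses and the certificate serial numbers are constructed values and do not come from the page.

```python
"""Added example (not FortiOS code): identify EMS sites by (serial number, tenant ID)."""
import re
from collections import defaultdict

# A single-tenant EMS, or the default site of a multitenant EMS, reports an all-zero tenant ID.
DEFAULT_TENANT_ID = "0" * 32

# Constructed sample output modelled on `diagnose endpoint record list` (not captured output).
# Records #1 and #2 come from the same EMS serial number but different tenants;
# record #3 comes from a second, single-tenant EMS.
SAMPLE_RECORD_LIST = """\
Record #1:
    IP Address = 21.21.21.198
    MAC Address = 00:0c:29:59:79:08
    VDOM = root (0)
    EMS serial number: FCTEMS0000000001
    EMS tenant id: 00000000000000000000000000000000
    Client cert SN: 19C72E7FC417E438AB2ED219FF435718FE164E88
Record #2:
    IP Address = 21.21.21.199
    MAC Address = 00:0c:29:59:79:09
    VDOM = root (0)
    EMS serial number: FCTEMS0000000001
    EMS tenant id: 5D2C1F0A9B8E47C3A1F6E2D4B7C9A0E1
    Client cert SN: 0B1C2D3E4F5A69788796A5B4C3D2E1F001234567
Record #3:
    IP Address = 21.21.21.200
    MAC Address = 00:0c:29:59:79:0a
    VDOM = root (0)
    EMS serial number: FCTEMS0000000002
    EMS tenant id: 00000000000000000000000000000000
    Client cert SN: FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

_RECORD_SPLIT = re.compile(r"^Record #\d+:", re.MULTILINE)
_FIELDS = {
    "ip": re.compile(r"IP Address\s*=\s*(\S+)"),
    "mac": re.compile(r"MAC Address\s*=\s*(\S+)"),
    "serial": re.compile(r"EMS serial number:\s*(\S+)"),
    "tenant_id": re.compile(r"EMS tenant id:\s*([0-9A-Fa-f]{32})"),
    "cert_sn": re.compile(r"Client cert SN:\s*(\S+)"),
}
# Matches the "EMS Fabric ID: <serial> :<tenant id>" line of `diagnose endpoint lls-comm recv`.
_FABRIC_ID = re.compile(r"EMS Fabric ID:\s*([A-Z0-9]+)\s*:\s*([0-9A-Fa-f]{32})")


def parse_record_list(text):
    """Split `diagnose endpoint record list` style output into one dict per record."""
    records = []
    for chunk in _RECORD_SPLIT.split(text):
        if not chunk.strip():
            continue
        rec = {}
        for name, rx in _FIELDS.items():
            m = rx.search(chunk)
            rec[name] = m.group(1) if m else None
        records.append(rec)
    return records


def ems_site_key(record):
    """An EMS site is unique by (serial number, tenant ID), not by serial number alone."""
    return (record["serial"], record["tenant_id"])


def is_default_site(tenant_id):
    return tenant_id == DEFAULT_TENANT_ID


def group_by_site(records):
    """Group endpoint records by the EMS site they were learned from."""
    sites = defaultdict(list)
    for rec in records:
        sites[ems_site_key(rec)].append(rec)
    return dict(sites)


def serial_only_collisions(records):
    """Serial numbers seen with more than one tenant ID: keying by serial alone would merge them."""
    tenants_per_serial = defaultdict(set)
    for rec in records:
        tenants_per_serial[rec["serial"]].add(rec["tenant_id"])
    return {serial for serial, tenants in tenants_per_serial.items() if len(tenants) > 1}


def parse_fabric_id(line):
    """Return (serial, tenant_id) from an lls-comm 'EMS Fabric ID' line, or None."""
    m = _FABRIC_ID.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    recs = parse_record_list(SAMPLE_RECORD_LIST)
    for (serial, tenant_id), members in group_by_site(recs).items():
        label = "default site" if is_default_site(tenant_id) else f"tenant {tenant_id}"
        print(f"{serial} ({label}): {[r['ip'] for r in members]}")
    print("serials ambiguous without a tenant ID:", serial_only_collisions(recs))
```

Run on the constructed sample, the script reports three distinct EMS sites and flags FCTEMS0000000001 as ambiguous without its tenant ID, which is why the updated debug commands take both the serial number and the tenant ID as parameters.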