7.2.5

Registering to FortiClient EMS and verifying ZTNA tags

FortiClient endpoints need to be able to reach FortiClient EMS over the FortiClient telemetry port (TCP/8013 by default) in both On-net and Off-net situations. Depending on where FortiClient EMS is located, either on-premise or in the Cloud, such as FortiClient Cloud, the proper firewall policies will need to be configured.

In the example topology below, FortiClient EMS is deployed on-premise:

The following will need to be configured:

  • A VIP and firewall policy on the FortiGate to allow external connections to FortiClient EMS on 10.88.0.1:8013. If FortiClient download is needed, also allow the HTTPS port (443 by default).

  • A firewall policy allowing internal subnets to connect to FortiClient EMS.

  • The FQDN of the FortiClient EMS server needs to be resolvable both internally and remotely. This may require registering the FQDN in public DNS.
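The following FortiOS CLI configuration is an added example for the on-premise topology above, not taken from the original page; it assumes the interface names wan1 (Internet), dmz (where EMS sits) and internal (user subnets), and uses 203.0.113.10 as a placeholder public address. It restricts both the VIP and the two policies to the telemetry port only, rather than forwarding or allowing all services to the EMS server.

```fortios
# Service object: telemetry port only (add TCP/443 only if clients download FortiClient from EMS).
config firewall service custom
    edit "FortiClient-Telemetry"
        set tcp-portrange 8013
    next
end
# Address object for the on-premise EMS server from the topology.
config firewall address
    edit "EMS-Server"
        set subnet 10.88.0.1 255.255.255.255
    next
end
# VIP: port-forward from the placeholder public address to 10.88.0.1:8013 only.
config firewall vip
    edit "VIP-EMS-Telemetry"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.88.0.1"
        set extport 8013
        set mappedport 8013
    next
end
config firewall policy
    # Off-net endpoints: Internet -> EMS, limited to the telemetry service and logged.
    edit 0
        set name "Offnet-to-EMS-Telemetry"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-EMS-Telemetry"
        set action accept
        set schedule "always"
        set service "FortiClient-Telemetry"
        set logtraffic all
    next
    # On-net endpoints: internal subnets -> EMS, same service restriction.
    edit 0
        set name "Onnet-to-EMS-Telemetry"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "EMS-Server"
        set action accept
        set schedule "always"
        set service "FortiClient-Telemetry"
        set logtraffic all
    next
end
```

With these policies in place, a successful registration from an off-net endpoint shows up in the FortiGate traffic log as an accepted session to the VIP on TCP/8013, which is a quick way to confirm the VIP path before troubleshooting FortiClient itself.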

In the example topology below, FortiClient Cloud is used:

The following will need to be configured:

  • A firewall policy allowing internal subnets to connect to FortiClient Cloud. If FortiClient download is needed, also allow the HTTPS port (443 by default).

Registering users and endpoints to EMS

This step can be used to verify that users can successfully connect to EMS. Depending on whether user verification is required and whether an invitation link is sent out, users register their FortiClient endpoint with a different code.

The following example demonstrates a basic endpoint registration to the ems.ztnademo.com server without any user authentication.

To register endpoints:
  1. In the Zero Trust Telemetry page, enter the server address ems.ztnademo.com.

  2. Click Connect.

    Once connected, a notification appears indicating settings have been pushed from EMS.

  3. Shortly after, click on the avatar to view information about the device. Note that Zero Trust Tag Domain-Users is added.

  4. From FortiClient EMS, go to Endpoints > All Endpoints.

  5. Select the WIN10-01 computer.

    Note that the device is successfully registered, and Zero Trust Tags display the Domain-Users tag.
