The FortiClient EMS Connector works virtually the same way as the Active Directory / Single Sign-On (FSSO) connector from FortiManager's perspective:
- Configure the connector in FortiManager that manages the FortiGate devices. The administrator can define and install the dynamic groups and policies to FortiGate devices.
- FortiGate will communicate directly to FortiClient EMS to learn dynamic group changes and apply them in runtime.
- Install FortiClient Endpoint Management Server on a Windows server. Log on to the EMS server, go to Compliance Verification > Compliance Verification Rules, and click Add Rules. Create a few rules with different tags.
- Log on to FortiManager. Go to Fabric View > Fabric Connectors and click Create. Select FSSO and click Next.
- In the Create New Fabric Connector screen, specify a Name, select the Type as FortiClient EMS, set IP/Name to the Windows Server's IP address, and leave the password blank if the Windows Server does not have a password configured. Turn SSL to ON.
- Click Apply and Refresh. The connector retrieves the list of tags from the EMS server and shows them as User Groups, in the same way that Active Directory groups are retrieved from the backend Windows Server.
- Go to Policy & Objects > Object Configurations > User & Device > User Groups and create a new user group. Specify a name for the group, select the type as FSSO/Cisco TrustSec, and in Select Entries, select the tags from the EMS server as members. Use this user group in a policy and install the policy to FortiGate devices.
- The Fabric Connectors are also visible in Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity where they can be edited if required.
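The three objects created above (connector, user group, policy), expressed as the FortiOS CLI that FortiManager installs on a managed FortiGate, as an added illustration rather than text from this guide. The connector name, the 192.0.2.10 address, the interface names and the tag name "Compliant" are placeholders, and the `fortiems` connector type and `fsso-service` group type are assumed from FortiOS 6.0-era releases, so check them against the target firmware.

```text
# 1. The EMS connector: the GUI's Type = FortiClient EMS, IP/Name and SSL = ON
config user fsso
    edit "EMS-connector"
        set type fortiems
        set server "192.0.2.10"
        set password <ems-password>
        set ssl enable
    next
end

# 2. An FSSO-type user group whose members are EMS tag names learned via the connector
#    ("Compliant" is a placeholder for a tag created under Compliance Verification Rules)
config user group
    edit "EMS-compliant-endpoints"
        set group-type fsso-service
        set member "Compliant"
    next
end

# 3. A policy that matches only endpoints currently carrying that tag;
#    membership changes on EMS take effect at runtime without a policy reinstall
config firewall policy
    edit 0
        set name "EMS-compliant-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "EMS-compliant-endpoints"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After installation, `diagnose debug authd fsso list` on the FortiGate lists the logons and groups (tags) currently learned from the connector, which is a quick check that dynamic group membership is actually arriving before relying on the policy.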
Refer to the FortiClient Enterprise Management Server (EMS) Administration Guide or the FortiClient Enterprise Management Server (EMS) Release Notes for system requirements and the supported versions of Windows Server.