Simplify FortiClient EMS setup
EMS configurations are now centralized under one configuration card on the Fabric Connectors page. Certificates are the main mode of authentication and authorization. The certificate validity is verified against the issuer CA, and then presented to the user to authorize. A certificate attribute has been added to endpoint-control fctems
, and EMS certificates can be verified with execute fctems verify
.
The following examples presume the EMS certificate has already been configured.
To configure an on-premise FortiClient EMS server to the Security Fabric in the GUI:
- On the root FortiGate, go to Security Fabric > Fabric Connectors.
- Click Create New and click FortiClient EMS.
- For Type, click FortiClient EMS.
- Enter a name and IP address.
- Click OK.
A window appears to verify the EMS server certificate:
- Click Accept.
The FortiClient EMS Status section displays a Successful connection and an Authorized certificate:
To configure a FortiClient EMS Cloud server to the Security Fabric in the GUI:
- Go to Security Fabric > Fabric Connectors.
- Click Create New and click FortiClient EMS.
- For Type, click FortiClient EMS Cloud.
- Enter a name.
- Click OK.
A window appears to verify the EMS server certificate.
- Click Accept.
The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.
To configure an on-premise FortiClient EMS server to the Security Fabric in the CLI:
config endpoint-control fctems edit "ems138" set server "172.16.200.138" set certificate "REMOTE_Cert_1" next end
To configure a FortiClient EMS Cloud server to the Security Fabric in the CLI:
config endpoint-control fctems edit "Cloud_EMS" set fortinetone-cloud-authentication enable set certificate "REMOTE_Cert_1" next end
To verify an EMS certificate in the CLI:
# execute fctems verify ems137 Subject: C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm, emailAddress = xxxx@xxxxxxxx.xxx Issuer: CN = 155-sub1.fortinet.com Valid from: 2017-12-05 00:37:57 GMT Valid to: 2027-12-02 18:08:13 GMT Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0 Root CA: No Version: 3 Serial Num: 01:86:a2 Extensions: Name: X509v3 Basic Constraints Critical: yes Content: CA:FALSE Name: X509v3 Subject Key Identifier Critical: no Content: 35:B0:E2:62:AF:9A:7A:E6:A6:8E:AD:CB:A4:CF:4D:7A:DE:27:39:A4 Name: X509v3 Authority Key Identifier Critical: no Content: keyid:66:54:0F:78:78:91:F2:E4:08:BB:80:2C:F6:BC:01:8E:3F:47:43:B1 DirName:/C=CA/ST=bc/L=burnaby/O=devqa/OU=top3/CN=fac155.fortinet.com/emailAddress=xyguo@fortinet.com serial:01:86:A4 Name: X509v3 Subject Alternative Name Critical: no Content: DNS:sys169.qa.fortinet.cm Name: X509v3 Key Usage Critical: no Content: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only Name: X509v3 Extended Key Usage Critical: no Content: TLS Web Server Authentication, TLS Web Client Authentication EMS configuration needs user to confirm server certificate. Do you wish to add the above certificate to trusted remote certificates? (y/n)y