config endpoint-control fctems

Use this command to configure FortiClient Endpoint Management Server (EMS) connector entries.

It is recommended to configure the FortiClient EMS connector entries from the GUI. For more information, see the FortiADC Handbook on the FortiClient EMS Connector.

The FortiADC Security Fabric device can link to FortiClient Endpoint Management Server (EMS) for endpoint connectors. Up to three EMS servers can be added to the Security Fabric. EMS settings are synchronized between all Fabric members. Once the FortiADC is authorized as a Fabric device in FortiClient EMS, FortiClient EMS automatically synchronizes ZTNA tags, the EMS CA certificate, and FortiClient endpoint information to the FortiADC.

The FortiClient EMS connector is an integral part of the Zero Trust Network Access (ZTNA) functionality. For more information, see the FortiADC Handbook on ZTNA and How device identity and trust context is established with FortiClient EMS.

After you complete the configuration with the config endpoint-control fctems command, you must verify the EMS server certificate to authorize the FortiADC as a Fabric Device in FortiClient EMS. To verify the EMS server certificate, use the execute fctems verify command. For details, see execute fctems.

Requirements:
  • FortiClient EMS running version 7.0.3 or later

  • FortiClient running 7.0.1 or later

  • FortiADC hardware, VM, or cloud platforms that support FortiClient EMS.

    FortiClient EMS is supported in most FortiADC platforms but not all of them. The following lists the hardware models, cloud platforms, and VM environments that support FortiClient EMS.

    Hardware models:

    • FAD-120F, FAD-220F, FAD-300F, FAD-400F, FAD-1200F, FAD-2200F, FAD-4200F, FAD-5000F

    Cloud platforms with BYOL (PAYG FortiADC does not support FortiClient EMS):

    • AWS (Amazon Web Services), Microsoft Azure, GCP (Google Cloud Platform), OCI (Oracle Cloud Infrastructure), Alibaba Cloud

    VM environments:

    • VMware, Microsoft Hyper-V, KVM, Citrix Xen, Xen Project Hypervisor
      Note: The most recent certificate embedded license is required. If your license was issued prior to April 2021, please obtain a new certificate embedded license for your VM through Fortinet Customer Service & Support.

  • Read-Write access permission for FortiADC Systems settings

Syntax

config endpoint-control fctems
    edit <name>
        set server {string}
        set https-port {integer}
        set capabilities {option1}, {option2}, ...
        set call-timeout {integer}
        set preserve-ssl-session {enable|disable}
    next
end

server

IPv4 address or fully qualified domain name (FQDN) of the FortiClient EMS server. For example: 192.0.2.1

https-port

FortiClient EMS HTTPS access port number. Range: 1-65535, default: 443.

capabilities

List of EMS capabilities.

Note: This option is only available in CLI.

call-timeout

FortiClient EMS call timeout in seconds. Range: 1-180, default: 30.

Note: This option is only available in CLI.

preserve-ssl-session

Enable/disable preservation of EMS SSL session connection. This is disabled by default.

Note: This option is only available in CLI.

Warning: Most users should not touch this setting.

Example

config endpoint-control fctems
    edit "EMS-223"
        set server 10.106.3.223
        set https-port 443
        unset capabilities
        set call-timeout 30
        set preserve-ssl-session disable
    next
end
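As an added example (not part of the Fortinet reference and not FortiADC code), the following script parses a config endpoint-control fctems block from a saved configuration and reports any entry whose settings fall outside the documented ranges or deviate from the documented defaults, which is useful when reviewing exported configs. The sample configuration is constructed: it contains the reference's "EMS-223" entry and a made-up "EMS-LAB" entry (ems.example.test) with out-of-range values.

```python
import ipaddress
import re
# Constructed sample: the page's "EMS-223" entry plus a made-up "EMS-LAB" entry with out-of-range values.
SAMPLE_CONFIG = """\
config endpoint-control fctems
    edit "EMS-223"
        set server 10.106.3.223
        unset capabilities
        set call-timeout 30
        set preserve-ssl-session disable
    next
    edit "EMS-LAB"
        set server ems.example.test
        set https-port 70000
        set call-timeout 900
        set preserve-ssl-session enable
    next
end
"""
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$", re.I)

def parse_fctems(text):
    """Map each 'edit <name>' block to its settings; 'unset' records None."""
    entries, name = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] == "edit":
            name = tok[1].strip('"')
            entries[name] = {}
        elif tok and tok[0] in ("set", "unset") and name is not None:
            entries[name][tok[1]] = " ".join(tok[2:]) if tok[0] == "set" else None
        elif tok and tok[0] == "next":
            name = None
    return entries

def check_entry(s):
    """Findings for one entry, using the ranges and defaults the reference documents."""
    findings, server = [], s.get("server") or ""
    try:
        ipaddress.IPv4Address(server)
    except ValueError:
        if not HOSTNAME_RE.match(server):
            findings.append(f"server: {server!r} is neither an IPv4 address nor an FQDN")
    for key, lo, hi, default in (("https-port", 1, 65535, 443), ("call-timeout", 1, 180, 30)):
        raw = s.get(key) or str(default)  # absent or 'unset' falls back to the documented default
        if not raw.isdigit() or not lo <= int(raw) <= hi:
            findings.append(f"{key}: {raw} is outside the documented range {lo}-{hi}")
    pss = s.get("preserve-ssl-session") or "disable"
    if pss != "disable":
        findings.append(f"preserve-ssl-session: {pss!r} (non-default; reference warns most users should not touch it)")
    return findings
```

Run check_entry over each entry returned by parse_fctems; an empty list means the entry matches the documented ranges and defaults.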