Fortinet Document Library

EMS Administration Guide

Configuring Server settings

FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiClient EMS.

To configure Server settings:
  1. Go to System Settings > Server.
  2. Configure the following options:

    Hostname

    Displays the FortiClient EMS server's host name.

    Listen on IP

    Displays the IP addresses for the FortiClient EMS server. FortiClient connects to FortiClient EMS on the specified IP address.

    Listen on port

    Displays the default port for the FortiClient EMS server. You can change the port by typing a new port number. FortiClient connects using the specified port number.

    Upload port

    Displays the default port used for FortiClient to upload large amounts of data (100+ KB of data per connection) to FortiClient EMS. You can change the port by typing a new port number.

    Use FQDN

    Turn on to specify a fully qualified domain name (FQDN) for the FortiClient EMS server.

    FQDN

    Displayed when Use FQDN is turned on. Type the FQDN for the FortiClient EMS server. FortiClient can connect using the specified IP address in the Listen on IP Addresses option or the specified FQDN.

    DHCP onnet/offnet

    Enable to monitor endpoints within the company network (on-net).

    Endpoints connected to FortiClient EMS from outside the company network are off-net endpoints.

    There are two settings in EMS that affect the FortiClient on-net/off-net status:

    1. DHCP on-net/off-net setting in EMS
    2. Subnet setting in EMS

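    | DHCP on-net/off-net setting | On-net subnet        | Option 224 serial number | Endpoint status |
    |-----------------------------|----------------------|--------------------------|-----------------|
    | Off                         | No                   | N/A                      | On-net          |
    | On                          | No                   | Option not configured    | Off-net         |
    | On                          | No                   | Option configured        | On-net          |
    | Off or on                   | Yes and match        | Configured or not        | On-net          |
    | Off or on                   | Yes and do not match | Configured or not        | Off-net         |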

    Subnet values:

    • no: subnet setting in EMS is disabled
    • yes: subnet setting in EMS is configured
    • match: client has an IP address in the configured EMS subnet
    • not match: client has an IP address not in the configured EMS subnet

    The following are examples of how FortiClient determines the endpoint status when FortiClient is connected to EMS only. For details on how FortiClient determines on-net/off-net status in managed mode with FortiGate and FortiClient EMS, see the FortiClient Administration Guide.

    • An endpoint has a status of offline when it cannot connect FortiClient Telemetry to EMS and is outside one of the on-net networks.
    • An endpoint has a status of offline but on-net when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-net networks.

    Option 224 can have any Fortinet device's serial number. EMS assumes FortiClient is behind a FortiGate and on-net with that FortiGate.

    Remote HTTPS access

    Specify settings for remote administration access to FortiClient EMS.

    Turn remote HTTPS access to the FortiClient EMS console on or off. When enabled, type a host name in the Custom Host Name box to let administrators use a browser and HTTPS to log into the FortiClient EMS console. When disabled, administrators can only log into the FortiClient EMS console on the server.

    Pre-defined hostname

    Available when Remote Administration HTTPS Access is turned on. Displays the pre-defined host name. The name cannot be changed.

    Custom hostname

    Available when Remote Administration HTTPS Access is turned on. Displays the pre-defined host name of the server on which FortiClient EMS is installed. You can customize the host name. When you change the host name, the web server restarts.

    Redirect HTTP request to HTTPS

    Available when Remote Administration HTTPS Access is turned on. When this option is enabled, attempts to remotely access EMS at http://<server_name> are automatically redirected to https://<server_name>.

    FortiClient download URL

    FortiClient installers created in FortiClient EMS are made available for download at this URL.

    Open port 10443 in Windows Firewall

    Turn on to open port 10443, and turn off to close port 10443. Port 10443 is used to download FortiClient.

    SSL certificate

    Displays the SSL certificate currently imported. If you have not imported an SSL certificate, a No SSL certificate imported message displays.

    New SSL Certificate File

    Upload a new SSL certificate.

    New SSL Private Key

    Upload a new SSL private key.

    Sign software packages

    Enable this option to have Windows FortiClient software installers created by or uploaded to EMS digitally signed with a code signing certificate.

    Timestamp server

    Enter the address of the server used to timestamp software installers.

    Certificate

    Upload the desired code signing certificate. This must be a .pfx file. After a certificate has been uploaded, its expiry date is also displayed.

    Password

    Enter the certificate password. This is required for EMS to sign the software installers with the certificate.

  3. Click Save.
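
The on-net/off-net table under DHCP onnet/offnet above, written out as a function so the precedence of the two settings is explicit (an added example, not Fortinet code). The function names, reason labels and sample endpoints are constructed for illustration, and "Option configured" is modelled as a serial number being present in option 224.

```python
import ipaddress

def endpoint_status(dhcp_on, onnet_subnets, client_ip, option224_serial=None):
    """Evaluate the on-net/off-net table; returns (status, deciding_input).

    dhcp_on          -- DHCP on-net/off-net setting in EMS (True = On)
    onnet_subnets    -- on-net subnets as CIDR strings; empty = subnet setting disabled
    client_ip        -- the endpoint's current IP address
    option224_serial -- serial number seen in DHCP option 224, or None
    The deciding_input labels are this example's own, not EMS terminology.
    """
    if onnet_subnets:
        # Rows 4-5: a configured subnet decides the status on its own,
        # whatever the DHCP setting and option 224 say.
        ip = ipaddress.ip_address(client_ip)
        nets = (ipaddress.ip_network(s) for s in onnet_subnets)
        if any(ip in net for net in nets):
            return ("On-net", "subnet match")
        return ("Off-net", "subnet mismatch")
    if not dhcp_on:
        # Row 1: both settings off, every endpoint is treated as on-net.
        return ("On-net", "both settings off")
    if option224_serial:
        # Row 3: any Fortinet serial number in option 224 is accepted.
        return ("On-net", "option 224")
    # Row 2: DHCP setting on, but the option is not configured.
    return ("Off-net", "option 224 absent")

# Constructed sample endpoints: (name, dhcp_on, subnets, client_ip, serial)
SAMPLES = [
    ("lab-pc", False, [], "203.0.113.7", None),
    ("kiosk", True, [], "10.1.1.5", None),
    ("branch-laptop", True, [], "10.1.1.5", "FGT-CONSTRUCTED-0001"),
    ("hq-desktop", True, ["10.1.0.0/16"], "10.1.1.5", None),
    ("roaming", False, ["10.1.0.0/16", "10.2.0.0/16"], "192.0.2.9",
     "FGT-CONSTRUCTED-0001"),
]

def option224_only(samples):
    """Names of endpoints whose on-net status rests on option 224 alone."""
    return [name for name, *args in samples
            if endpoint_status(*args) == ("On-net", "option 224")]

if __name__ == "__main__":
    for name, *args in SAMPLES:
        print(name, *endpoint_status(*args))
```

Endpoints returned by `option224_only` are on-net purely because of what the DHCP server handed out, so they are the ones to review if on-net status relaxes any endpoint policy.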
