Fortinet black logo

EMS Administration Guide

Required services and ports

Required services and ports

You must ensure required ports and services are enabled for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Telemetry

FortiClient endpoint management

TCP

8013 (default)

Incoming

Installer/GUI

Samba (SMB) service

FortiClient EMS uses the SMB service during FortiClient initial deployment.

TCP

445

Outgoing

N/A

Distributed Computing Environment / Remote Procedure Calls (DCE- RPC)

The EMS server connects to endpoints using RPC for FortiClient initial deployment.

TCP

135

Outgoing

N/A

Active Directory server connection

Retrieving workstation and user information

TCP

389 (LDAP) or

636 (LDAPS)

Outgoing

GUI

FortiClient download

Downloading FortiClient installer created by the EMS server

TCP

10443 (default)

Incoming

Installer

Apache/HTTPS

Web access to EMS

TCP

443

Incoming

Installer

FortiGuard

FortiGuard antivirus, vulnerability, and application version updates

TCP

80

Outgoing

N/A

SMTP server/email

Alerts for EMS and endpoint events. When an alert is triggered, an email notification is sent

TCP

25 (default)

Outgoing

GUI

FortiClient endpoint probing

FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.

ICMP

N/A

Outgoing

N/A

The following ports and services are only applicable when using FortiClient EMS to manage Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient on Chrome OS

Connection to EMS

TCP

8443 (default)

You can customize this port.

Incoming

GUI

G suite API/Google domain directory

API calls to retrieve Google domain information

TCP

443

Outgoing

N/A

The following ports and services should be enabled for use on Chromebooks when using FortiClient for Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient EMS

Connection to profile server

TCP

8443 (default)

Outgoing

Via Google Admin console when adding the profile

FortiGuard

URL rating

TCP

443, 3400

Outgoing

N/A

FortiAnalyzer

Send logs to FortiAnalyzer

TCP

8443

Outgoing

N/A

note icon

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide on the Fortinet Document Library.

Required services and ports

You must ensure required ports and services are enabled for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Telemetry

FortiClient endpoint management

TCP

8013 (default)

Incoming

Installer/GUI

Samba (SMB) service

FortiClient EMS uses the SMB service during FortiClient initial deployment.

TCP

445

Outgoing

N/A

Distributed Computing Environment / Remote Procedure Calls (DCE- RPC)

The EMS server connects to endpoints using RPC for FortiClient initial deployment.

TCP

135

Outgoing

N/A

Active Directory server connection

Retrieving workstation and user information

TCP

389 (LDAP) or

636 (LDAPS)

Outgoing

GUI

FortiClient download

Downloading FortiClient installer created by the EMS server

TCP

10443 (default)

Incoming

Installer

Apache/HTTPS

Web access to EMS

TCP

443

Incoming

Installer

FortiGuard

FortiGuard antivirus, vulnerability, and application version updates

TCP

80

Outgoing

N/A

SMTP server/email

Alerts for EMS and endpoint events. When an alert is triggered, an email notification is sent

TCP

25 (default)

Outgoing

GUI

FortiClient endpoint probing

FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.

ICMP

N/A

Outgoing

N/A

The following ports and services are only applicable when using FortiClient EMS to manage Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient on Chrome OS

Connection to EMS

TCP

8443 (default)

You can customize this port.

Incoming

GUI

G suite API/Google domain directory

API calls to retrieve Google domain information

TCP

443

Outgoing

N/A

The following ports and services should be enabled for use on Chromebooks when using FortiClient for Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient EMS

Connection to profile server

TCP

8443 (default)

Outgoing

Via Google Admin console when adding the profile

FortiGuard

URL rating

TCP

443, 3400

Outgoing

N/A

FortiAnalyzer

Send logs to FortiAnalyzer

TCP

8443

Outgoing

N/A

note icon

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide on the Fortinet Document Library.