Endpoint provisioning

6.0.5

FortiClient EMS provides scalable and centralized management of multiple endpoints. One of the following endpoint management structures is recommended depending on the use case.

Note: Before deploying to the production server, test deployment with a test endpoint group and test profiles. If the test deployment is successful, then attempt deployment on the production server.

Use case: AD is set up and the same structure is desired for endpoint management.
Endpoint management structure: AD integration:

  • Put endpoints in OUs
  • Keep OU structure
  • Group changes made in EMS do not sync back to AD (one-way sync only)
  • Endpoints in security groups are not imported into EMS

Use case: Large deployment that needs custom grouping or does not have AD set up.
Endpoint management structure: Automated group assignment. See the FortiClient EMS Administration Guide for details.

Use case: Small deployment.
Endpoint management structure: Custom groups:

  • Manually create groups in EMS, then move endpoints into groups
  • By default, endpoints are placed in the Other Endpoints group

Endpoint provisioning consists of the following steps. For details on each step, see the FortiClient EMS Administration Guide.

  1. Create a profile and gateway IP list. It is recommended to create a profile for each installer.

    It is recommended to put the addresses for all FortiGate units in one gateway IP list. If using compliance, ensure the FortiGate for compliance is located as physically close as possible to the endpoints being monitored. Traffic for the endpoints must go through the FortiGate with compliance enabled.

  2. Create an installer. Select the desired FortiClient features to deploy to the endpoints. See FortiClient feature recommendations for details.
  3. Assign the installer to a profile.
  4. Assign the profile to a group that contains endpoints.
  5. Assign the gateway IP list to the desired group.

EMS-managed FortiClient endpoints lock configuration changes in the FortiClient console. The end user cannot change the configuration.

Note: For an initial deployment, you can deploy FortiClient using the Microsoft AD Server, or send the FortiClient download link from EMS to users. After the initial deployment, you can push future updates from EMS.

Note: For an initial deployment of FortiClient (macOS), deploy FortiClient (macOS) manually.

Note: Create a profile for the Other Endpoints group, and assign the profile to the group. This allows you to assign preferred settings to any FortiClient endpoints assigned to the Other Endpoints group.
