EMS manages FortiClient endpoints using the FortiClient Telemetry connection. Endpoints connect FortiClient Telemetry to FortiGate to participate in the Security Fabric or compliance enforcement. FortiGates do not manage endpoints.
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive configuration information in an endpoint profile from EMS. This scenario does not support compliance. It is only for central management of endpoints. Only EMS can control the connection between FortiClient and EMS. Any changes to the connection must be made from EMS, not FortiClient. When FortiClient is connected to EMS, EMS locks FortiClient settings so the endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must deregister the endpoint in EMS.
See the FortiClient Compliance Guide.
In this configuration, FortiClient Telemetry is connected to FortiGate, and FortiClient receives a profile from FortiGate. The profile contains the compliance rules for FortiClient, but not any configuration information for FortiClient. This configuration can support NAC and compliance.
In this configuration, FortiClient Telemetry connects to FortiGate to confirm compliance. This configuration supports NAC and compliance. FortiClient Telemetry also connects to EMS to receive a profile of configuration information. This configuration is sometimes called integrated mode.
FortiGate does not provide configuration information for FortiClient and the endpoint. Endpoint users must manually configure FortiClient or an administrator must configure FortiClient using an EMS endpoint profile.
Following is a summary of how the FortiClient Telemetry connection works in integrated mode:
- FortiClient Telemetry connects to FortiGate. This is the Fabric Telemetry connection.
- FortiClient Telemetry connects to EMS. This is the Management Telemetry connection.
FortiClient connects to FortiGate. Depending on the FortiGate configuration, one of the following happens:
- FortiGate considers the endpoint compliant if FortiClient is installed and is being managed by the EMS server authorized in FortiOS.
- FortiClient receives a profile of specific compliance rules from the FortiGate.
- FortiClient receives a profile of configuration information from EMS.
Administrators should ensure the configuration information from EMS matches the compliance rules set on FortiGate to avoid conflicting settings.
EMS can also import a profile from FortiOS, then push it to FortiClient.