Fortinet black logo

Best Practices

Home FortiClient 6.2.0 Best Practices
6.2.0
6.2.0
6.0.5

EMS server configuration

EMS server configuration

Server settings

The following lists tasks that require direct access to the EMS console. Other tasks can be done via remote HTTPS access.

  • Decide whether to assign an FQDN or static IP address to the FortiClient EMS server. Do not assign a dynamic IP address to the EMS server.
  • Enable remote HTTPS access for administrators.
  • Set the hostname and FortiClient download URL. Ensure endpoints can access the download URL by navigating to it from a browser on one of the endpoints.

Logs settings

Configure log level and the number of days to keep logs. These settings affect database size. If managing a large number of endpoints, it is also recommended to reduce the number of days EMS stores logs and alerts.

FortiGuard settings

Enable FortiManager. You can use FortiManager or Micro-FortiGuard Server for FortiClient to download signature updates from FortiGuard. When managing more than 5000 endpoints, it is recommended to use Micro-FortiGuard Server for FortiClient or FortiManager for local updates and category lookup.

For details, see the Micro-FortiGuard Server for FortiClient Administration Guide or the FortiManager Administration Guide.

Endpoints settings

  • Keep alive interval: The keep alive interval is the interval between endpoint connections to the EMS server to check for profile updates. If managing a large number of endpoints, a large number of endpoints frequently connecting to the EMS server can affect server and network performance. In this case, it is recommended to increase the keep alive interval.
  • License timeout interval: This setting is useful for EMS administrators who need to manage reusing licenses. The minimum license timeout interval is one day. You should modify this setting based on the number of licenses and of managed endpoints.

Administrator

  • Change the password for the default administrator after logging in. Use a strong password that combines uppercase and lowercase letters, numbers, and symbols. There is no password recovery mechanism for the default admin user. It is recommended therefore to keep the admin password safe. It is also recommended to create additional user accounts in case the administrator password is lost.
  • Add a remote administrator.
  • Add local Windows users.
  • Super administrator permissions allow the administrator to access and modify all settings on the EMS server. These permissions should be restricted to as small a group as possible to ensure security for both the server and endpoints.
  • You cannot configure an administrator to have access to only certain groups or OUs within a domain. You can only configure an administrator to have full access to a domain or no access at all.

Alerts settings

You can configure an email server and EMS to email alerts to you. It is recommended to receive alerts about non-compliant and unregistered endpoints.

  • EMS Alerts: enable receiving information in case of issues with the EMS server
  • Endpoint Alerts: enable receiving information about security events on endpoints
  • SMTP server: configure to receive email alerts
Previous
Next

EMS server configuration

Server settings

The following lists tasks that require direct access to the EMS console. Other tasks can be done via remote HTTPS access.

  • Decide whether to assign an FQDN or static IP address to the FortiClient EMS server. Do not assign a dynamic IP address to the EMS server.
  • Enable remote HTTPS access for administrators.
  • Set the hostname and FortiClient download URL. Ensure endpoints can access the download URL by navigating to it from a browser on one of the endpoints.

Logs settings

Configure log level and the number of days to keep logs. These settings affect database size. If managing a large number of endpoints, it is also recommended to reduce the number of days EMS stores logs and alerts.

FortiGuard settings

Enable FortiManager. You can use FortiManager or Micro-FortiGuard Server for FortiClient to download signature updates from FortiGuard. When managing more than 5000 endpoints, it is recommended to use Micro-FortiGuard Server for FortiClient or FortiManager for local updates and category lookup.

For details, see the Micro-FortiGuard Server for FortiClient Administration Guide or the FortiManager Administration Guide.

Endpoints settings

  • Keep alive interval: The keep alive interval is the interval between endpoint connections to the EMS server to check for profile updates. If managing a large number of endpoints, a large number of endpoints frequently connecting to the EMS server can affect server and network performance. In this case, it is recommended to increase the keep alive interval.
  • License timeout interval: This setting is useful for EMS administrators who need to manage reusing licenses. The minimum license timeout interval is one day. You should modify this setting based on the number of licenses and of managed endpoints.

Administrator

  • Change the password for the default administrator after logging in. Use a strong password that combines uppercase and lowercase letters, numbers, and symbols. There is no password recovery mechanism for the default admin user. It is recommended therefore to keep the admin password safe. It is also recommended to create additional user accounts in case the administrator password is lost.
  • Add a remote administrator.
  • Add local Windows users.
  • Super administrator permissions allow the administrator to access and modify all settings on the EMS server. These permissions should be restricted to as small a group as possible to ensure security for both the server and endpoints.
  • You cannot configure an administrator to have access to only certain groups or OUs within a domain. You can only configure an administrator to have full access to a domain or no access at all.

Alerts settings

You can configure an email server and EMS to email alerts to you. It is recommended to receive alerts about non-compliant and unregistered endpoints.

  • EMS Alerts: enable receiving information in case of issues with the EMS server
  • Endpoint Alerts: enable receiving information about security events on endpoints
  • SMTP server: configure to receive email alerts
Previous
Next