Fortinet Document Library


EMS Administration Guide

Configuring Server settings

FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiClient EMS.

  1. Go to System Settings > Server.
  2. Configure the following options under Shared Settings. These settings are shared between FortiClient EMS managing Windows, macOS, and Linux endpoints, and FortiClient EMS managing Chromebook endpoints:

    Hostname

    Displays the FortiClient EMS server's hostname.

    Listen on IP

    Displays the IP addresses for the FortiClient EMS server. FortiClient connects to FortiClient EMS on the specified IP address.

    Use FQDN

    Specify an FQDN for the FortiClient EMS server.

    FQDN

    Enter the FortiClient EMS server FQDN. FortiClient can connect using the specified IP address in the Listen on IP Addresses option or the specified FQDN.

    Remote HTTPS access

    Specify settings for remote administration access to FortiClient EMS.

    Turn remote HTTPS access to FortiClient EMS on and off. When enabled, enter a hostname in the Custom hostname box to let administrators use a browser and HTTPS to log into FortiClient EMS. When disabled, administrators can only log into FortiClient EMS on the server.

    Pre-defined hostname

    Available when Remote HTTPS Access is enabled. Displays the predefined hostname. You cannot change the name.

    Custom hostname

    Available when Remote HTTPS Access is turned on. Displays the predefined hostname of the server on which FortiClient EMS is installed. You can customize the hostname. When you change the hostname, the web server restarts.

    Redirect HTTP request to HTTPS

    Available when Remote HTTPS Access is turned on. When this option is enabled, an attempt to remotely access FortiClient EMS at http://<server_name> automatically redirects to https://<server_name>.

    SSL certificate

    Displays the currently imported SSL certificate. If you have already uploaded an SSL certificate, a Replace button displays.

    Certificate

    Browse and upload a new SSL certificate file.

    Password

    Configure a new SSL password.

  3. Configure the following options under EMS Settings. These settings are used by FortiClient EMS managing Windows, macOS, and Linux endpoints:

    Listen on port

    Displays the FortiClient EMS server default port. You can change the port by typing a new port number. FortiClient connects using the specified port number.

    DHCP onnet/offnet

    Monitor endpoints within the company network (onnet). Endpoints that are connected to FortiClient EMS from outside the company network are offnet endpoints. See Determining onnet/offnet status.

    Enable TLS 1.0/1.1

    Enable TLS 1.0 and 1.1 for file downloads.

    You must enable this option when upgrading FortiClient on a Windows 7 device via FortiClient EMS.

    FortiClient download URL

    FortiClient deployment packages created in FortiClient EMS are available for download at this URL.

    Open port 10443 in Windows Firewall

    Open port 10443 or close port 10443. Port 10443 is used to download FortiClient.

    Sign software packages

    Enable this option to have Windows FortiClient software installers created by or uploaded to FortiClient EMS digitally signed with a code signing certificate.

    Timestamp server

    Enter the server address to timestamp software installers with.

    Certificate

    Upload the desired code signing certificate. This must be a .pfx file. After a certificate has been uploaded, its expiry date is also displayed.

    Password

    Enter the certificate password. This is required for FortiClient EMS to sign the software installers with the certificate.

  4. If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after enabling this option.
  5. Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS managing Chromebook endpoints:

    Listen on port

    Displays the default port for the FortiClient EMS server for Chromebooks. You can change the port by typing a new port number. The FortiClient Web Filter extension on Chromebooks connects to FortiClient EMS using the specified port number.

    User inactivity timeout

    Enter the number of hours of inactivity after which to time out the user.

    Profile update interval

    Specify the profile update interval (in seconds).

    SSL certificate

    Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.

    Certificate

    Browse and upload a new SSL certificate file. See Adding SSL certificates to FortiClient EMS for Chromebook endpoints.

    Password

    Configure a new SSL password.

    Service account

    Displays the service account ID currently in use.

    Update service account

    Update the service account with new credentials.

    Reset service account

    If your service account is broken, you can revert to the default service account by clicking the Reset button. This restores the default service account. You need to Save the settings for the change to take effect.

    ID

    Available if the Update service account button is clicked. Enter a new service account ID.

    Private key

    Available if the Update service account button is clicked. Upload a new service account private key.

  6. Configure the following options under EMS FSSO Settings. These settings add SSL encryption to the FSSO protocol between EMS and FortiOS.

    SSL certificate

    Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.

    Certificate

    Browse and upload a new SSL certificate file.

    Password

    Configure a new SSL password.

  7. Click Save.

Determining onnet/offnet status

There are two settings in EMS that affect FortiClient onnet/offnet status:

  • DHCP onnet/offnet
  • System Settings > Endpoint Control > On-Net Subnets on the endpoint's assigned profile. See System Settings.

The table below shows how the DHCP onnet/offnet and On-Net Subnets settings and Option 224 serial number affect the endpoint's onnet/offnet status. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and onnet with that FortiGate.

| DHCP onnet/offnet | On-Net Subnets | Option 224 serial number | Resulting endpoint status |
|---|---|---|---|
| Disabled | Disabled | N/A | When onnet subnets are not configured, onnet/offnet status is related to the endpoint's online/offline status (whether it is connected to EMS). An online status causes the endpoint to be onnet, while an offline status causes the endpoint to be offnet. |
| Enabled | Disabled | Not configured | Same as above. |
| Enabled | Disabled | Configured | Onnet. Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is onnet with that FortiGate. |
| Disabled or enabled | Enabled, with subnet configured. Endpoint IP address is in the configured subnet. | Configured or not | Onnet. The endpoint is inside the onnet networks configured in On-Net Subnets. |
| Disabled or enabled | Enabled, with subnet configured. Endpoint IP address is not in the configured subnet. | Configured or not | Offnet. The endpoint is outside the onnet networks configured in On-Net Subnets. |

The following are examples of how FortiClient determines the endpoint status when connected to EMS only. For details on how FortiClient determines onnet/offnet status in managed mode with FortiGate and EMS, see the FortiClient Administration Guide.

An endpoint has an offline offnet status when it cannot connect FortiClient Telemetry to EMS and is outside one of the onnet networks.

An endpoint has an offline onnet status when it cannot connect FortiClient Telemetry to EMS but is inside one of the onnet networks.
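
The decision table and the two offline examples above can be modelled as a small function for checking which status a given configuration should produce. This is an added example, not Fortinet code or EMS's implementation; the function names, parameter names, subnet, serial number and IP addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Optional


def onnet_status(dhcp_onnet_offnet: bool,
                 onnet_subnets: Optional[Iterable[str]],
                 option_224_serial: Optional[str],
                 endpoint_ip: str,
                 online: bool) -> str:
    """Return 'onnet' or 'offnet' for one endpoint, row by row from the table."""
    subnets = list(onnet_subnets or [])
    if subnets:
        # Rows 4-5: On-Net Subnets decides alone; the DHCP setting and
        # Option 224 are "disabled or enabled" / "configured or not".
        ip = ipaddress.ip_address(endpoint_ip)
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip.version == net.version and ip in net:
                return "onnet"
        return "offnet"
    if dhcp_onnet_offnet and option_224_serial:
        # Row 3: a serial number in Option 224 is enough for onnet.
        return "onnet"
    # Rows 1-2: status follows the connection to EMS.
    return "onnet" if online else "offnet"


def endpoint_status(dhcp_onnet_offnet, onnet_subnets, option_224_serial,
                    endpoint_ip, online):
    """Combine connectivity and location, e.g. 'offline onnet'."""
    location = onnet_status(dhcp_onnet_offnet, onnet_subnets,
                            option_224_serial, endpoint_ip, online)
    return f"{'online' if online else 'offline'} {location}"


# Constructed sample values (not from the guide).
SUBNETS = ["10.10.0.0/16"]
SERIAL = "FGT-EXAMPLE-SERIAL"

if __name__ == "__main__":
    for args in [
        (False, None, None, "203.0.113.7", True),    # row 1, connected
        (True, None, SERIAL, "203.0.113.7", False),  # row 3
        (True, SUBNETS, SERIAL, "203.0.113.7", True),  # row 5
        (False, SUBNETS, None, "10.10.5.20", False),   # row 4, offline
    ]:
        print(args, "->", endpoint_status(*args))
```

When On-Net Subnets is configured, the subnet match overrides both the DHCP setting and Option 224, so an endpoint can be online and still offnet.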
