7.0.0

Frequently asked questions

How many EMS licenses does this configuration require?

This configuration requires one license. You upload this license to the active EMS, as Configuring EMS HA describes.

Is there a preempt feature, as in a FortiOS high availability configuration?

No, there is no preempt feature. For example, if EMS-1 is the active unit and there is a service disruption in EMS-1, EMS-2 takes over as the active unit.

When EMS-1 comes back online, EMS-2 remains the active unit until a service disruption occurs. There is no fixed active unit.

The DNS A record has round robin enabled, meaning that FortiClient sometimes connects to the passive EMS. What is the effect of this?

During initial registration, FortiClient connects to the EMS physical IP address, based on the DNS server response. There are two scenarios:

  • The DNS server responds with the active EMS IP address. FortiClient connects to EMS without issue.
  • The DNS server responds with the passive EMS IP address. FortiClient connects to the passive EMS, but receives a TCP reset (RST) from the server. After three TCP RSTs, FortiClient automatically switches and connects to the active EMS. Due to this behavior, FortiClient registration to EMS has a slight delay.

In the following screenshot, 192.168.138.73 is the passive EMS. You can see an RST packet reply from the passive EMS to FortiClient. After a while, FortiClient switches and connects to the active EMS.

FortiClient Telemetry connections behave in the same manner.
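
To check from an endpoint's network which address behind the round-robin record is currently active, and how many resets a client sees before it connects, the following added example (not Fortinet code) classifies each node by its TCP answer and models the three-RST switch described above. Port 8013 and the address 192.0.2.10 are assumptions that do not come from this page; in real use, pass `resolve_a_records("<your EMS FQDN>")` and the port your Telemetry listens on to `ha_status`.

```python
import socket

def probe(addr, port, timeout=3.0):
    """Classify one EMS node by how it answers a TCP connect."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "active"       # handshake completed: EMS services are listening
    except ConnectionRefusedError:
        return "passive"          # SYN answered with RST, as the page describes
    except OSError:
        return "unreachable"      # timeout, filtered or no route

def resolve_a_records(fqdn):
    """Return every IPv4 address behind the round-robin A record."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def ha_status(addrs, port, probe_fn=probe):
    """Probe each address; return per-node state plus findings to act on."""
    states = {a: probe_fn(a, port) for a in addrs}
    active = [a for a in addrs if states[a] == "active"]
    findings = []
    if not active:
        findings.append("no node accepts connections")
    elif len(active) > 1:
        findings.append("unexpected: several nodes accept connections: " + ", ".join(active))
    findings += [a + " is unreachable (no accept, no RST)"
                 for a in addrs if states[a] == "unreachable"]
    return states, findings

def client_attempts(dns_order, states, resets_before_switch=3):
    """Model of the behaviour on this page: retry the address DNS returned,
    then switch to the next one after three RSTs."""
    log = []
    for addr in dns_order:
        if states[addr] == "active":
            return log + [(addr, "connected")]
        passive = states[addr] == "passive"
        log += [(addr, "RST" if passive else "no answer")] * (resets_before_switch if passive else 1)
    return log

if __name__ == "__main__":
    # Constructed sample: 192.168.138.73 is the passive EMS from the page,
    # 192.0.2.10 is a placeholder for the active one; no network is touched.
    sample = {"192.168.138.73": "passive", "192.0.2.10": "active"}
    # 8013 is an assumed Telemetry port, not stated on this page.
    states, findings = ha_status(list(sample), 8013, probe_fn=lambda a, p: sample[a])
    print(states, findings)
    print(client_attempts(["192.168.138.73", "192.0.2.10"], states))
```
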

What services run on the passive EMS server?

Only the FortiClient Endpoint Management Server Monitor Service runs on the passive EMS server.

After failover occurs and the passive EMS server changes its status to become the active EMS server, all other EMS services automatically start running.
