Fortinet black logo

EMS Administration Guide

Required services and ports

Required services and ports

You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Telemetry

FortiClient endpoint management

TCP

8013 (default)

Incoming

Installer/GUI

Samba (SMB) service

FortiClient EMS uses the SMB service during FortiClient initial deployment.

TCP

445

Outgoing

N/A

Distributed Computing Environment/Remote Procedure Calls (DCE/RPC)

FortiClient EMS connects to endpoints using RPC for FortiClient initial deployment.

TCP

135

1024-5000*

49152-65535*

Outgoing

You can configure ranges noted with *. See How to configure RPC dynamic port allocation to work with firewalls.

Active Directory server connection

Retrieving workstation and user information

TCP

389 (LDAP) or

636 (LDAPS)

Outgoing

GUI

FortiClient download

Downloading FortiClient deployment packages created by FortiClient EMS

TCP

10443 (default)

Incoming

Installer

Web Filter custom page download

Downloading custom Web Filter pages that the administrator created in EMS.

TCP

10443 (default)

Incoming

N/A

Antivirus (AV) allowlist signature download

Downloading AV allowlist signatures.

TCP

10443 (default)

Incoming

N/A

Apache/HTTPS

Web access to FortiClient EMS.

Also required for the ACME feature.

TCP

443

Incoming

Installer

SMTP server/email

Alerts for FortiClient EMS and endpoint events. When an alert is triggered, EMS sends an email notification.

TCP

25 (default)

Outgoing

GUI

FortiClient endpoint probing

FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.

ICMP

N/A

Outgoing

N/A

FSSO

Connection to FortiOS.

TCP

8000

Incoming

N/A

Communication with FortiOS

EMS is the server that opens up the port for FortiOS to connect to as a client.

TCP

8015

Incoming

N/A

ACME

EMS can use certificates that are managed by Let's Encrypt and other certificate management services that use the ACME protocol.

This feature also requires port 443.

See Adding an SSL certificate to FortiClient EMS.

TCP

80

Incoming

N/A

The following ports and services only apply when using FortiClient EMS to manage Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient on Chrome OS

Connecting to FortiClient EMS

TCP

8443 (default)

You can customize this port.

Incoming

GUI

Google Workspace API/Google domain directory

Retrieving Google domain information using API calls

TCP

443

Outgoing

N/A

You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient EMS

Connecting to the profile server

TCP

8443 (default)

Outgoing

Via Google Admin console when adding the profile

FortiGuard

Rating URLs

TCP

443, 3400

Outgoing

N/A

FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates. FortiClient EMS can connect to legacy FortiGuard or FortiGuard Anycast. The following table summarizes required services for FortiClient EMS to communicate with FortiGuard:

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Global

U.S.

Europe

AV/vulnerability signature update

forticlient.fortinet.net

myforticlient.fortinet.net

usforticlient.fortinet.net

N/A

TCP

80

Outgoing

N/A

AV/vulnerability signature updates with FortiGuard Anycast

fctupdate.fortinet.net

fctusupdate.fortinet.net

fcteuupdate.fortinet.net

TCP

443

Outgoing

N/A

note icon

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide.

Required services and ports

You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Telemetry

FortiClient endpoint management

TCP

8013 (default)

Incoming

Installer/GUI

Samba (SMB) service

FortiClient EMS uses the SMB service during FortiClient initial deployment.

TCP

445

Outgoing

N/A

Distributed Computing Environment/Remote Procedure Calls (DCE/RPC)

FortiClient EMS connects to endpoints using RPC for FortiClient initial deployment.

TCP

135

1024-5000*

49152-65535*

Outgoing

You can configure ranges noted with *. See How to configure RPC dynamic port allocation to work with firewalls.

Active Directory server connection

Retrieving workstation and user information

TCP

389 (LDAP) or

636 (LDAPS)

Outgoing

GUI

FortiClient download

Downloading FortiClient deployment packages created by FortiClient EMS

TCP

10443 (default)

Incoming

Installer

Web Filter custom page download

Downloading custom Web Filter pages that the administrator created in EMS.

TCP

10443 (default)

Incoming

N/A

Antivirus (AV) allowlist signature download

Downloading AV allowlist signatures.

TCP

10443 (default)

Incoming

N/A

Apache/HTTPS

Web access to FortiClient EMS.

Also required for the ACME feature.

TCP

443

Incoming

Installer

SMTP server/email

Alerts for FortiClient EMS and endpoint events. When an alert is triggered, EMS sends an email notification.

TCP

25 (default)

Outgoing

GUI

FortiClient endpoint probing

FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.

ICMP

N/A

Outgoing

N/A

FSSO

Connection to FortiOS.

TCP

8000

Incoming

N/A

Communication with FortiOS

EMS is the server that opens up the port for FortiOS to connect to as a client.

TCP

8015

Incoming

N/A

ACME

EMS can use certificates that are managed by Let's Encrypt and other certificate management services that use the ACME protocol.

This feature also requires port 443.

See Adding an SSL certificate to FortiClient EMS.

TCP

80

Incoming

N/A

The following ports and services only apply when using FortiClient EMS to manage Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient on Chrome OS

Connecting to FortiClient EMS

TCP

8443 (default)

You can customize this port.

Incoming

GUI

Google Workspace API/Google domain directory

Retrieving Google domain information using API calls

TCP

443

Outgoing

N/A

You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient EMS

Connecting to the profile server

TCP

8443 (default)

Outgoing

Via Google Admin console when adding the profile

FortiGuard

Rating URLs

TCP

443, 3400

Outgoing

N/A

FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates. FortiClient EMS can connect to legacy FortiGuard or FortiGuard Anycast. The following table summarizes required services for FortiClient EMS to communicate with FortiGuard:

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Global

U.S.

Europe

AV/vulnerability signature update

forticlient.fortinet.net

myforticlient.fortinet.net

usforticlient.fortinet.net

N/A

TCP

80

Outgoing

N/A

AV/vulnerability signature updates with FortiGuard Anycast

fctupdate.fortinet.net

fctusupdate.fortinet.net

fcteuupdate.fortinet.net

TCP

443

Outgoing

N/A

note icon

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide.