This document provides information about deploying FortiClient EMS using AWS Relational Database Service (RDS) Microsoft SQL Server. It aims to provide a step-by-step guide on EMS high availability (HA) with some basic coverage of AWS services. There may be some inaccuracies as regards to AWS services. Do not use this guide for AWS architectural design.
The example deployment that this document describes uses the following components:
- Two EC2 instances for EMS primary and secondary nodes
- Amazon FSx file system for network file share
- RDS Microsoft SQL Server
Before deploying virtual machine (VM) instances in AWS, review the following:
This deployment consists of the following steps:
- Deploy VMs in AWS. See To deploy VMs in AWS:.
- Launch RDS Microsoft SQL Server. See To launch RDS Microsoft SQL Server:.
- Set up an FSx file system. See To set up an FSx file system:.
- Install EMS. See To install EMS:.
- Set up health check and Route53 DNS for failover. See To set up health check and Route 53 DNS for failover:.
- Restore a database (DB). See To restore a DB:.
This example configures EMS nodes in the same zone. You can also deploy the EMS nodes in different zones.
- In the AWS console, search for EC2.
- Select Launch Instance.
- Configure the basic configuration fields as follows:
- Configure Network Settings as follows:
- Assign the desired VPC and subnet.
- Enable Auto-assign public IP.
- Select the desired security group.
- Configure other settings as desired, then launch the instance. This example uses default settings.
- Repeat steps 2-5 to launch the secondary EMS instance.
- For both EMS instances, configure security group inbound ports and allow access to the following ports:
EMS web access
FortiGate Fortinet Security Fabric connection
FortiClient package deployment
- In the AWS console, search for RDS.
- Select Create Database. This example uses Standard create.
- For Engine options, select Microsoft SQL Server. This example uses SQL Server Standard Edition.
- Configure settings as follows:
- Set the DB instance identifier.
- Set the desired master username and password.
- For SQL instance compute configuration, see Management capacity. This example uses Standard classes.
- Configure Storage settings and Availability & Durability as required.
- Configure Connectivity Settings as follows:
- Select Don't connect to an EC2 compute resource.
- Assign a VPC and subnet to the instance. This example enables public access.
- Assign a security group with inbound access enabled for the SQL port. In this example, the port is 1433.
- Configure other settings as desired, and create the DB.
Sharing files between EMS nodes relies on network fileshares. AWS FSx uses Active Directory (AD) for setup. This example uses a self-managed Microsoft AD and an EC2 AD instance set up on AWS which also acts as a DNS server. Both EMS nodes can reach AD and resolve FQDN. Ensure that the AD domain controller and DNS server are reachable from FSx. Before setup, see Prerequisites for using a self-managed Microsoft AD.
Both EMS nodes should be able to reach the FSx fileshare. In this example, FSx and the EMS nodes are in the same VPC and subnet. If they are in different VPCs, establish VPC peering for reachability. See .Create a VPC peering connection.
- In the AWS console, search for FSx.
- Create a new file system:
- Select Amazon FSx for Windows File Server.
- Configure a desired name for the file system. This example uses Single-AZ 2.
- For Storage type, select SSD.
- Enter the desired storage capacity.
- Configure Network & Security as follows:
- Assign a VPC and subnet to the file system.
- Select the desired security group. Ensure that the inbound ports are opened as Prerequisites for using a self-managed Microsoft AD describes.
- Configure Windows authentication as follows:
- For user authentication, select Self-managed Microsoft Active Directory.
- In the Active Directory domain name field, enter the AD domain name.
- In the DNS server IP addresses field, enter the DNS server IP address.
- In the Service account username and Service account password fields, enter credentials for the desired account with delegated permissions. See Prerequisites for using a self-managed Microsoft AD for service account permissions.
- Configure other settings as desired, then create the file system.
- To obtain the fileshare URL, highlight the FSx and select Attach. In this example, the URL is file:////amznfsxbgatdbyn.aws-emsha.com/share. You use this URL during EMS installation.
During EMS installation, the installer mounts fileshares as the W:\ drive. Ensure that the W:\ drive is free on all EMS nodes.
- Start the EMS installation on the primary node using the following command:
FortiClientEndpointManagementServer_7.0.8._x64.exe SQLServer=<AWS_RDS_FQDN> SQLPort=<AWS_SQL_port> PaaS=aws SQLUser=<SQL_user> SQLUserPassword=<SQL_password> InstallSQL=0 ScriptDB=1 FileStorageNic= FileStorageNicUser= FileStorageNicPass=
The following table describes the command parameters:
Informs EMS that it will connect to an AWS RDS.
Specifies that this is the primary node.
FileStorageNicUserformat is domain\username. The user should have read/write permissions to the share.
The following provides an example command:
SQLServer=mssqldb.awsmssql12345.us-east-1.rds.amazonaws.com SQLPort=1433 PaaS=aws SQLUser=awssql SQLUserPassword=Passowrd123! InstallSQL=0 ScriptDB=1 FileStorageNic= \\amznfsxbgatdbyn.aws-emsha.com\share FileStorageNicUser=aws-emsha.com\Administrator FileStorageNicPass=)J(Sz2W5RKAoA4.Hgq87GH=q
When installation completes, a mapped drive for the fileshare is created.
Start the EMS installation on the secondary node using the following command:
FortiClientEndpointManagementServer_7.0.8._x64.exe SQLServer= mssqldb.awsmssql12345.us-east-1.rds.amazonaws.com SQLPort=1433 PaaS=aws SQLUser= awssql SQLUserPassword=Password123! InstallSQL=0 ScriptDB=0 FileStorageNic= \\amznfsxbgatdbyn.aws-emsha.com\share FileStorageNicUser=aws-emsha.com\Administrator FileStorageNicPass=)J(Sz2W5RKAoA4.Hgq87GH=q
ScriptDB=0indicates that this is the secondary node.
- In AWS, search for and select Route 53.
- From the navigation pane, select Health Checks.
- Click Create health check.
- Configure the following:
- For What to monitor, select Endpoint.
- For Specify endpoint by, select either option.
- Enter the EMS primary node domain name or IP address.
- From the Protocol dropdown list, select TCP.
- In the Port field, enter 8013.
- Create the health check.
- Repeat steps 3-4 for the EMS secondary node.
- Check the status on the health check page. The primary node status is healthy and the secondary node status is unhealthy.
- You must configure the FQDN to use for EMS HA in a Route 53-hosted zone to effectively send traffic to the correct EMS based on availability. In this example, the FQDN is fctemsha.aws-emsha.com. You can configure this on EMS in System Settings > EMS Settings. For this example, configuration is as follows:
- Select to create a hosted zone, and enter the domain name.
- For Type, select Public hosted zone. Create the zone. You should register the domain before adding it to a hosted zone. You can use AWS domain registration services to register a domain if not already registered.
- After AWS creates the hosted zone, select the zone and create a record.
- Configure the record:
- From the Record type dropdown list, select CNAME.
- In the Value field, enter the primary EMS node domain name.
- From the Routing policy dropdown list, select Failover.
- From the Failover record type dropdown list, select Primary.
- In the Health check ID field, enter the EMS primary node health check ID.
- In the Record ID field, enter a unique record ID.
- Repeat steps c-i to create a record for the secondary EMS node. For Failover record type, select Secondary. In the Health check ID field, enter the EMS secondary node health check ID.
When using an AWS RDS, EMS cannot manage database backups or restore backups generated from another EMS instance. Therefore, these functionalities are disabled during EMS installation. Taking a database snapshot from the AWS console and restoring the snapshot is the preferred backup and restore method. This deployment does not support restoring EMS using a regular SQL Server backup or upgrading EMS from an existing SQL server installation to an EMS with AWS RDS.
- In the AWS console, go to the RDS DB.
- From the navigation pane, select Snapshots > Take snapshot.
- Select the desired DB instance.
- Enter the desired snapshot name.
- Select Actions > Restore snapshot.
- Restoring a snapshot requires a new RDS DB instance creation. Follow the steps in To launch RDS Microsoft SQL Server:.
- Update EMS to point to the new RDS instance:
- On the primary EMS node, go to C:\Program Files (x86)\Fortinet\FortiClientEMS.
- Open das.conf in a text editor.
- Update the Server field to the new RDS instance.
- Open db.conf in a text editor.
- Update the Server field to the new RDS instance.
- Repeat steps a-g on the EMS secondary node.