EMS Administration Guide

Azure SQL managed instance

You can deploy EMS using an Azure SQL managed instance. Azure provides two SQL-based offerings, Azure SQL Managed Instance and Azure SQL Database, which are not interchangeable. EMS only supports Azure SQL managed instances; Azure SQL databases do not provide all the features that EMS requires.

The following example deploys Azure virtual machines (VMs) as the EMS nodes. The deployment also supports on-premises EMS nodes: you can set up the EMS nodes outside the Azure environment and point them at the managed instance.

The deployment consists of the following steps:

  1. Deploy VMs in Azure. See To deploy VMs in Azure.
  2. Install an Azure SQL managed instance. See To install an Azure SQL managed instance.
  3. Configure file sharing. See To configure file sharing.
  4. Install EMS. See To install EMS.

The document also provides information on backing up and restoring a database on EMS when using this deployment. See To restore a database.

To deploy VMs in Azure:
  1. In the Azure marketplace, select the desired VM listing.
  2. Click Create, then Create a virtual machine hosted by Azure.
  3. Configure the basic configuration fields as follows:
    1. If you require VM redundancy, select the desired availability option. Otherwise, select No infrastructure redundancy required.
    2. Select the desired VM image. See Management capacity.
    3. Configure other fields as desired. Click Next.
  4. For OS disk type, select Premium SSD. Click Next.
  5. Configure network settings:
    1. Create a virtual network (VNet) if it is not already configured.
    2. Create a public IP address if you require outside communication.
  6. Configure other settings as desired, then create the VM. This example uses default settings.
  7. For both EMS nodes, configure the network security group inbound rules to allow TCP ports 8013 (endpoint connection), 443 (EMS web access), 8015 (FortiGate Security Fabric connection), 10443 (FortiClient package deployment), and 8443 (Chromebook access). Scope each rule to the source ranges that need it rather than Any: only administrators need 443, and only the FortiGate needs 8015.

To install an Azure SQL managed instance:
  1. In the Azure marketplace, search for SQL managed instance.
  2. Click Create.
  3. When configuring the number of vCores and the storage size, consider the sizing guidelines in Management capacity. Configure other fields as desired, then click Next.
  4. Configure network settings:
    1. From the Virtual network / subnet dropdown list, select the EMS servers' VNet.
    2. For the Connection type (VNet-local endpoint) dropdown list, leave the default value, Proxy (Default).
    3. If the EMS server may need to access this SQL instance over the Internet, enable Public endpoint (data). Otherwise, disable this option.
  5. Configure other settings as desired, then create the instance.
  6. After deployment finishes, go to Settings > Connection strings. Note the SQL database FQDN and listen port. The EMS installation requires these values.
  7. If the EMS server will access the SQL database through the public endpoint, go to the managed instance's network security group and add an inbound rule that allows TCP port 3342 (the public endpoint port) from the EMS nodes' addresses only.
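The network rules from the two procedures above, scripted with the Az PowerShell module. This is an added example and not part of the EMS guide; the resource group, NSG names, and source address ranges are assumptions to replace with your own, and the 3342 rule is only needed when the EMS nodes use the public endpoint.

```powershell
# Added example (not from the EMS guide): create the inbound NSG rules the guide requires,
# scoped to source ranges instead of "Any". Resource names and source ranges are assumptions.
# Requires the Az.Network module and a prior Connect-AzAccount.
$ResourceGroup    = 'rg-ems'                 # assumption
$EmsNsgName       = 'nsg-ems-nodes'          # assumption: NSG attached to both EMS node NICs
$SqlMiNsgName     = 'nsg-sqlmi'              # assumption: NSG on the managed instance subnet
$EmsNodePublicIps = @('203.0.113.10/32', '203.0.113.11/32')  # assumption: EMS node public IPs (TEST-NET-3)
$AdminRange       = '198.51.100.0/24'        # assumption: admin and FortiGate network (TEST-NET-2)

# Port -> purpose, as listed in the guide for the EMS nodes. Only endpoint-facing
# services are opened to the Internet; management-facing ones are limited to $AdminRange.
$EmsRules = @(
    @{ Port = 8013;  Purpose = 'endpoint-connection';    Source = 'Internet'  },
    @{ Port = 443;   Purpose = 'ems-web-access';         Source = $AdminRange },
    @{ Port = 8015;  Purpose = 'fortigate-fabric';       Source = $AdminRange },
    @{ Port = 10443; Purpose = 'forticlient-deployment'; Source = 'Internet'  },
    @{ Port = 8443;  Purpose = 'chromebook-access';      Source = 'Internet'  }
)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $EmsNsgName
$priority = 1000
foreach ($rule in $EmsRules) {
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name "allow-$($rule.Purpose)-$($rule.Port)" `
        -Description "EMS $($rule.Purpose)" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
        -SourceAddressPrefix $rule.Source -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $rule.Port
    $priority += 10
}
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Only when the EMS nodes reach the managed instance through its public endpoint:
# allow 3342 from the EMS nodes' public addresses, never from 'Internet'.
$sqlNsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $SqlMiNsgName
$sqlNsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $sqlNsg `
    -Name 'allow-ems-sql-public-endpoint-3342' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 1300 `
    -SourceAddressPrefix $EmsNodePublicIps -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3342
$sqlNsg | Set-AzNetworkSecurityGroup | Out-Null

# Review what is now allowed inbound before going live.
(Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $EmsNsgName).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run it once per environment after the VMs and the managed instance exist; the final listing is what you should compare against the five ports the guide names, and anything else allowed inbound deserves a justification.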

To configure file sharing:

Sharing files between EMS nodes relies on a network share that only the EMS nodes can reach. If you deploy on-premises EMS nodes, you can use a shared folder. For this deployment, where the EMS nodes run on Azure, file sharing uses an Azure Files SMB file share in a storage account.

  1. Create a storage account:
    1. In the Azure marketplace, search for storage account.
    2. Click Create.
    3. For Performance, select Premium.
    4. From the Premium account type dropdown list, select File shares. (A premium Block blobs account has no File shares service, so the share in step 7 cannot be created on it.) Configure other fields as desired, then click Next.
    5. On the Advanced tab, leave the default settings. Click Next.
    6. Under Public network access, select Enabled from selected virtual networks and IP addresses.
    7. Under Virtual networks, select the EMS server VNet.
    8. Set Routing Preference to Microsoft network routing.
    9. Leave the default settings for data protection and encryption. Proceed to create the account.
  2. Once Azure creates the storage account, verify the following settings under Configuration. The first three relax the account's defaults (unencrypted transfer, anonymous blob access, and shared-key authentication, which is what the installer uses), so the network rules in steps 3 to 5 are what keeps the share private to the EMS nodes:
    1. Secure Transfer required is disabled.
    2. Blob public access is enabled.
    3. Storage account key access is enabled.
    4. Version 1.2 is configured for minimum TLS version.
  3. Go to Security + networking > Networking.
  4. Under Firewall, add the public IP addresses of the EMS nodes that must reach the share over the Internet. Do not add broader ranges: anyone in range who holds the account key can mount the share.
  5. Enable Allow Azure services on the trusted services list to access this storage account.
  6. Go to Data storage > File shares.
  7. Create a file share.
  8. From the context menu, click Connect, then select Show Script.
  9. Note the path, username, and password values from the script for use during EMS installation. The username is localhost\<storage account name> and the password is a storage account key; handle it as a credential, not as configuration.
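A read-back of the storage account settings listed in steps 2 to 5, as an added example that is not part of the EMS guide. It uses the Az.Storage module; the resource group, account name, and VNet resource ID are assumptions.

```powershell
# Added example (not from the EMS guide): read back the storage account settings the guide
# tells you to verify and flag anything that drifts from them. Names are assumptions.
# Requires the Az.Storage module and a prior Connect-AzAccount.
$ResourceGroup  = 'rg-ems'          # assumption
$StorageAccount = 'emsfileshare01'  # assumption
$EmsVnetId      = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ems/providers/Microsoft.Network/virtualNetworks/vnet-ems'  # assumption

$acct  = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount

# Expected values taken from the guide's "Configuration" and "Networking" steps.
# AllowSharedKeyAccess is $null on accounts where it was never set, which means enabled.
$checks = [ordered]@{
    'Secure transfer required = disabled'                   = ($acct.EnableHttpsTrafficOnly -eq $false)
    'Blob public access = enabled'                          = ($acct.AllowBlobPublicAccess -eq $true)
    'Storage account key access = enabled'                  = ($acct.AllowSharedKeyAccess -ne $false)
    'Minimum TLS version = 1.2'                             = ($acct.MinimumTlsVersion -eq 'TLS1_2')
    'Public access limited to selected networks (Deny)'     = ($rules.DefaultAction -eq 'Deny')
    'Trusted Azure services bypass enabled'                 = ("$($rules.Bypass)" -match 'AzureServices')
    'EMS VNet present in allowed virtual networks'          =
        [bool]($rules.VirtualNetworkRules | Where-Object { $_.VirtualNetworkResourceId -like "$EmsVnetId/subnets/*" })
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output "[$status] $($check.Key)"
}

# The firewall allow-list should contain only the EMS nodes' public addresses;
# every extra entry widens who can reach the share with the account key.
Write-Output 'Firewall IP rules currently allowed:'
$rules.IpRules | ForEach-Object { Write-Output "  $($_.IPAddressOrRange)" }
```

Because three of the required settings are weaker than the account defaults, this check is worth scheduling after the deployment as well: a later "hardening" pass that flips secure transfer back on will break the share mount, while a later loosening of the firewall list will expose it.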

To install EMS:

Do one of the following:

  1. If installing EMS on nodes in Azure, do the following:
    1. During EMS installation, the installer mounts the file share as the W:\ drive. Ensure that the W:\ drive is free on all EMS nodes.
    2. Start the EMS installation on the primary node using the following command, supplying each value directly after the equals sign with no space: FortiClientEndpointManagementServer_7.2.X._x64.exe SQLServer=<Azure SQL FQDN> SQLPort=<Azure SQL port> PaaS=azure SQLUser=<SQL user> SQLUserPassword=<SQL password> InstallSQL=0 ScriptDB=1 FileStorageNic=<file share path> FileStorageNicUser=<file share username> FileStorageNicPass=<storage account key>

      Parameter            Description
      PaaS=azure           Informs EMS that it will connect to an Azure SQL managed instance.
      FileStorageNic       File share path.
      FileStorageNicUser   File share username.
      FileStorageNicPass   File share password (the storage account key).
      ScriptDB=1           Specifies that this is the primary node.

      The following provides an example command with sample values. The SQL password and storage account key are passed in cleartext on the command line, so run the command from an interactive elevated prompt rather than saving it in a script, and clear it from the shell history afterward: FortiClientEndpointManagementServer_7.2.X._x64.exe SQLServer=azuresqlemsha.public.123456789.database.windows.net SQLPort=3342 PaaS=azure SQLUser=emsadmin SQLUserPassword=Password123# InstallSQL=0 ScriptDB=1 FileStorageNic=\\fileshare.file.core.windows.net\storage FileStorageNicUser=localhost\fileshare FileStorageNicPass=TfXCxJkNP4kbzR78GhOYYxcZS22hGQ+lMcke

      After installation completes, a mapped drive for the fileshare is created.

    3. Start the EMS installation on the secondary node using the following command (same values as the primary node, with ScriptDB=0): FortiClientEndpointManagementServer_7.2.X._x64.exe SQLServer=azuresqlemsha.public.123456789.database.windows.net SQLPort=3342 PaaS=azure SQLUser=emsadmin SQLUserPassword=Password123# InstallSQL=0 ScriptDB=0 FileStorageNic=\\fileshare.file.core.windows.net\storage FileStorageNicUser=localhost\fileshare FileStorageNicPass=TfXCxJkNP4kbzR78GhOYYxcZS22hGQ+lMcke

      ScriptDB=0 indicates that this is the secondary node.

      For Azure traffic manager setup in an Azure environment, see Fabric connection setup using traffic manager.

  2. If installing on-premises EMS, do the following:
    1. Create and share a folder on the network. The shared folder is mounted as a drive during EMS installation.
    2. Install EMS on the primary node with the following command, supplying each value directly after the equals sign with no space: FortiClientEndpointManagementServer_7.2.X._x64.exe SQLServer=<Azure_SQL_FQDN> SQLPort=<Azure_SQL_Port> PaaS=azure SQLUser=<SQL User> SQLUserPassword=<SQL_Password> InstallSQL=0 ScriptDB=1 FileStorageNic=<share path> FileStorageNicUser=<share username> FileStorageNicPass=<share password>

      The following provides an example command with sample values. Use a dedicated account that has only read/write/modify permissions on the share rather than a domain administrator as in the example: FortiClientEndpointManagementServer_7.2.X._x64.exe SQLServer=azuresqlemsha.public.123456789.database.windows.net SQLPort=3342 PaaS=azure SQLUser=emsadmin SQLUserPassword=AzureSql123!@# InstallSQL=0 ScriptDB=1 FileStorageNic=\\Server\emsshare FileStorageNicUser=LAB\administrator FileStorageNicPass=Admin123!

      Parameter            Description
      FileStorageNic       File share path.
      FileStorageNicUser   Username of an account with read/write/modify permissions on the shared folder.
      FileStorageNicPass   Password of that account.

    3. Install EMS on the secondary node with the following command (same values as the primary node, with ScriptDB=0): FortiClientEndpointManagementServer_7.2.X._x64.exe SQLServer=azuresqlemsha.public.123456789.database.windows.net SQLPort=3342 PaaS=azure SQLUser=emsadmin SQLUserPassword=AzureSql123!@# InstallSQL=0 ScriptDB=0 FileStorageNic=\\Server\emsshare FileStorageNicUser=LAB\administrator FileStorageNicPass=Admin123!
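A pre-flight and launch script for one EMS node that covers both the Azure and on-premises cases above, as an added example that is not part of the EMS guide or the installer. The installer parameters and the sample SQL and share values are those from the guide; the credential prompts, the reachability checks, and the host naming are additions and assumptions.

```powershell
# Added example (not from the EMS guide): pre-flight checks and installer launch for one EMS
# node. Run with -Primary on the first node (ScriptDB=1); omit it on the second (ScriptDB=0).
# Installer file name, SQL FQDN/port, share path and share user are the guide's sample values;
# the checks and the prompt-based credential handling are this script's own additions.
param(
    [switch]$Primary,
    [string]$Installer = '.\FortiClientEndpointManagementServer_7.2.X._x64.exe',
    [string]$SqlServer = 'azuresqlemsha.public.123456789.database.windows.net',
    [int]   $SqlPort   = 3342,
    [string]$SqlUser   = 'emsadmin',
    [string]$SharePath = '\\fileshare.file.core.windows.net\storage',
    [string]$ShareUser = 'localhost\fileshare'
)

# Secrets are prompted, never hard-coded in the script or left in a saved command line.
$sqlPassword   = Read-Host -Prompt 'SQL password'        -AsSecureString
$sharePassword = Read-Host -Prompt 'Storage account key' -AsSecureString

function ConvertFrom-SecureStringPlain([securestring]$s) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# 1. W:\ must be free: the installer maps the file share there.
if (Get-PSDrive -Name W -ErrorAction SilentlyContinue) {
    throw 'Drive W: is already in use; free it before installing.'
}

# 2. The managed instance must answer on the configured port (3342 for the public endpoint).
$sql = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
if (-not $sql.TcpTestSucceeded) { throw "Cannot reach $SqlServer on TCP/$SqlPort; check the managed instance NSG." }

# 3. The share host must answer on SMB (TCP/445) and the share must mount with the given credentials.
$shareHost = ($SharePath -split '\\')[2]
$smb = Test-NetConnection -ComputerName $shareHost -Port 445 -WarningAction SilentlyContinue
if (-not $smb.TcpTestSucceeded) { throw "Cannot reach $shareHost on TCP/445; check the storage account firewall." }
$cred = New-Object System.Management.Automation.PSCredential($ShareUser, $sharePassword)
New-PSDrive -Name EMSCHK -PSProvider FileSystem -Root $SharePath -Credential $cred -ErrorAction Stop | Out-Null
Remove-PSDrive -Name EMSCHK

# 4. Launch the installer with the guide's parameter set. Each value follows '=' with no space.
$scriptDb = if ($Primary) { 1 } else { 0 }
$installerArgs = @(
    "SQLServer=$SqlServer", "SQLPort=$SqlPort", 'PaaS=azure',
    "SQLUser=$SqlUser", "SQLUserPassword=$(ConvertFrom-SecureStringPlain $sqlPassword)",
    'InstallSQL=0', "ScriptDB=$scriptDb",
    "FileStorageNic=$SharePath", "FileStorageNicUser=$ShareUser",
    "FileStorageNicPass=$(ConvertFrom-SecureStringPlain $sharePassword)"
)
$proc = Start-Process -FilePath $Installer -ArgumentList $installerArgs -Wait -PassThru
Write-Output "Installer exited with code $($proc.ExitCode)"
```

For an on-premises node, pass -SharePath '\\Server\emsshare' and -ShareUser 'LAB\emssvc' (or whatever dedicated share account you created); the same three checks apply. The secrets still reach the installer process as command-line arguments, which is how the installer takes them, so the script reduces exposure in history and saved files but not in a process listing taken while the installer runs.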

To restore a database:

When using an Azure SQL managed instance database, EMS cannot manage database backups or restore backups generated from another EMS instance. Azure provides a dashboard to set up and manage automatic database backups, and this is the recommended backup and restore method for this deployment. Restoring a regular SQL Server backup, and upgrading EMS from an existing SQL Server installation to an EMS with an Azure SQL managed instance database, are not supported.

  1. In the Azure portal, go to Databases.
  2. Select the FCM database.
  3. Click Restore.
  4. Enter a unique name, for example FCM_backup. The restore creates a copy; the original database remains in place.
  5. Repeat the process for all EMS databases.
  6. Log in to SQL Server Management Studio and confirm that it lists the restored databases.
  7. Stop the EMS services on all nodes so that no connection holds the databases open, then delete the original database from the Azure portal.
  8. Rename the restored database to the original name. For example, to restore the FCM_backup database, rename it to FCM as follows: ALTER DATABASE [FCM_backup] MODIFY NAME = [FCM]. Start the EMS services again once all databases have been renamed.
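The same restore procedure driven from PowerShell with the Az.Sql and SqlServer modules, as an added example that is not part of the EMS guide. The managed instance name, the point in time, and the FortiClient* service display-name filter are assumptions; the database rename is the ALTER DATABASE statement from step 8.

```powershell
# Added example (not from the EMS guide): the guide's restore steps done with Az.Sql and the
# SqlServer module instead of the portal. Instance name, point in time and the service-name
# filter are assumptions; the FCM database name and the rename statement are from the guide.
$ResourceGroup = 'rg-ems'                   # assumption
$InstanceName  = 'azuresqlemsha'            # assumption: managed instance name
$SqlFqdn       = 'azuresqlemsha.public.123456789.database.windows.net'
$SqlPort       = 3342
$PointInTime   = (Get-Date).AddHours(-2)    # assumption: a restore point before the damage
$Databases     = @('FCM')                   # add the other EMS databases on the instance here
$SqlCred       = Get-Credential -UserName 'emsadmin' -Message 'SQL admin password'

# Steps 1-5: restore each database to a new name. The originals stay untouched until verified.
foreach ($db in $Databases) {
    Restore-AzSqlInstanceDatabase -FromPointInTimeBackup `
        -ResourceGroupName $ResourceGroup -InstanceName $InstanceName -Name $db `
        -PointInTime $PointInTime -TargetInstanceDatabaseName "${db}_backup" | Out-Null
}

# Step 6: confirm the instance lists every restored copy before anything is deleted.
$restored = Invoke-Sqlcmd -ServerInstance "$SqlFqdn,$SqlPort" -Database master `
    -Credential $SqlCred -EncryptConnection `
    -Query "SELECT name FROM sys.databases WHERE name LIKE '%[_]backup'" |
    Select-Object -ExpandProperty name
foreach ($db in $Databases) {
    if ("${db}_backup" -notin $restored) { throw "Restore of $db did not produce ${db}_backup; stopping before cut-over." }
}

# Steps 7-8: cut over. Stop EMS on this node (repeat on the other node) so no connection holds
# the databases open, drop the originals, and rename the copies back to the original names.
Get-Service -DisplayName 'FortiClient*' -ErrorAction SilentlyContinue | Stop-Service -Force
foreach ($db in $Databases) {
    Remove-AzSqlInstanceDatabase -ResourceGroupName $ResourceGroup -InstanceName $InstanceName -Name $db -Force
    Invoke-Sqlcmd -ServerInstance "$SqlFqdn,$SqlPort" -Database master `
        -Credential $SqlCred -EncryptConnection `
        -Query "ALTER DATABASE [${db}_backup] MODIFY NAME = [$db];"
}
Get-Service -DisplayName 'FortiClient*' -ErrorAction SilentlyContinue | Start-Service
```

The check after step 6 is the part the portal flow leaves to the operator: the script refuses to delete an original unless its restored copy is actually present, so a failed or still-running restore cannot turn into data loss.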
