Fortinet black logo

EMS Administration Guide

Licensing EMS in an air-gapped network

Licensing EMS in an air-gapped network

If you are deploying EMS in an air-gapped or isolated network where EMS cannot access the Internet, you can configure EMS to receive updates from FortiManager to deploy to FortiClient. In offline mode, FortiManager allows export and import of FortiGuard packages from FortiManager for provisioning as a FortiGuard distribution server. You can export FortiGuard packages from an online FortiManager to import to an offline FortiManager that provides signature, engine, and FortiClient installer updates to EMS. EMS receives AntiVirus, Web Filter, Application Firewall, Vulnerability Scan, and Sandbox signatures and engines updates and FortiClient installers from FortiManager and deploys updates to FortiClient while in an air-gapped or isolated network.

This feature is also useful if you have experienced hardware failure and need to install EMS on another server. Fortinet customer support can provide a key file to allow you to apply your original license to EMS on the new server.

To configure EMS for an air-gapped network:
  1. Contact Fortinet Customer Service & Support. Provide them with your original EMS license file and the IP address of the new machine where you install EMS. They provide you with a key file.
  2. Install EMS. See Installing FortiClient EMS.
  3. Go to System Settings > EMS settings. Ensure that the value in the Listen on IP field matches the IP address that you gave to Customer Service & Support in step 1. Otherwise, EMS cannot validate the key file.
  4. In EMS, on the License Information widget, select Config License.
  5. For License Source, select File Upload.
  6. In License File, browse to and upload your original license file.
  7. EMS detects that the hardware ID associated with the license has changed and prompts you to upload the key file. Browse to and upload the key file that Customer Service & Support provided to you. If the key file matches the license file, the EMS license is activated.

  8. Enable EMS to use FortiManager for signature updates:
    1. Go to System Settings > FortiGuard Servings.
    2. Enable Use FortiManager for client software/signature updates.
    3. Configure the fields for the desired FortiManager.
    4. Click Save.
  9. Enable endpoint profiles to use FortiManager for signature updates:
    1. Go to Endpoint Profiles > Manage Profiles.
    2. Select the desired profile.
    3. On the System Settings tab, under Update, enable Use FortiManager for Client Signature Update.
    4. Configure the fields for the same FortiManager as you configured in step 8.
    5. Configure the update schedule as desired.
    6. Click Save.

Licensing EMS in an air-gapped network

If you are deploying EMS in an air-gapped or isolated network where EMS cannot access the Internet, you can configure EMS to receive updates from FortiManager to deploy to FortiClient. In offline mode, FortiManager allows export and import of FortiGuard packages from FortiManager for provisioning as a FortiGuard distribution server. You can export FortiGuard packages from an online FortiManager to import to an offline FortiManager that provides signature, engine, and FortiClient installer updates to EMS. EMS receives AntiVirus, Web Filter, Application Firewall, Vulnerability Scan, and Sandbox signatures and engines updates and FortiClient installers from FortiManager and deploys updates to FortiClient while in an air-gapped or isolated network.

This feature is also useful if you have experienced hardware failure and need to install EMS on another server. Fortinet customer support can provide a key file to allow you to apply your original license to EMS on the new server.

To configure EMS for an air-gapped network:
  1. Contact Fortinet Customer Service & Support. Provide them with your original EMS license file and the IP address of the new machine where you install EMS. They provide you with a key file.
  2. Install EMS. See Installing FortiClient EMS.
  3. Go to System Settings > EMS settings. Ensure that the value in the Listen on IP field matches the IP address that you gave to Customer Service & Support in step 1. Otherwise, EMS cannot validate the key file.
  4. In EMS, on the License Information widget, select Config License.
  5. For License Source, select File Upload.
  6. In License File, browse to and upload your original license file.
  7. EMS detects that the hardware ID associated with the license has changed and prompts you to upload the key file. Browse to and upload the key file that Customer Service & Support provided to you. If the key file matches the license file, the EMS license is activated.

  8. Enable EMS to use FortiManager for signature updates:
    1. Go to System Settings > FortiGuard Servings.
    2. Enable Use FortiManager for client software/signature updates.
    3. Configure the fields for the desired FortiManager.
    4. Click Save.
  9. Enable endpoint profiles to use FortiManager for signature updates:
    1. Go to Endpoint Profiles > Manage Profiles.
    2. Select the desired profile.
    3. On the System Settings tab, under Update, enable Use FortiManager for Client Signature Update.
    4. Configure the fields for the same FortiManager as you configured in step 8.
    5. Configure the update schedule as desired.
    6. Click Save.