7.2.0

Deployment overview

This document provides examples of how an administrator can require users to provide credentials to securely connect and register to EMS as part of enabling zero trust network access. Without requiring user authentication or an invite code, nothing prevents an unauthorized user from registering to your EMS, receiving your configurations, and possibly compromising your security. This deployment guide shows the best practices to securely onboard users to EMS using an invitation code as well as user authentication.

This document includes the following examples:

  • Local authentication
  • Active Directory (AD) LDAP authentication
  • SAML authentication

This document only provides the configuration needed to use the aforementioned options on EMS and FortiClient. If you are using LDAP or SAML authentication, it is expected that the related systems, such as AD and an identity provider, are already configured in your environment.

A simple topology is used to explain the process for each option:

Intended audience

This guide is aimed at administrators who have working knowledge of the option they will be implementing, such as LDAP or SAML, and want the EMS and FortiClient configuration required to complete the onboarding. Administrators will also need familiarity with generating certificates to secure the connection between FortiClient and EMS.

About this guide

For greater security and use with user-based licensing, configuring user onboarding with verification is recommended. By enforcing user verification during the onboarding process, you can secure the connection between EMS and endpoints and block unknown users and endpoints from registering to EMS.

With user-based licensing, a user can register up to three endpoint devices under one user license.

The deployment options discussed in this guide are one implementation of each option. Some features are not used, and you may need to adapt some steps to suit your environment. Readers should also review supplementary material, such as product administration guides, example guides, cookbooks, release notes, and other documents, on the Fortinet Document Library where appropriate.