EMS Administration Guide

Required services and ports

You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.

| Communication | Usage | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient Telemetry | FortiClient endpoint management | TCP | 8013 (default) | Incoming | Installer/GUI |
| Active Directory server connection | Retrieving workstation and user information | TCP | 389 (LDAP) or 636 (LDAPS) | Outgoing | GUI |
| FortiClient download | Downloading FortiClient deployment packages that FortiClient EMS created | TCP | 10443 (default) | Incoming | Installer |
| Web Filter custom page download | Downloading custom Web Filter pages that the administrator created in EMS | TCP | 10443 (default) | Incoming | N/A |
| Antivirus (AV) allowlist signature download | Downloading AV allowlist signatures. | TCP | 10443 (default) | Incoming | N/A |
| Apache/HTTPS | Web access to FortiClient EMS. Also required for the ACME feature. | TCP | 443 | Incoming | Installer |
| SMTP server/email | Alerts for FortiClient EMS and endpoint events. When an alert is triggered, EMS sends an email notification. | TCP | 25 (default) | Outgoing | GUI |
| FortiClient endpoint probing | FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment. | ICMP | N/A | Outgoing | N/A |
| Communication with FortiOS | EMS is the server that opens up the port for FortiOS to connect to as a client. | TCP | 8015 | Incoming | N/A |
| ACME | EMS can use certificates managed by Let's Encrypt and other certificate management services that use the ACME protocol. This feature also requires port 443. See Adding an SSL certificate to FortiClient EMS. | TCP | 80 | Incoming | N/A |
| License synchronization | FortiCare login (support.fortinet.com) to synchronize licenses | TCP | 443 | Outgoing | N/A |
| FortiCloud | FortiCloud services (forticlient.forticloud.com) | TCP | 443 | Outgoing | N/A |
| SCEP service | Installing zero trust network access certificate | TCP | 40001, 40002 | Incoming | N/A |

The following ports and services only apply when using FortiClient EMS to manage Chromebooks:

| Communication | Usage | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient on Chrome OS | Connecting to FortiClient EMS | TCP | 8443 (default). You can customize this port. | Incoming | GUI |
| Google Workspace API/Google domain directory | Retrieving Google domain information using API calls | TCP | 443 | Outgoing | N/A |

You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:

| Communication | Usage | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient EMS | Connecting to the profile server | TCP | 8443 (default) | Outgoing | Via Google Admin console when adding the profile |
| FortiGuard | Rating URLs | TCP | 443, 3400 | Outgoing | N/A |

FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates, as well as FortiClient and EMS installers. FortiClient EMS can connect to legacy FortiGuard or FortiGuard Anycast. The following table summarizes required services for FortiClient EMS to communicate with FortiGuard:

| Usage | Server URL (Global) | Server URL (U.S.) | Server URL (Europe) | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|---|---|
| AV/vulnerability signature update and FortiClient installer downloads | forticlient.fortinet.net, myforticlient.fortinet.net | usforticlient.fortinet.net | N/A | TCP | 80 | Outgoing | N/A |
| AV/vulnerability signature updates with FortiGuard Anycast and FortiClient installer package download | fctupdate.fortinet.net | fctusupdate.fortinet.net | fcteuupdate.fortinet.net | TCP | 443 | Outgoing | N/A |

FortiClient EMS can also connect to FortiClient Cloud Sandbox (SaaS) for integration with FortiSandbox. The following table summarizes required services for FortiClient EMS to communicate with FortiClient Cloud Sandbox (SaaS):

| Usage | Server URL | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient EMS Cloud Sandbox (SaaS) connection | aptctrl1.fortinet.com | TCP | 443 (default) | Outgoing | N/A |

For the list of required services and ports for FortiClient, see the FortiClient Administration Guide.
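
To confirm that an EMS server exposes the incoming ports listed above and nothing else, compare its listening sockets with the table. The following is an added example, not part of the Fortinet guide or of EMS: the feature labels, function names and sample socket listing are assumptions made for illustration, and it checks only local listeners, not firewall rules.

```python
import re

# Incoming TCP ports from the tables above; labels are this example's own.
EMS_INBOUND = {
    "telemetry": {8013},
    "download": {10443},          # packages, Web Filter pages, AV allowlist
    "https": {443},
    "fortios": {8015},
    "acme": {80, 443},
    "scep": {40001, 40002},
    "chromebook": {8443},
}
_LOCAL = re.compile(r"^(.*):(\d+)$")

def listening_ports(text):
    """Return TCP ports listening on a non-loopback address."""
    ports = set()
    for line in text.splitlines():
        tokens = line.split()
        if not {"LISTEN", "LISTENING"} & set(tokens):
            continue  # skips ESTABLISHED sockets, UDP rows and headers
        for tok in tokens:
            m = _LOCAL.match(tok)
            if m:  # the first addr:port token is the local address
                if not m.group(1).startswith(("127.", "[::1]")):
                    ports.add(int(m.group(2)))
                break
    return ports

def audit(text, features):
    """Compare listeners with the ports documented for the features in use."""
    expected = set().union(*(EMS_INBOUND[f] for f in features))
    found = listening_ports(text)
    return {"missing": sorted(expected - found),
            "undocumented": sorted(found - expected)}

# Constructed sample: Windows `netstat -an` rows plus one Linux `ss -tln` row.
SAMPLE = """\
  TCP    0.0.0.0:443      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:8013     0.0.0.0:0        LISTENING
  TCP    127.0.0.1:8015   0.0.0.0:0        LISTENING
  TCP    0.0.0.0:3389     0.0.0.0:0        LISTENING
  TCP    [::]:10443       [::]:0           LISTENING
  TCP    10.0.0.5:8013    10.0.0.77:51544  ESTABLISHED
LISTEN 0 128 0.0.0.0:40001 0.0.0.0:*
"""
if __name__ == "__main__":
    print(audit(SAMPLE, ["telemetry", "download", "https", "fortios", "scep"]))
```

In the sample, port 8015 is reported as missing because it is bound to loopback only, so FortiOS could not reach it, and any port under "undocumented" is a listener the tables do not account for and should be reviewed.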
