Administration Guide

Configuring FortiClient EMS Connector for ZTNA

The FortiClient Endpoint Management Server (EMS) connector establishes device identity through client certificates and shares device trust context between FortiClient, FortiClient EMS and FortiWeb as part of Zero Trust Network Access (ZTNA).

You register your FortiWeb device as a Fabric Device through the FortiClient EMS connector. When you create the connector, FortiWeb sends a request to the FortiClient EMS server to obtain the EMS CA certificate and to register itself. In FortiClient EMS, you then authorize the FortiWeb as a Fabric Device. Once authorized, the connector shows the status Connected, indicating that the device is registered. After FortiWeb connects to FortiClient EMS, it automatically synchronizes ZTNA tags, the EMS CA certificate, and FortiClient endpoint information.

ZTNA tags are generated from tagging rules configured on FortiClient EMS. These rules are based on posture checks applied to the endpoints, so a tag expresses the device trust context that a ZTNA Profile can enforce.

In FortiClient EMS, do not use special characters such as ", ', or \ in ZTNA tag names. Tags whose names contain these characters may cause unexpected behavior when they are referenced in a ZTNA Profile or written to the security logs.

You can create a maximum of three FortiClient EMS connectors.

To create and configure a FortiClient EMS connector:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. Under Core Network Security, click FortiClient EMS to display the configuration editor.
  4. Configure the following FortiClient EMS Settings:

    Setting / Description

    Name: Specify the name of this FortiClient Enterprise Management Server (EMS) connector. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.
    IP/Domain name: Specify the IPv4 address or the FQDN of the FortiClient EMS server. For example: 192.0.2.1.
    HTTPS Port: Specify the HTTPS port of the FortiClient EMS server. Range: 1-65535, default: 443.
  5. Click Save.
    The Verify EMS server certificate dialog displays the following message:
    In order for the FortiClient EMS and FortiWeb to communicate, the following certificate provided by the FortiClient EMS must be reviewed for correctness, and accepted if deemed valid.
    Do you wish to Accept the certificate as detailed below?
  6. Verify the EMS server certificate information displayed (compare the subject, issuer, and fingerprint with the certificate installed on the EMS server, obtained out of band; a certificate accepted without checking would let a spoofed EMS supply tags and endpoint data to FortiWeb), then click OK to accept the EMS server certificate.
    The Verify completed dialog displays the following message:
    This FortiWeb is not authorized on FortiClient EMS yet. Please let FortiClient EMS to authorize it.
    Note: This message appears only if the FortiWeb device has not yet been authorized as a Fabric Device in FortiClient EMS.
  7. Click OK.

The new FortiClient EMS connector is listed on the Security Fabric > Fabric Connectors page under the Core Network Security section. The connector does not become Connected until the FortiWeb has been authorized as a Fabric Device in FortiClient EMS.

To authorize the FortiWeb as a Fabric Device in FortiClient EMS:
  1. Log in to FortiClient EMS.
  2. On the FortiClient EMS landing page, the Fabric Device Authorization Requests pop-up shows the Serial Number and IP address of the FortiWeb device. Confirm that they match your appliance, then click Authorize.
  3. Alternatively, go to Administration > Fabric Devices, select the FortiWeb device, and authorize it.
To check and troubleshoot the FortiClient EMS connector connection:
  1. Go to Security Fabric > Fabric Connectors.
  2. Under the Core Network Security section, locate the FortiClient EMS connector configurations.
  3. The status icon next to each connector indicates whether FortiClient EMS has authorized the FortiWeb as a Fabric Device for that connector. Hover over the connector to see the status details. The table below lists the possible connection statuses.

    EMS Status / Description

    Connected: The FortiWeb has been successfully authorized as a Fabric Device in FortiClient EMS.

    Cert unauthorized: FortiWeb has not accepted the EMS server's CA certificate. Edit the FortiClient EMS connector configuration and restart the verification to review and accept the EMS CA certificate.

    Auth failed: The EMS server has not authorized the FortiWeb; the request was either denied or is still pending. If it is pending, the status changes to Connected once authorization succeeds on the EMS server.

    Not reachable: The EMS server could not be reached. Check the EMS server IP address and the routing configuration on FortiWeb.

    EMS server connection failed: The connection to the EMS server failed for an unidentified reason. An incorrect HTTPS port is one common cause.

    No compatible: The connection failed because the EMS server version is not compatible with FortiWeb.

    Not sent: The EMS domain name could not be resolved, so no request was sent. Check the DNS server setting, the domain name, and the routing configuration on FortiWeb.

    If the status is not Connected, edit the FortiClient EMS connector accordingly to troubleshoot the connection issue.

  4. Locate the FortiClient EMS connector, select it and click Edit, or double-click it, to open the configuration editor.
  5. Correct the configuration, then click Authorize to restart the verification and accept the EMS CA certificate.
    A new request is sent to FortiClient EMS to authorize the FortiWeb as a Fabric Device. The connector does not become Connected until the FortiWeb has been authorized in FortiClient EMS.
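The status table above maps to three network-level failures that can be reproduced from any host on the same network segment as the FortiWeb: name resolution (Not sent), TCP reachability (Not reachable), and a TLS handshake that does not complete, for example because the port is wrong (EMS server connection failed). The following script is an added example for this guide, not FortiWeb or EMS code; it performs those checks in order and, when the handshake succeeds, prints the SHA-256 fingerprint of the certificate the server presented so it can be compared with the one shown in the Verify EMS server certificate dialog. The hostnames and ports in the demo are constructed; authorization state (Auth failed versus Connected) is decided inside EMS and cannot be inferred from the network, so it is not modelled.

```python
"""Connectivity probe that mirrors the FortiClient EMS connector status table.

Added example for this guide; it is not FortiWeb or EMS code. The hostnames
and ports in the demo at the bottom are constructed for illustration.
"""
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER certificate as AA:BB:CC:...

    Same layout as `openssl x509 -noout -fingerprint -sha256`, so the value
    can be compared with a fingerprint taken on the EMS host itself.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(presented: str, expected: str) -> bool:
    """Compare two fingerprints ignoring case, colons and spaces."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(presented) == norm(expected)


def probe_ems(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Classify an EMS endpoint the way the connector status table does.

    status is one of:
      'Not sent'                     - the name does not resolve (DNS)
      'Not reachable'                - TCP connect refused or timed out (IP/routing)
      'EMS server connection failed' - TCP worked but TLS did not (e.g. wrong port)
      'Reachable'                    - TLS handshake completed; 'fingerprint' is set
    """
    # 1. Name resolution: failure here is what the connector reports as 'Not sent'.
    try:
        ip = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        return {"status": "Not sent", "detail": f"cannot resolve {host}: {exc}"}

    # 2. TCP connect: refused or timed out is 'Not reachable'.
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:  # ConnectionRefusedError and timeouts are OSError subclasses
        return {"status": "Not reachable", "detail": f"TCP {ip}:{port}: {exc}"}

    # 3. TLS handshake. Verification is disabled ONLY so the presented certificate
    #    can be retrieved and compared out of band (the EMS CA is not trusted yet).
    #    Never reuse this context for real traffic.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        raw.close()
        return {"status": "EMS server connection failed", "detail": f"TLS {ip}:{port}: {exc}"}

    return {"status": "Reachable",
            "detail": f"TLS handshake completed with {ip}:{port}",
            "fingerprint": sha256_fingerprint(der)}


def closed_loopback_port() -> int:
    """Reserve and release a loopback port so that a connect to it is refused (demo aid)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed targets: a name that cannot resolve and a closed local port.
    for host, port in (("ems.example.invalid", 443), ("127.0.0.1", closed_loopback_port())):
        result = probe_ems(host, port, timeout=2.0)
        print(f"{host}:{port} -> {result['status']} ({result['detail']})")
    # Against a real EMS: r = probe_ems("ems.corp.example", 443); then check
    # fingerprint_matches(r["fingerprint"], "<value taken on the EMS host>").
```

Run it from a host that shares the FortiWeb's DNS and routing, otherwise a Not sent or Not reachable result says nothing about the appliance. A Reachable result with a fingerprint that does not match the one shown in the Verify EMS server certificate dialog means something between FortiWeb and EMS is terminating TLS, and the certificate must not be accepted.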

FortiClient EMS for High Availability configurations

In a High Availability group, every FortiWeb unit must be registered with FortiClient EMS as an individual Fabric Device, and each unit must be authorized separately in EMS. You only need to configure the FortiClient EMS connector on the primary appliance; the configuration is synchronized to the other nodes.