FCP_FCT_AD-7.2 FortiClient EMS setup

FortiClient EMS Setup Detailed Explanation

FortiClient EMS (Endpoint Management Server) is the central management platform for endpoint security, allowing administrators to enforce security policies, monitor devices, and respond to threats effectively.

1. Installation and Initial Configuration

1.1 System Requirements

To ensure EMS operates smoothly, you need to meet specific hardware, software, and network requirements.

Hardware Requirements

• Minimum Requirements (For Small Deployments or Testing):

  • RAM: At least 8 GB (to handle small-scale operations and light workloads).
  • CPU: Quad-core processor (4 cores) for basic processing needs.
  • Storage: At least 100 GB of available disk space (sufficient for storing basic logs and configurations).

• Recommended Requirements (For Production or Larger Deployments):

  • RAM: 16 GB or more (to ensure smooth operations even under heavy workloads).
  • Storage: A solid-state drive (SSD) with 500 GB or more of storage (for faster read/write speeds and reliable performance).

Operating System Requirements

• Supported Operating Systems:
  • Windows Server 2016, 2019, or newer.
• Ensure the server has .NET Framework 4.7.2 or higher installed, as it's essential for running the EMS software.

Network Requirements

• Internet Access: Required for:
  • Downloading EMS updates and security patches.
  • Activating licenses.
  • Synchronizing with Fortinet threat intelligence services.
• Static IP Address: Assign a fixed IP address to the EMS server to ensure uninterrupted connectivity with endpoints.

1.2 Installation Process

Step 1: Download the EMS Installer

1. Visit the Fortinet website and log in with your credentials.
2. Navigate to the downloads section and search for the latest version of the FortiClient EMS installer.
3. Choose the appropriate version for your server’s operating system and download it.

Step 2: Run the Installer

1. Open the downloaded installer file with administrator privileges.
   • Right-click the file and select Run as Administrator.
2. Follow the on-screen prompts.

Step 3: Select Installation Options

1. Database Configuration:
   • You can choose:
     • The built-in database (recommended for smaller deployments).
     • An external SQL Server database (better for scalability and integration with existing systems).
2. Installation Path:
   • Specify the directory where EMS will be installed. The default is typically C:\Program Files\Fortinet\EMS.

Step 4: Accept the License Agreement

1. Carefully read the license terms.
2. Accept the agreement and proceed with the installation.

Step 5: Configure Initial Access Details

1. During the installation process, you’ll be prompted to set up:
   • Admin Username: Create a secure username for accessing the EMS management interface.
   • Admin Password: Choose a strong password (mix of uppercase, lowercase, numbers, and symbols).
2. Finish the installation process and let the server restart if required.

1.3 Post-Installation Steps

Step 1: Access the EMS Management Interface

1. Open a browser on a computer that can access the EMS server.
2. Navigate to the EMS management interface using the format:
   • https://<server_IP>:<port>
   • The default port is typically 443.

Step 2: Log In

1. Enter the admin username and password you created during the installation.
2. Click Log In to access the EMS dashboard.

Step 3: Configure Initial Settings

1. Set Up Time Zone and Localization:
   • Go to the settings menu and choose your region's time zone.
   • Select the desired language for the interface.
2. Configure Default Policies (optional at this stage):
   • Review the preloaded policies for endpoint protection, web filtering, and antivirus settings.

Step 4: Backup the Configuration

1. Navigate to the Backup and Restore section.
2. Create and save a backup of the initial configuration. This step is crucial in case the system needs to be restored later.

2. Network and Device Configuration

Once the EMS is installed and initialized, the next step is to configure its network and device-related settings.

2.1 Network Access and TLS Certificate

Secure Access via HTTPS

1. To secure communication between EMS and endpoints, you must configure a TLS (Transport Layer Security) certificate.
2. You have two options:
   • Use a self-signed certificate (sufficient for testing or internal environments).
   • Obtain a certificate from a trusted Certificate Authority (CA) for production environments.

Configure Ports

1. Default EMS Port: The EMS web interface typically uses port 443 for HTTPS.
2. Communication Ports for Endpoints:
   • These can be customized during the EMS setup to fit your network policies.

2.2 Device Groups and Hierarchy

Organizing Devices

1. By Location:
   • Group devices by their physical or network locations, such as:
     • Branch Offices: Devices at different company branches.
     • Data Centers: Critical servers or protected devices.
2. By Roles:
   • Examples:
     • Administrative: Devices used by managers or HR staff.
     • Technical: IT support devices or developer systems.
3. By Operating System:
   • Group devices based on their OS for easier policy management:
     • Windows, macOS, Android, iOS.

Creating Dynamic Groups

1. Use tags or policies to automatically assign devices to groups.
2. Dynamic groups enable:
   • Real-time assignment.
   • Easier management of devices that frequently change roles or locations.

2.3 License Activation

Activate Your EMS License

1. Log in to your Fortinet account and retrieve your EMS license key.
2. Navigate to the Licensing section in the EMS dashboard.
3. Enter the license key to activate all features.

Assign Licenses to Endpoints

1. Allocate licenses based on the endpoint usage:
   • Full Protection: Antivirus, web filtering, and application control.
   • VPN Only: Devices requiring secure remote access.

3. Feature Configuration

EMS includes various features that can be customized to enhance endpoint protection, enforce security policies, and streamline management.

3.1 Dashboard Customization

The EMS dashboard provides an overview of your managed endpoints and system health.

Setting Up Widgets

1. Log in to the EMS management interface and navigate to the dashboard.
2. Add or customize widgets to monitor:
   • Device Health:
     • Displays the overall status of endpoints (e.g., compliant, non-compliant, or disconnected).
   • Policy Compliance:
     • Highlights devices adhering to or violating security policies.
   • Threat Detections:
     • Lists threats detected across endpoints, including malware, vulnerabilities, and exploits.

Customizing Views

1. Use filters to display data relevant to specific devices or groups:
   • Example: Show only devices in a particular branch office or with a specific role.
2. Save custom views for quick access to frequently monitored metrics.

3.2 Policy Configuration

Policies define how endpoints are protected and managed. EMS includes default templates and allows you to create custom policies.

Using Default Templates

1. Predefined policies in EMS cover common use cases, such as:
   • Endpoint Protection: Antivirus, firewall, and vulnerability scanning.
   • Remote Work: Configurations for VPN access and secure file sharing.
   • BYOD (Bring Your Own Device): Lightweight security policies for personal devices.

Customizing Policies

1. Create New Policies:
   • Navigate to the Policy Configuration section.
   • Select "Create Policy" and specify a name and description.
2. Add Specific Configurations:
   • Antivirus: Define scan schedules, quarantine actions, and exclusions.
   • VPN: Configure secure connections for remote employees.
   • Application Control: Restrict or allow specific applications.
   • Web Filtering: Block or allow categories of websites (e.g., social media, gambling).
3. Save and Apply Policies:
   • Assign policies to specific device groups or tags.

Policy Enforcement Options

1. Block non-compliant devices from accessing the network.
2. Send alerts to administrators for manual remediation.

3.3 LDAP Integration

Integrating EMS with an LDAP server (e.g., Active Directory) simplifies device and user management.

Steps to Configure LDAP Integration

1. Set Up the LDAP Connection:
   • Go to the Settings menu in EMS.
   • Select LDAP/AD Integration and click "Add Server."
   • Enter the server details:
     • Server Address: IP address or hostname of the LDAP server.
     • Port: Default is 389 for non-encrypted or 636 for SSL/TLS.
     • Base DN: The starting point in the directory tree (e.g., dc=company,dc=com).
     • Bind Credentials: Username and password with permissions to query the directory.
2. Test the Connection:
   • Use the "Test Connection" button to verify the setup.
   • Troubleshoot any errors related to network access or credentials.
3. Synchronize User Groups:
   • Import user groups and organizational units (OUs) from LDAP.
   • Assign policies dynamically based on group membership.

Benefits of LDAP Integration

1. Automatically apply policies to new users or devices based on their group or role.
2. Simplify the management of large user bases.

4. Monitoring and Maintenance

Regular monitoring and maintenance ensure EMS operates efficiently and remains secure against emerging threats.

4.1 Logging and Reporting

Logs and reports provide visibility into system activity, device status, and security events.

Enabling Detailed Logs

1. Go to the System Settings in EMS.
2. Enable detailed logs for:
   • Administrative Changes:
     • Tracks who made changes to the EMS configuration.
   • Device Events:
     • Records endpoint activity, such as new connections or policy violations.

Setting Up Automated Reports

1. Navigate to the Reports section in EMS.
2. Schedule recurring reports for:
   • Daily/Weekly Endpoint Compliance Summaries:
     • Displays the compliance status of all devices.
   • Threat Detection Reports:
     • Highlights malware detected, vulnerabilities found, and actions taken.
3. Export reports in formats such as PDF or CSV for sharing with stakeholders.

4.2 EMS Updates

Keeping EMS updated is critical for accessing the latest features and security fixes.

Scheduling Updates

1. Check for updates in the System Maintenance section.
2. Configure EMS to automatically download and apply updates during non-business hours.

Backup Before Updates

1. Create a backup of the current EMS configuration:
   • Go to Backup and Restore in the settings menu.
   • Save the backup file to a secure location.
2. This ensures you can quickly revert to a stable version if the update encounters issues.

4.3 System Performance Optimization

Regular Maintenance Tasks

1. Clear Old Logs:
   • Set retention policies to automatically delete logs older than a specific time frame.
   • Reduces storage usage and improves performance.
2. Monitor Resource Usage:
   • Use the EMS dashboard to track CPU, RAM, and disk utilization.
   • Upgrade hardware if resource usage consistently exceeds 80%.

Enhancing Endpoint Connectivity

1. Ensure endpoints have reliable network access to EMS.
2. Use load balancers or redundant EMS servers for high-availability setups.

FortiClient EMS Setup (Additional Content)

In this section, we will go through a detailed explanation of FortiClient Endpoint Management Server (EMS) Setup, focusing on its architecture, installation, and initial configuration.

1.1 FortiClient EMS Architecture

What is FortiClient EMS?

FortiClient EMS (Endpoint Management Server) is a centralized system designed to manage and secure endpoint devices (computers, mobile devices, and servers). It works with FortiClient agents, which are installed on endpoint devices, to enforce security policies, check compliance, and manage security incidents.

Imagine you are an IT administrator managing thousands of computers across different offices. You need a system to:

• Ensure all devices follow security policies
• Update security rules automatically
• Detect security threats and respond quickly
• Control remote devices efficiently

FortiClient EMS is the solution that helps you manage all these tasks from a single console.

Core Components of FortiClient EMS

Understanding the core components of FortiClient EMS is crucial because each part plays a specific role in securing and managing endpoint devices. Let’s go through them one by one.

1. FortiClient Agent

• The FortiClient Agent is a software installed on endpoint devices (laptops, desktops, servers).
• It communicates with EMS and follows the security policies assigned by EMS.
• The agent ensures compliance by checking for security updates, antivirus scans, and vulnerability management.
• If a device does not meet security requirements, EMS can block network access or take other actions.

2. FortiClient EMS Server

• The EMS Server is the centralized management system that controls all the FortiClient Agents.
• It allows administrators to:
  • Create and enforce security policies (e.g., antivirus protection, web filtering).
  • Monitor endpoint security status (e.g., which devices are vulnerable).
  • Respond to security incidents (e.g., isolate infected devices).
• The EMS server provides a web-based dashboard where admins can configure settings.

3. Database

• The database stores:
  • Configuration settings (security policies, admin preferences).
  • Device information (which devices are connected, their compliance status).
  • Logs and reports (security incidents, user actions).
• The database can be built-in (SQL Express) or an external Microsoft SQL Server.

4. Fortinet Security Fabric Integration

• FortiClient EMS does not work alone—it integrates with Fortinet Security Fabric, which includes:
  • FortiGate (Firewall) – Ensures that only compliant endpoints can access the network.
  • FortiAnalyzer – Collects logs from EMS and provides security insights.
  • FortiSIEM – Monitors security threats across the entire organization.

How Do These Components Work Together?

Now that you know the components, let’s look at how they communicate in a real-world scenario.

Communication Flow Between Components

1. Endpoint Registration

• When a new device installs FortiClient, it registers itself with the EMS server.
• The EMS server records the device details in its database.

2. Policy Deployment

• The EMS server pushes security policies to FortiClient agents.
• For example, if a company requires all devices to have antivirus enabled, EMS will enforce that.

3. Log Collection

• FortiClient agents send security logs (threat detections, compliance reports) to EMS.
• EMS stores these logs in the database for analysis.

4. Threat Response

• If a security threat is detected (e.g., malware infection), EMS can:
  • Notify administrators through logs.
  • Automatically isolate the device (block network access).
  • Send logs to FortiAnalyzer for detailed analysis.

1.2 FortiClient EMS Installation

Now that we understand the architecture, let’s move on to how to install FortiClient EMS.

Pre-Installation Checklist

Before installing EMS, ensure that your server meets the following requirements:

System Requirements

Component	Minimum Requirement	Recommended
Operating System	Windows Server 2016/2019/2022	Windows Server 2022
RAM	8GB	16GB or higher
Disk Space	100GB	200GB or higher
CPU	Intel Xeon or equivalent	Multi-core processor
Network Ports	8013 (Web UI), 10443 (Client Communication), 1433 (Database)	-

Installation Steps

Step 1: Download EMS Installer

• Go to Fortinet’s official website and download the latest version of FortiClient EMS.
• Choose the correct version based on your operating system.

Step 2: Run the Setup Wizard

• Start the installation by launching the EMS setup file.
• Choose whether to use:
  • Built-in SQL Express (default option for small environments).
  • External SQL Server (recommended for large-scale deployments).

Step 3: Configure Administrator Credentials

• Set up the admin username and password for the EMS console.

Step 4: Complete Installation

• Once the setup is complete, the system will automatically start EMS services.

Step 5: Launch the EMS Web Console

• Open a web browser and access https://:8013.
• Log in using the admin credentials created earlier.

1.3 FortiClient EMS Initial Configuration

After installing EMS, you need to configure it to manage endpoint devices effectively.

Step 1: Create Domains

• FortiClient EMS supports multiple domains to organize endpoint devices.
• You can create domains for different departments, locations, or security levels.

Step 2: Configure User Access

• Define user roles to control who can manage EMS.
  • Super Administrator – Full access to all EMS features.
  • Help Desk Admin – Limited access (only monitoring and troubleshooting).
  • Read-Only User – Can view information but cannot make changes.

Step 3: Configure Endpoint Registration

• Enable automatic endpoint discovery so new devices can register with EMS.
• Define endpoint groups based on:
  • Device type (Windows, macOS, Linux).
  • Location (HQ, remote office).
  • Security level (High-risk, Low-risk).

Step 4: Enable Remote Management

• Allow endpoints to connect to EMS from different networks.
• Integrate EMS with FortiGate Firewall to:
  • Enforce endpoint compliance (only allow secure devices to access the network).
  • Block compromised devices from connecting.

1.4 Advanced EMS Deployment Considerations

While a standard FortiClient EMS installation is enough for small to medium-sized networks, larger enterprises require a more scalable and redundant architecture.

1.4.1 High Availability (HA) Deployment

For businesses that need continuous endpoint management, FortiClient EMS can be set up in an HA (High Availability) configuration to avoid service disruptions.

Types of EMS HA Configurations

• Active-Passive: One EMS server is active, while the other remains in standby mode. If the active EMS fails, the standby takes over.
• Active-Active (Load Balancing): Multiple EMS servers handle traffic concurrently, distributing the load.

HA Setup Considerations

• Shared Database: Both EMS servers must connect to the same external SQL Server database.
• Automatic Failover: The EMS failover mechanism detects failures and automatically switches to the backup EMS server.
• Network Load Balancer: A load balancer (FortiADC, for example) can distribute endpoint connections among multiple EMS servers.

1.4.2 Using External Databases for Scalability

By default, EMS uses SQL Express, which is suitable for small environments. However, large-scale deployments should use a dedicated Microsoft SQL Server.

Advantages of Using External SQL Server

• Better Performance: Handles more concurrent endpoint connections.
• Larger Database Storage: No 10GB database limit (SQL Express has this restriction).
• Backup and Disaster Recovery: Easier to manage scheduled backups and data redundancy.

Best Practices for External SQL Integration

• Install SQL Server 2019 or newer for optimal performance.
• Use separate disks for logs and database files to prevent I/O bottlenecks.
• Enable database mirroring or Always On Availability Groups (AG) for high availability.

1.4.3 FortiClient EMS Multi-Tenancy

Large enterprises or managed service providers (MSPs) may need to manage multiple customer networks or separate business units using a single EMS instance.

EMS Multi-Tenancy Features

• Domains: Allows admins to separate devices by business units, customers, or locations.
• Role-Based Access Control (RBAC): Administrators can manage specific domains without accessing others.
• Policy Segmentation: Each domain can have custom security policies, compliance rules, and reporting settings.

Use Case Example

A managed security provider can use one FortiClient EMS instance to manage multiple customer networks, ensuring isolation and policy customization for each.

1.5 Advanced Security Configuration

FortiClient EMS enhances endpoint security, but proper configuration is crucial to prevent misconfigurations or security gaps. Below are some advanced security practices.

1.5.1 Secure EMS Administration

Since EMS is a critical security component, administrator access must be tightly controlled.

Security Best Practices

• Use Multi-Factor Authentication (MFA): Requires an additional verification step when logging into EMS.
• Enable Role-Based Access Control (RBAC): Ensure that users only have the permissions necessary for their role.
• Restrict Public Access: EMS should only be accessible from trusted networks.
• Audit Administrator Activity: Enable logging of all admin actions for security reviews.

1.5.2 Endpoint Compliance Enforcement

EMS can enforce security policies to ensure endpoints meet company security requirements.

Compliance Enforcement Features

• Security Posture Score: EMS evaluates each endpoint's compliance level.
• Automatic Remediation: If a device is non-compliant, EMS can:
  • Force antivirus updates.
  • Block access to corporate networks.
  • Require full disk encryption before allowing network access.

Example Compliance Policy

Security Requirement	Action if Non-Compliant
Antivirus must be up-to-date	Force update
Firewall must be enabled	Enable automatically
VPN required for remote work	Block access until VPN is active

1.5.3 Integrating EMS with FortiGate for Network Access Control

One of the most powerful features of FortiClient EMS is its ability to integrate with FortiGate firewalls.

Key Benefits of EMS-FortiGate Integration

• Automated Endpoint Isolation: If a device is compromised, FortiGate can automatically block network access.
• Security Fabric Enforcement: FortiGate can enforce ZTNA (Zero Trust Network Access) rules for endpoints.
• Granular Access Control: Users with high-risk endpoints can be restricted from accessing sensitive systems.

How to Integrate EMS with FortiGate

1. Enable Endpoint Control on FortiGate.
2. Configure EMS Connection in FortiGate.
3. Define Compliance Policies (e.g., devices must have antivirus enabled).
4. Monitor Endpoint Security Status in FortiGate Security Fabric Dashboard.

1.6 EMS Performance Optimization

For large deployments, it’s important to optimize EMS performance to handle thousands of endpoints efficiently.

1.6.1 Optimizing EMS Server Performance

• Increase CPU & RAM Resources: Add more resources if EMS is managing 5,000+ endpoints.
• Use SSDs for Storage: Improves database and log processing speed.
• Limit Log Retention Period: Reduces database storage overhead.
• Distribute Load Across Multiple EMS Instances: Use Active-Active deployment for scalability.

1.6.2 Optimizing Network Traffic

Since EMS communicates frequently with endpoints, optimizing network traffic ensures smooth operation.

• Use FortiClient Cloud Proxy: Reduces bandwidth usage by offloading updates to the cloud.
• Adjust Policy Sync Intervals: Set longer sync intervals for non-critical policy updates.
• Enable Log Compression: Reduces the size of transmitted log data.