Technical Tip: FortiClient EMS Migration
Description
This article describes the steps necessary to migrate a FortiClient EMS Server to a new server based on 3 scenarios.
Scope
FortiClient EMS.
Solution
- A new FortiClient EMS will have the same IP address as the existing FortiClient EMS.
- A new FortiClient EMS will have a different IP address than the existing FortiClient EMS:
- Using an IP address for registration.
- Using FQDN for registration.
- The current FortiClient EMS is not accessible:
- Using an IP address for registration.
- Using FQDN for registration.
Same IP address:
- Create a backup of the FortiClient EMS database. This will create a .ENC file which can only be restored to a FortiClient EMS of the same version. For example: a backup from a v1.2.5 FortiClient EMS can only be restored to another v1.2.5 FortiClient EMS.
- Install the same version of FortiClient EMS on a new server and apply the license. See 'Licensing FortiClient EMS' in the FortiClient EMS admin guide.
Note: It will be necessary to call customer service (1-866-648-4638) to have the license file updated to reflect the new Hardware ID of the server. The hardware ID can be found under Administration -> Upgrade License. When logged into the support site, it will be necessary to log out and back in after the license is updated. - Restore the database backup.
- Cut over so the old FortiClient EMS is no longer reachable, and the new one is.
- Clients will register to the new FortiClient EMS transparently.
Different IP address:
Using an IP address for FortiClient registration:
- The existing FortiClient EMS is on IP x.x.x.x.
- Create a backup of the FortiClient EMS database. This will create a .ENC file which can only be restored to a FortiClient EMS of the same version. Meaning, a backup from a v1.2.5 FortiClient EMS can only be restored to another v1.2.5 FortiClient EMS.
- Install the same version of FortiClient EMS on a new server with IP address y.y.y.y and apply the license. See 'Licensing FortiClient EMS' in the FortiClient EMS admin guide.
Note: It is necessary to call customer service (1-866-648-4638) to have a license file updated to reflect the new Hardware ID of the server. The hardware ID can be found under Administration -> Upgrade License. When logged into the support site, it is necessary to log out and back in after the license is updated. - Restore the database backup.
- Update the 'Listen on IP' and FortiClient download URL settings.
- Create a Gateway List on the old server with y.y.y.y specified in 'IP addresses/Hostnames'.
- Apply this gateway list to any endpoints intended for migration.
Using FQDN for FortiClient registration:
Note: To use FQDN for FortiClient connections, please review 'Configuring Server settings' section of the FortiClient EMS admin guide.
- The Existing FortiClient EMS is on IP address x.x.x.x, using FQDN 'EMS.domain.com'.
- Create a backup of the FortiClient EMS database. This will create a .ENC file which can only be restored to a FortiClient EMS of the same version. For example: a backup from a v1.2.5 FortiClient EMS can only be restored to another v1.2.5 FortiClient EMS.
- Install the same version of FortiClient EMS on a new server with IP address y.y.y.y and apply the license. See 'Licensing FortiClient EMS' in the FortiClient EMS admin guide.
Note: It will be necessary to call customer service (1-866-648-4638) to have the license file updated to reflect the new Hardware ID of the server. The hardware ID can be found under Administration -> Upgrade License. When logged into the support site, it will be necessary to log out and back in after the license is updated. - Restore the database backup.
- Update the 'Listen on IP' and FortiClient download URL settings.
- Update the DNS record so EMS.domain.com now resolves to y.y.y.y.
The current FortiClient EMS is not accessible:
In some cases, FortiClient EMS will no longer be accessible. For example, in cases where the password is lost or the server has crashed and is not recoverable.
Using an IP address for FortiClient registration:
- The existing FortiClient EMS is on IP address x.x.x.x.
- Install FortiClient EMS on IP address y.y.y.y and apply the license. See 'Licensing FortiClient EMS' in the FortiClient EMS admin guide.
Note: It will be necessary to call customer service (1-866-648-4638) to have the license file updated to reflect the new Hardware ID of the server. The hardware ID can be found under Administration -> Upgrade License. When logged into the support site, it will be necessary to log out and back in after the license is updated. - Create any profiles to assign to endpoints after migrating.
- Import the domain (if applicable) and assign profiles to groups/OUs as appropriate.
- Redirect the registration/keep-alive traffic to the new IP address. If the endpoint traffic uses a FortiGate to route to the FortiClient EMS, use a VIP as follows:
- Create a Gateway List which has the FortiClient EMS' IP address specified in 'IP addresses/Hostnames'.
- When the endpoints sync this Gateway List, they will begin to communicate directly with y.y.y.y. The VIP can be deleted at this stage.
Using an IP address for FortiClient registration:
Note: To use FQDN for FortiClient connections, see the 'Configuring EMS settings' section of the FortiClient EMS admin guide
- The Existing FortiClient EMS is on the IP x.x.x.x.
- Install FortiClient EMS on IP address y.y.y.y and apply the license. See 'Licensing FortiClient EMS' in the FortiClient EMS admin guide.
Note: It will be necessary to call customer service (1-866-648-4638) to have the license file updated to reflect the new Hardware ID of the server. The hardware ID can be found under Administration -> Upgrade License. When logged into the support site, it will be necessary to log out and back in after the license is updated. - Create any profiles to have assigned to endpoints after migrating.
- Import a domain (if applicable) and assign profiles as appropriate.
- Update the DNS record so it now resolves to y.y.y.y.
Notes:
Fortinet Migration process for Linux or after VM changing the server location:
Related article: