bfig90
Explorer
October 29, 2024
Solved

Connect FortiClient EMS to FortiGate

  • October 29, 2024
  • 3 replies
  • 3123 views

Dear all,

I'm following the guide in order to set up FortiClient EMS for the first time with my existing architecture (FortiGate + FortiAuth).

The docs (https://docs.fortinet.com/document/fortigate/7.2.5/ztna-deployment/374384/connect-the-fortigate-to-ems) say that:

1- I need to generate a cert. But I already have EMS Server Certificates (FortiCare). Do I need to generate one again using a third party such as GoDaddy, since I do not have a CA? Or are these the default ones?

2- How can I publish the FortiEMS in the DMZ?

Thank you in advance

#FortiClientEMS

 

Best answer by AEK

It seems there is no such feature on the GUI.

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Request-an-SSL-digital-certificate-from-a-public/ta-p/328968

So either do it via CLI or upload certificate + private key.

3 replies

AEK
SuperUser
October 29, 2024

Hello

Don't worry about the certificate; connect them as is and they will use the Fortinet embedded certificate, and it will work fine.

Regarding how to publish EMS, you need to create 2 VIP objects, one for HTTPS 10443 and one for telemetry 8013, then create 2 firewall rules to authorize the related traffic from outside for the mentioned ports.

In case you are not used to creating VIPs, here is how to proceed:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configuration/ta-p/198143

 

AEK
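
The two VIPs and two firewall rules described in the reply above, sketched as FortiOS CLI. This is an added example, not part of the original post or Fortinet's documentation; the interface names (`wan1`, `dmz`), the public IP `203.0.113.10`, the EMS address `10.10.10.5` and all object names are assumed placeholders.

```fortios
# Added example. Constructed values: wan1/dmz interfaces, 203.0.113.10 (public IP),
# 10.10.10.5 (EMS server in the DMZ), and every object name below.
config firewall vip
    edit "VIP-EMS-HTTPS"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.5"
        set portforward enable
        set extport 10443
        set mappedport 10443
    next
    edit "VIP-EMS-Telemetry"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.5"
        set portforward enable
        set extport 8013
        set mappedport 8013
    next
end
config firewall service custom
    edit "EMS-HTTPS-10443"
        set tcp-portrange 10443
    next
    edit "EMS-Telemetry-8013"
        set tcp-portrange 8013
    next
end
config firewall policy
    edit 0
        set name "WAN-to-EMS-HTTPS"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-EMS-HTTPS"
        set action accept
        set schedule "always"
        set service "EMS-HTTPS-10443"
    next
    edit 0
        set name "WAN-to-EMS-Telemetry"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-EMS-Telemetry"
        set action accept
        set schedule "always"
        set service "EMS-Telemetry-8013"
    next
end
```

Because each policy uses a port-forwarding VIP as its destination and a single-port custom service, only TCP 10443 and TCP 8013 are forwarded to the EMS server.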
bfig90
Author
Explorer
October 30, 2024

So, I would not need to import the root CA of FortiEMS to FortiGate? What about user endpoints? Do I need some kind of cert for them also? Thank you

AEK
SuperUser
October 30, 2024

You need to upload a certificate signed by your certificate authority (trusted by your clients) to EMS, and set it as the certificate for the web server and endpoint control (EMS Settings).

AEK
bfig90
Author
Explorer
October 31, 2024

Can I use a certificate from a third party such as GoDaddy, etc.? If yes, what type of cert should I use?

AEK
SuperUser
October 31, 2024

Yes, you can use a public certificate.

It can be a DV single domain name or wildcard.

AEK