FortiClient EMS and FortiGate cannot connect on Azure.
Hi,
I would like to create a VPN GW and EMS Server in Cloud.
For preliminary testing, I built it on Azure.
- FortiGate NGAV on Azure (from the marketplace, PAYG license), firmware 7.0.1
- Windows Server 2019 DC with the EMS server installed on Azure (ver. 7.0.1)
- Each VM has its WAN and LAN access ports ready.
- The FortiGate and the Windows server are connected on the LAN (L2 connection).
The FortiGate can communicate with the EMS server using ping. That's OK.
But the FortiGate cannot connect to and authorize with the EMS server. The EMS server's CA was imported to the FortiGate according to the manual. After that, the EMS status does not change from the "Certificate not authorized" error:
Failed to verify the certificate for server "WINEMS".
Server certificate or configured certificate is not recognized.
The "fctems" command result is as follows.
FGT-A # execute fctems verify WINEMS
Issue in fetching the capabilities: Error (-1@ec_ems_get_capabilities:340).
Command fail. Return code -333
I tried capturing packets on the EMS server; the FortiGate appears to attempt an HTTPS connection from the FortiGate to the EMS server.
I also have an on-premise FortiGate, so I tried connecting it to the EMS server in the cloud and it worked. So the EMS server itself has no problem.
After a few days of worrying, I watched the video below.
https://www.youtube.com/watch?v=ud08X_rbrh4
He said the FortiGate cannot import the CA when the license status is "invalid activate". My FortiGate on Azure is activated with the PAYG license and can import the EMS's CA. I thought maybe it was restricted by the license.
Could it be that the PAYG license does not support EMS connection?
Do I need a BYOL license to connect to an EMS server with a FortiGate in Azure?
Thanks,
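The "Failed to verify the certificate for server" message above is a chain-validation failure, and one thing worth separating from the license question is whether the CA imported on the firewall is actually the one that issued the EMS server certificate. The script below is an added example (not from the original post and not Fortinet tooling): it builds a throwaway CA and server certificate in a temporary directory, plus an unrelated CA, and runs the same kind of chain check with `openssl verify` so the "right CA" and "wrong CA imported" outcomes can be seen side by side. All names in it (`TEST-EMS-CA`, `winems.example.test`, `UNRELATED-CA`) are made up for the test; to apply it to a real deployment you would point `verify_chain` at the CA file you imported and the certificate the EMS server presents.

```shell
#!/bin/sh
# Added example: reproduce a certificate chain check offline.
# Everything here is constructed in a temp dir; nothing touches a real EMS.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA standing in for the EMS CA (constructed, hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=TEST-EMS-CA" -days 1 >/dev/null 2>&1

# Server key + CSR for a hypothetical EMS host, then sign it with that CA.
openssl req -newkey rsa:2048 -nodes -keyout ems.key -out ems.csr \
  -subj "/CN=winems.example.test" >/dev/null 2>&1
openssl x509 -req -in ems.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out ems.crt -days 1 >/dev/null 2>&1

# An unrelated self-signed CA, standing in for "the wrong CA was imported".
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=UNRELATED-CA" -days 1 >/dev/null 2>&1

# verify_chain CAFILE CERT : prints "ok" if CERT chains to CAFILE, else "fail".
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# issuer_of CERT : prints the issuer DN, useful to compare against the CA subject.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Stand-alone run: show both outcomes and the issuer that must match the CA.
echo "issuer of ems.crt: $(issuer_of ems.crt)"
echo "verify with correct CA:   $(verify_chain ca.crt ems.crt)"
echo "verify with unrelated CA: $(verify_chain other.crt ems.crt)"
```

If the real EMS certificate fails against the CA you imported but the issuer line names a different CA (for example an intermediate), the fix is on the certificate side, not the license side; if it verifies cleanly, the chain is not the cause of the error.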
