Flamby_01
Explorer
February 7, 2026
Question

FortiClient EMS geo-redundant design


Hi,

I'm officially losing after days of research and studies. The guide doesn't seem clear to me (or maybe I'm stupid enough to not get it).

I'm designing 2 DCs following Fortinet's recommended design. The 1st has 2 EMS nodes, 2 DBs and 1 witness. The other DC has 1 DB and 1 witness.

What I learned so far: I need some kind of load balancers at the outside level (for requests coming from the outside) pointing to 2 different VIPs (DC1 and DC2). The VIP of DC1 also points to both EMS servers there; DC2 has only a single node, but I'll use a VIP there as well for design purposes.

On the inside, each FortiGate (of each DC) has a VIP that includes its respective EMS nodes (LAN side).
For local DNS, I'll need a load balancer here as well, so I can track the active EMS across both DCs (single FQDN, 2 IPs = 2 VIPs defined in the FortiGates; the 1st VIP has both EMS nodes of DC1, and the VIP of DC2 has the EMS IP of DC2).
Is this understanding correct? Do I still need the custom hostname, though? (I don't see how to use it in this design.)

I hope to get reactions. Thanks to everyone.

3 replies

Jean-Philippe_P
Staff & Editor
February 10, 2026

Hello Flamby_01,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Jean-Philippe - Fortinet Community Team
Flamby_01
Author
Explorer
February 17, 2026

Hi sir,

Is there any update, please? I really need to understand the design so I can go forward and give the appropriate solution.

Thank you very much in advance.

Stephen_G
Moderator
February 17, 2026

Hi Flamby,

I'm sorry this has taken so long. I'm following up with more people today to see if we can get you an answer. I should have some tips for you later if nothing else.

Stephen_G - Fortinet Community Team
Stephen_G
Moderator
February 12, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Regards,
Stephen_G - Fortinet Community Team
Stephen_G
Moderator
February 17, 2026

Hi again Flamby_01,

So as far as I have heard: you're on the right lines!

You will need a load balancer to manage DNS requests. This load balancer will help track the active EMS across both DCs. You can use a single FQDN that resolves to two IPs (the VIPs of DC1 and DC2). This setup allows for failover and load balancing between the two data centers.

The custom hostname is typically used to define a virtual IP address (VIP) that is configured in the FortiGate load balancer as the VIP for EMS. In your design, if you are using VIPs for both external and internal traffic, the custom hostname might not be necessary unless you have specific requirements for it.

Additionally:

  • Ensure that the witness node is correctly configured to monitor the EMS nodes and facilitate failover.
  • Make sure the database nodes are set up for HA and are synchronized across the data centers.

Otherwise, I believe your design is robust.

Please let me know if this helps.

Stephen_G - Fortinet Community Team
Flamby_01
Author
Explorer
February 20, 2026

Thank you for your reply,

If you don't mind, a last question: can EMS, in this design, be deployed inside of a Docker container, as this was mentioned only in the standalone design? However, PostgreSQL could be Dockerized, as stated explicitly in the HA guide. I just want to make sure that I can use different EMS nodes, each in its own VM/Docker container.

Stephen_G
Moderator
February 20, 2026

Hi again Flamby_01,

I received the following answer:

Certainly! In your design, you can deploy EMS inside Docker containers. The context provided indicates that EMS can be deployed using Docker Compose, which allows you to run EMS in a containerized environment. This setup is not limited to standalone designs; it can also be applied in high availability (HA) configurations.

Stephen_G - Fortinet Community Team