FortiClient upgrade best practices – EMS closed to internet vs ManageEngine deployment issues
Hello everyone,
We are managing around 500-600 FortiClient endpoints and need to upgrade clients quickly whenever vulnerabilities are announced.
Current setup:
- FortiClient EMS (on-prem)
- Due to security concerns, our Infosec team keeps EMS completely closed to the internet
- Because of this, we are forced to perform FortiClient upgrades using ManageEngine Endpoint Central
From the infrastructure side, there is no clear technical explanation of why EMS must remain closed, but we have to follow this decision.
Issues with ManageEngine upgrades:
- Deployments often fail or stop midway
- Installer crashes during upgrade
- Upgrade completes, but:
  - FortiClient opens with a blank or white screen
  - Application does not start
  - Users are asked for an admin password
  - VPN stops working
Endpoints are EMS-connected and we perform in-place upgrades, yet problems persist.
Questions:
- How do large enterprise environments usually handle FortiClient upgrades?
- Is it common to keep EMS securely internet-facing for telemetry and upgrades?
- Are these kinds of issues with third-party tools (ManageEngine, SCCM, etc.) known?
- If EMS must stay closed, how do you ensure a stable upgrade process?
We would appreciate hearing how others are handling this in real-world environments.
Thank you.
