KevinYYC
Visitor III
August 1, 2025
Solved

How do I associate an Endpoint Policy with a group of users?


I am using forticlient.forticloud.com/ems Version 7.4.3 build1926. I have deployed FortiClient 7.4.3.1790 to my endpoints.

 

I haven't found a way to access my on-site DC.


4 replies

KevinYYC (Author)
Visitor III
August 1, 2025

After rereading my OP I can see there may be different ways to interpret my question.

 

My DC and endpoints are both on the LAN. The endpoints have access to the DC.

 

FortiClient EMS Cloud needs access to my DC. This is what I am trying to accomplish.

sharmar
Staff & Editor
August 1, 2025

Hello @KevinYYC 

 

You can sync your local AD with the EMS, so that you can apply the dynamic policy from the EMS based on security group, OU, username etc. In the EMS Cloud case, syncing the domain through the AD connector would be the best approach.

Please read this for more details: https://docs.fortinet.com/document/forticlient/7.4.3/ems-administration-guide/787816/ad-connector

 

Thanks

KevinYYC (Author)
Visitor III
August 1, 2025

I am using FortiClient EMS Cloud.

sharmar (Answer)
Staff & Editor
August 1, 2025

Hello @KevinYYC 

 

Then you can sync the local AD with EMS, using the AD connector as a proxy to your domain.

 

Thanks

KevinYYC (Author)
Visitor III
August 1, 2025

Hello @sharmar 

 

Thank you for your response.

 

This is a new deployment for a small business. There are only about 40 endpoints.

 

I went with the FortiClient EMS Cloud solution so I could avoid the cost and maintenance of additional VMs. The AD connector was not part of the deployment plan.

 

Initially I was given to believe that FortiClient EMS Cloud could be configured to access a local AD, but was then told that that capability had been removed.

 

Given the few endpoints and even fewer users it will be difficult to justify the deployment of an AD connector.

Given that, at this time, I only need three users in a group, is there any other way (manual?) to do this?

funkylicious
SuperUser
August 2, 2025

You could try and do a port forward for LDAP on the on-prem FGT to AD, but this would expose the AD to Internet traffic unless you know the source IP of the EMS Cloud instance.

I haven't had the chance to work with the cloud version of it, but if it allows you to define an IP/port it should do it.

"jack of all trades, master of none"
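As an added example (not part of the original thread, and not taken from Fortinet's documentation), this is the shape of the FortiGate configuration the suggestion above implies: a port-forwarding VIP on the WAN interface mapped to the domain controller, plus a single policy that only accepts traffic from the address EMS Cloud connects from. The WAN address, DC address, interface names and the EMS source address are placeholders; the real EMS Cloud egress address(es) would have to come from Fortinet, not from this example. It forwards LDAPS (TCP 636) rather than cleartext LDAP (389) so the bind credentials and directory data are not readable in transit.

```fortios
# Added example, assumed values throughout: 198.51.100.20 = FortiGate WAN IP,
# 192.168.10.5 = on-prem domain controller, 203.0.113.10 = EMS Cloud source IP.
config firewall address
    edit "EMS-Cloud-src"
        # Placeholder: replace with the source address(es) EMS Cloud actually uses.
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall vip
    edit "VIP-LDAPS-DC01"
        # Placeholder WAN address; only TCP 636 is forwarded, nothing else on the DC.
        set extip 198.51.100.20
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 636
        set mappedip "192.168.10.5"
        set mappedport 636
    next
end

config firewall policy
    edit 0
        set name "EMS-Cloud-to-DC-LDAPS"
        set srcintf "wan1"
        set dstintf "internal"
        # The source restriction is the whole point: with "all" here the DC's
        # LDAPS service is reachable from the entire Internet.
        set srcaddr "EMS-Cloud-src"
        set dstaddr "VIP-LDAPS-DC01"
        set action accept
        set schedule "always"
        set service "LDAPS"
        set logtraffic all
    next
end
```

With `logtraffic all` every session hitting the VIP is logged, so any connection attempt from an address other than the expected EMS source (which the policy will deny) is visible in the forward-traffic log, and `diagnose sniffer packet any 'port 636' 4` on the FortiGate shows whether the cloud side is actually reaching the VIP. If the EMS Cloud source address cannot be obtained, the policy cannot be restricted, and the exposure the post above warns about is exactly what results.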
koletmo8
New Member
August 2, 2025

You can't associate an NSG directly with the Private Endpoint NIC. The best way to achieve what you want is to apply the NSG at the subnet level and then have the rule you need in the subnet level NSG referencing the specific IP for your Private Endpoint.

KevinYYC (Author)
Visitor III
August 3, 2025

@koletmo8 
Thank you for that suggestion. We are not using Azure.

While I'm happy to evaluate any suggestions provided, I suspect my only option is to do as @sharmar suggests. I will accept his solution but doubt I will be able to implement it.