bfig90
Explorer
October 29, 2024
Solved

New to FortiEMS

Dear all,

I'm new to FortiEMS. I have done a fresh installation as a VM using the trial license.

Our current architecture is: FortiGate + FortiAuthenticator.

The users are connecting to VPN (SSL-VPN) using FortiGate + FortiClient, with FortiAuthenticator as MFA.

We also want to add FortiEMS as a layer to do a posture check of the device prior to giving them permission to connect remotely to the company resources. We have users with company AD-joined laptops + BYOD devices.

I'm trying to understand:

1- Where will FortiEMS stand in the "big picture" at the architecture level? Will it replace any of the components?

2- Do I need to connect FortiEMS with FortiGate? If yes, will I have any impact, since I do not have a test env and FortiGate is directly in production?

3- Do I still need the FortiAuthenticator?

Thank you in advance

#FortiEMS

 

Best answer by AEK

AEK
SuperUser
Answer
October 29, 2024

Hello

1- You put FortiClient EMS typically in the DMZ, since it is accessible from outside (HTTPS for client download + telemetry for external clients).

As you may know, FortiClient has multiple features (VPN, AV, Vulnerability scan, ZTNA and so on), and one of the components it may replace on your clients is the anti-malware, if needed.

2- You need to connect EMS to FortiGate via fabric connector without any risk and this will have no impact on the production.

3- FortiClient EMS will not replace FortiAuthenticator, as EMS doesn't do central authentication, certificate authority, RADIUS, MFA, token management and so on. If you are using FAC then you will continue to use it as before.

Hope it helps.

AEK
bfig90
Author
Explorer
October 29, 2024

Thank you for your response. Having this in mind, the only thing I need to do is to replace the existing FortiClient on users' endpoints with the new one?

AEK
SuperUser
October 29, 2024

In case you have "FortiClient VPN" on the clients or an older "FortiClient" version then yes you will need to replace it.

AEK