FortiClient
david_pereira
Article Id 334911
Description: This article describes steps to avoid the generic deployment error message when deploying FortiClient agents through FortiClient EMS.
Scope FortiClient EMS v7.0+, v7.2+ and v7.4+.
Solution

Step-by-step instructions:

 

EMS Config:

  • Delete the current FortiClient Installer & Scheduled deployment.
  • Create a new FortiClient installer with all desired settings. Do not schedule a deployment yet.
  • Disable EMS local firewall. If EMS is sitting behind a firewall, set up firewall policies to allow SMB and RPC traffic (445 and 135).
  • EMS also needs access to the LDAP server (389 or 636 if LDAPS).
  • Enable network discovery.
  • In EMS -> System Settings -> EMS Settings, enable TLS v1.0 and v1.1 for file downloads. All other SSL services will continue to use TLS v1.2 or higher.

 

AD Config:

Configure and push the following group policy (this will prevent having to do it manually on each end-user device and configure correct Windows Firewall profiles):

Preparing the AD server for deployment

 

FortiClient/Endpoint user config:

  • If not already set in the GPO above, set the following services:
      • Remote Registry - Automatic
      • Task Scheduler - Automatic
      • Windows Installer - Manual
      • Remote Procedure Call - RPC (Locator) - Automatic

  • Enable Network discovery.
  • Disable local firewall (better for testing purposes) - or allow File and Printer Sharing (SMB-In) and Remote Scheduled Tasks Management (RPC).

 

Tests:

  • Check that EMS can access the \\<endpoint>\C$\Windows\Temp directory and create and copy a file in it. Use the hostname only, because EMS resolves endpoints by hostname only.
  • Check that EMS can access \\<endpoint>\C$ and create and copy a file in it.
  • Check that EMS can open the remote registry: run 'regedit' on the EMS server -> File -> Connect Network Registry.
  • Verify that the endpoint can open and download the packages from the FortiClient Installer URL.
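
The EMS-side checks above (ports, admin shares, remote registry, service startup types) can be run in one pass with the following script. It is an added example, not Fortinet tooling or part of the original article. It assumes Windows PowerShell 5.1 on the EMS server under the account used for deployment; PC-EXAMPLE01 and the ems-precheck file names are placeholders.

```powershell
# Added example: pre-deployment checks, run on the EMS server (Windows PowerShell 5.1).
# PC-EXAMPLE01 is a placeholder; pass the endpoint's hostname, not an IP address.
param([string]$Endpoint = 'PC-EXAMPLE01')

$results = [ordered]@{}

# SMB (445) and RPC (135) must be reachable from EMS.
foreach ($port in 445, 135) {
    $t = Test-NetConnection -ComputerName $Endpoint -Port $port -WarningAction SilentlyContinue
    $results["TCP port $port"] = $t.TcpTestSucceeded
}

# Create, copy and remove a test file on both admin-share paths from the Tests list.
foreach ($dir in ('\\{0}\C$\Windows\Temp' -f $Endpoint), ('\\{0}\C$' -f $Endpoint)) {
    $src = Join-Path $dir 'ems-precheck.tmp'        # placeholder file name
    $dst = Join-Path $dir 'ems-precheck-copy.tmp'   # placeholder file name
    try {
        Set-Content -Path $src -Value 'ems precheck' -ErrorAction Stop
        Copy-Item -Path $src -Destination $dst -ErrorAction Stop
        $results["Write/copy $dir"] = Test-Path $dst
    } catch {
        $results["Write/copy $dir"] = $false
    } finally {
        Remove-Item -Path $src, $dst -ErrorAction SilentlyContinue
    }
}

# Remote registry: the scripted equivalent of regedit's network registry connection.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Endpoint)
    $results['Remote registry'] = $null -ne $hklm.OpenSubKey('SOFTWARE')
    $hklm.Close()
} catch {
    $results['Remote registry'] = $false
}

# Service startup types listed in the endpoint section (queried over RPC).
$expected = [ordered]@{ RemoteRegistry = 'Automatic'; Schedule = 'Automatic'
                        msiserver = 'Manual'; RpcLocator = 'Automatic' }
foreach ($name in $expected.Keys) {
    $svc = Get-Service -ComputerName $Endpoint -Name $name -ErrorAction SilentlyContinue
    $results["Service $name = $($expected[$name])"] =
        ($null -ne $svc) -and ("$($svc.StartType)" -eq $expected[$name])
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The installer URL check is not covered here because it must be run from the endpoint itself.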


Once all of this is verified, create a new deployment (EMS -> Deployment & Installers -> Manage Deployments).
Verify on the endpoint panel that the deployment has been pushed to the endpoint, and wait for a couple of minutes.