avenditti
Staff
Article Id 384764
Description
This article describes how to install FortiClient EMS (version 7.2 for Microsoft Windows) on a VM using a database located on a separate VM (VMs not joined to the Windows domain), and how to configure shared folder permissions to allow FortiClient EMS to perform backups.
Scope
  • FortiClient EMS 7.2.8 installed on Windows Server
  • SQL Server installed on Windows Server
  • DNS Server (or hosts files able to resolve the hostname)

  (FortiClient EMS)
  + C:\SharedDir\Backup               (SQL Server Express)
  [  WS2019EMS VM  ]                    [  WS2019EXPDB  ]
          +                                     +
          |  10.5.62.117                        |  10.5.62.118
  +-------+-------------------------------------+----+
                     (10.5.48.0/20)

 

Note, this installation uses:

  • Microsoft SQL Server 2017 Express version
  • Windows Server 2019
  • the Windows Administrator 'EMSAdmin', defined on both the Windows VMs

The same concepts apply to other SQL Server editions, other Windows versions, and the default Windows admin 'Administrator'.

Solution

On the database VM:

 

Install SQL Server (this use case uses SQL Server listening on the custom port TCP/4444).

 

Go to SQL Server Configuration Manager, enable the Network Connection, and set all IPs (tab IP Addresses) to the desired custom TCP port (4444 in this sample).

 


Configure the SQL service to run under the local Administrator account 'EMSAdmin' (Windows Server administrator).

 


Afterwards, restart the service.

 


Run SQL Server Management Studio, use the default Windows Authentication, Trust the certificate (under Advanced Options), and select Connect.

 


Go to the top entry (db name), right-click, and select SQL Server and Windows Authentication mode.

 


Go to Security -> Login, right-click, and select New Login.

In the new window, on the General page, add a login name (fcems), select SQL Server authentication, and specify a password (Fortinet!). Deselect Enforce password policy.

 


Navigate to the Server Role page and select the following:

  • dbcreator
  • sysadmin
  • public

 


Restart the service by selecting the db name, right-clicking it, and selecting Restart.

 


Typically, the SQL Server instance service runs under the local system account. Configure the service so that it runs under a local admin account.

 


On the EMS VM:

 

Create a backup directory on the EMS server:

 

See the administration guide for instructions to create the following shared backup directory:


C:\SharedDir\Backup


The backup directory (Backup) will be a sub-directory of a shared directory (SharedDir).

 

Provide permission to the shared directory:

 

Tab Sharing:

 


Ensure the 'Everyone' group is not present. If it is, remove it.

 

Note:

  • Denying permissions (Full Control / Change / Read) to 'Everyone' means that the database will not be allowed to access the resource.
  • Granting permissions to 'Everyone' means that the database and other devices will be able to access the resource (which is not secure).
  • Removing 'Everyone' ensures that only the specified user can access the resource.

 

Tab Security:

 


Set the Local Security Policy on the EMS VM (Win+R, then secpol.msc).

 

Allow the same permissions to the Administrator (user) and Administrators (group).
Under Local Security Policy -> Local Policies -> User Rights Assignment, open 'Log on as a service' and add EMSAdmin to its Local Security Setting list.
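
The directory, Sharing tab and Security tab steps above can also be scripted and checked from PowerShell. This is an added example, not part of the original article or of Fortinet's documentation; it assumes an elevated session on WS2019EMS and that Full Control is the permission level granted to EMSAdmin and the Administrators group (the screenshots showing the exact levels are not available).

```powershell
# Added example, not from the original article. Run elevated on the EMS VM.
# Assumption: Full Control is the level granted (screenshots are unavailable).
$ErrorActionPreference = 'Stop'
$shareName = 'SharedDir'
$sharePath = 'C:\SharedDir'
$backupDir = Join-Path $sharePath 'Backup'
$grantees  = "$env:COMPUTERNAME\EMSAdmin", 'BUILTIN\Administrators'

# Create C:\SharedDir\Backup (no-op if it already exists).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Share permissions (Sharing tab): explicit grants only.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath -FullAccess $grantees | Out-Null
} else {
    foreach ($g in $grantees) {
        Grant-SmbShareAccess -Name $shareName -AccountName $g -AccessRight Full -Force | Out-Null
    }
}

# Remove every 'Everyone' entry. A Deny entry is unblocked rather than kept,
# because denying 'Everyone' also locks out the database service account.
$everyone = Get-SmbShareAccess -Name $shareName | Where-Object AccountName -eq 'Everyone'
foreach ($ace in $everyone) {
    if ($ace.AccessControlType -eq 'Deny') {
        Unblock-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force | Out-Null
    } else {
        Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force | Out-Null
    }
}

# NTFS permissions (Security tab): same grantees, inherited by Backup.
$acl = Get-Acl -Path $sharePath
foreach ($g in $grantees) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $g, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Verify: no 'Everyone' entry remains and the UNC backup path is writable.
$access = Get-SmbShareAccess -Name $shareName
if ($access.AccountName -contains 'Everyone') { throw "'Everyone' is still listed on $shareName" }
$probe = "\\$env:COMPUTERNAME\$shareName\Backup\.write-test"
Set-Content -Path $probe -Value 'ok'
Remove-Item -Path $probe
$access | Format-Table AccountName, AccessControlType, AccessRight
```

The final table should list only EMSAdmin and BUILTIN\Administrators with Allow/Full; the write probe uses the same network path format that is later passed to the installer as BackupDir.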

 

EMS CLI Installation:

 

To install EMS so that it uses a remote SQL Server instance, use the CLI to specify the correct SQL Server / instance. The following is an example of the command to use for the installation (installation under local administrator account EMSAdmin). It assumes that the installation file FortiClientEndpointManagementServer_7.2.8.1152_x64.exe is located in C:\Users\EMSAdmin\Desktop.

 

C:\Users\EMSAdmin\Desktop>.\FortiClientEndpointManagementServer_7.2.8.1152_x64.exe SQLServer=WS2019EXPDB SQLUser=fcems SQLUserPassword=Fortinet! SQLPort=4444 SQLService=SQLEXPRESS InstallSQL=0 ScriptDB=1 BackupDir=\\WS2019EMS\SharedDir\Backup

 

The command installs EMS pointing to a remote named instance with the following attributes:

  • On a computer with DNS name WS2019EXPDB.
  • Using SQL authentication (SQLUser=fcems and SQLUserPassword=Fortinet!).
  • Custom SQL service port TCP/4444.
  • No need to install SQL Server/DBMS (InstallSQL=0, it has been pre-installed).
  • Database creation (instance) is delegated to the EMS installer (ScriptDB=1).
  • Backup directory of \\WS2019EMS\SharedDir\Backup (network path format).

 

Certificates:

 

Consider using a specific webserver certificate. To prevent warning messages when connecting to EMS, the CA certificates have to be imported on the VM that runs EMS (local administration) or on the remote host that needs to access the EMS server.

 

To check that EMS is installed properly and the folder permissions are set up correctly, perform an EMS backup. The backup must complete without errors, and the shared folder must contain the backup file.

 
