FortiClient EMS has a feature to host an HTTPS installer link for custom FortiClient packages: Adding a FortiClient installer | FortiClient 7.4.3 | Fortinet Document Library
This feature is used when an on-premises FortiClient EMS server sends out FortiClient upgrade instructions to FortiClient endpoints. Remote endpoints that are outside the network where the EMS server is hosted will need to access the installer link to download the new version of FortiClient.
This article describes how to make the FortiClient EMS installer link publicly available for remote endpoints. It assumes that the FortiClient EMS server is hosted behind the FortiGate and that the desired FortiClient installer package has already been created.
- The FortiClient EMS installer link URL can be found through the EMS system settings under FortiClient EMS GUI -> System Settings -> FortiClient EMS Settings -> Check the FortiClient download URL option.

- Check if the FortiGate can telnet to the EMS installer IP address and port to confirm connectivity:
exe telnet x.x.x.x 10443

- Create a VIP object that maps the FortiGate external WAN interface to the internal private IP of the on-prem FortiClient EMS server under FortiGate GUI -> Policy & Objects -> Select Create New.

Select the desired WAN interface for the 'interface' option and enter the corresponding WAN interface IP address. Enter the internal FortiClient EMS installer link IP for the 'Map To' option.
- Enable port forwarding and enter the desired external port with the corresponding default port '10443' configured on FortiClient EMS for the 'Map to IPv4 port' option.
- Create a firewall policy on the FortiGate to allow the VIP object for remote endpoints. The incoming interface should be the WAN interface, and the outgoing should be the internal LAN interface under FortiGate GUI -> Policy & Objects -> Firewall Policy -> Select Create New.

For the destination object, ensure that the new VIP object is selected to allow for the rule to work correctly.
- Test the connection from a remote endpoint and check if the installer link is accessible. Be sure to replace the private IP address with the public IP address when adjusting the URL for testing: https://x.x.x.x:10443/installers/default/<installername>
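
The VIP and firewall policy steps above, written as FortiOS CLI. This is an added example, not configuration from the original article. The interface names (wan1, internal), the object names, and the addresses 203.0.113.10 (WAN) and 10.0.0.50 (EMS) are constructed placeholders, and the policy is limited to TCP 10443 with logging enabled rather than allowing all services.

```fortios
# Constructed example: replace interface names, object names and IPs with real values.

# Custom service so the policy only permits the EMS installer port.
config firewall service custom
    edit "EMS-Installer-10443"
        set tcp-portrange 10443
    next
end

# VIP: WAN interface IP and external port forwarded to the EMS server.
config firewall vip
    edit "EMS-Installer-VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.50"
        set portforward enable
        set protocol tcp
        set extport 10443
        set mappedport 10443
    next
end

# Policy: WAN -> internal LAN, destination is the VIP object.
config firewall policy
    edit 0
        set name "Allow-EMS-Installer"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "EMS-Installer-VIP"
        set service "EMS-Installer-10443"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end
```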

FortiClient endpoints will use the installer link configured on the EMS server.
It is necessary to configure the EMS server to use an FQDN for the installer link, which externally resolves to the FortiGate public IP, for this setup to work correctly. It may be required to publish the FQDN to a public DNS server.
The following document can be used for more information on setting up an FQDN on FortiClient EMS: Configuring EMS after installation | FortiClient 7.2.4 | Fortinet Document Library
Once the FortiClient EMS server has been configured with an externally resolvable FQDN, the final result should be that endpoints can access the installer link with an FQDN.
From here, the FortiClient ESNAC process will use this link to download the respective installer package to complete the upgrade process.

Related documents:
- Technical Tip: Virtual IP (VIP) port forwarding configuration
- Deploying FortiClient upgrades from FortiClient EMS | FortiClient 7.4.3 | Fortinet Document Library