Article Id 390889
Description This article explains why a FortiGate cannot establish its Fabric Connector to a FortiClient EMS that sits behind a FortiWeb performing SSL offloading.
Scope FortiGate, FortiWeb, FortiClient EMS.
Solution

The Fabric Connector session between a FortiGate and FortiClient EMS can be broken by a device in the path that terminates the TLS session, such as a FortiWeb in reverse proxy mode with SSL offloading applied, or a FortiGate configured with a Virtual Server in Half SSL offloading mode.

A simple diagram of the affected topology:

Client FortiGate --> FortiWeb (SSL offloading) --> FortiClient EMS

The Fabric Connector relies on mutual (two-way) TLS authentication between the FortiGate and FortiClient EMS: EMS requests a client certificate and validates that it belongs to the connecting FortiGate. With SSL offloading, the FortiWeb terminates the FortiGate's TLS session itself and opens a separate TLS session of its own to EMS. The FortiGate's client certificate is consumed by the first handshake and cannot be presented again on the second, so EMS sees a connection from the FortiWeb that carries no client certificate (or a different one), client certificate validation fails, and the FortiGate is never authorized on EMS.

To avoid the issue, do not terminate TLS anywhere between the FortiGate and FortiClient EMS: do not apply SSL offloading on the FortiWeb for this traffic, and do not publish EMS through a Half SSL offloading Virtual Server on a FortiGate. Forward the connection to EMS without decrypting it, so that the FortiGate's TLS handshake, including its client certificate, reaches EMS unchanged. Connecting to the EMS address through the intermediate device with a TLS client such as openssl s_client and checking whether a client certificate is requested at all, and which CA names are listed as acceptable, shows quickly whether the session is being terminated short of EMS.
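The failure described above, reproduced in Go as an added example that is not part of the original article or of any Fortinet product: a stand-in for EMS that requires a client certificate, a stand-in for the FortiGate that presents one, and an SSL-offloading reverse proxy placed between them. The certificates, loopback addresses, the one-line "authorized" reply and the names startEMS, startOffloader, connect and Demo are all constructed for this demo and are not the real Fabric Connector protocol; only the TLS behaviour (mutual TLS broken by termination in the path) is what the article describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func orPanic[T any](v T, err error) T {
	if err != nil {
		panic(err) // lab code: any setup error is fatal
	}
	return v
}

// selfSigned builds an in-memory self-signed certificate that is both leaf and trust anchor
// for a lab host on 127.0.0.1 (constructed for this demo, not a real device certificate).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key := orPanic(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der := orPanic(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := orPanic(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// listen starts a TLS listener on loopback and serves each connection on its own goroutine.
func listen(cfg *tls.Config, handle func(*tls.Conn)) string {
	ln := orPanic(tls.Listen("tcp", "127.0.0.1:0", cfg))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); handle(c.(*tls.Conn)) }(c)
		}
	}()
	return ln.Addr().String()
}

// startEMS stands in for FortiClient EMS: mutual TLS, "authorized" only for a client certificate chaining to fgtPool.
func startEMS(emsCert tls.Certificate, fgtPool *x509.CertPool) string {
	return listen(&tls.Config{Certificates: []tls.Certificate{emsCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: fgtPool}, func(c *tls.Conn) {
		if c.Handshake() == nil { // fails when no trusted client certificate is presented
			fmt.Fprintln(c, "authorized")
		}
	})
}

// startOffloader stands in for a FortiWeb reverse proxy with SSL offloading: it terminates
// the FortiGate's TLS session and opens a separate TLS session of its own towards EMS.
func startOffloader(emsAddr string, cert tls.Certificate, emsPool *x509.CertPool) string {
	return listen(&tls.Config{Certificates: []tls.Certificate{cert}}, func(c *tls.Conn) {
		// No Certificates here: the FortiGate's client certificate ended at the front-end handshake.
		if backend, err := tls.Dial("tcp", emsAddr, &tls.Config{RootCAs: emsPool}); err == nil {
			defer backend.Close()
			reply, _ := io.ReadAll(backend) // EMS aborts the handshake, so reply stays empty
			c.Write(reply)
		}
	})
}

// connect plays the FortiGate: present fgtCert, trust emsPool, return whatever comes back.
func connect(addr string, fgtCert tls.Certificate, emsPool *x509.CertPool) string {
	if conn, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{fgtCert}, RootCAs: emsPool}); err == nil {
		defer conn.Close()
		reply, _ := io.ReadAll(conn)
		return string(reply)
	}
	return ""
}

func Demo() (direct, viaOffloader string) {
	fgtCert, fgtPool := selfSigned("fortigate")
	emsCert, emsPool := selfSigned("ems")
	emsAddr := startEMS(emsCert, fgtPool)
	return connect(emsAddr, fgtCert, emsPool), connect(startOffloader(emsAddr, emsCert, emsPool), fgtCert, emsPool)
}

func main() {
	direct, via := Demo()
	fmt.Printf("direct to EMS: %q\nthrough SSL offloader: %q\n", direct, via)
}
```

Run with go run: the direct path is answered with "authorized", the path through the offloader gets nothing. The offloader's own handshake to EMS is rejected because it has no client certificate to present, and it has no way to replay the FortiGate's, which is exactly why the mitigation is to forward the session at TCP level and let the FortiGate's handshake reach EMS intact.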
