Description
This article describes how to simplify the FortiClient EMS setup.
EMS configurations are now centralized under one configuration card on the Fabric Connectors page.
Certificates are the main mode of authentication and authorization.
The certificate is validated against its issuer CA, and is then presented to the administrator to authorize.
A certificate attribute has been added to endpoint-control fctems, and EMS certificates can be verified with execute fctems verify.
Scope
The following examples presume the EMS certificate has already been configured.
Solution
To configure an on-premise FortiClient EMS server to the Security Fabric in the GUI:
- On the root FortiGate, go to Security Fabric -> Fabric Connectors.
- Select 'Create New' and select 'FortiClient EMS'.
- For Type, select 'FortiClient EMS'.
- Enter a name and IP address.
- Select 'OK'.
A window appears to verify the EMS server certificate.
- Select 'Accept'.
The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.
To configure a FortiClient EMS Cloud server to the Security Fabric in the GUI:
- Go to Security Fabric -> Fabric Connectors.
- Select 'Create New' and select 'FortiClient EMS'.
- For Type, select 'FortiClient EMS Cloud'.
- Enter a name.
- Select 'OK'.
A window appears to verify the EMS server certificate.
- Select 'Accept'.
The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.
To configure an on-premise FortiClient EMS server to the Security Fabric from the CLI:
config endpoint-control fctems
edit "ems138"
set server "172.16.200.138"
set certificate "REMOTE_Cert_1"
next
end
To configure a FortiClient EMS Cloud server to the Security Fabric from the CLI:
config endpoint-control fctems
edit "Cloud_EMS"
set fortinetone-cloud-authentication enable
set certificate "REMOTE_Cert_1"
next
end
To verify an EMS certificate from the CLI:
execute fctems verify ems138
Subject: C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm, emailAddress = xxxx@xxxxxxxx.xxx
Issuer: CN = 155-sub1.fortinet.com
Valid from: 2017-12-05 00:37:57 GMT
Valid to: 2027-12-02 18:08:13 GMT
Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
Root CA: No
Version: 3
Serial Num:
01:86:a2
Extensions:
Name: X509v3 Basic Constraints
Critical: yes
Content:
CA:FALSE
Name: X509v3 Subject Key Identifier
Critical: no
Content:
35:B0:E2:62:AF:9A:7A:E6:A6:8E:AD:CB:A4:CF:4D:7A:DE:27:39:A4
Name: X509v3 Authority Key Identifier
Critical: no
Content:
keyid:66:54:0F:78:78:91:F2:E4:08:BB:80:2C:F6:BC:01:8E:3F:47:43:B1
DirName:/C=CA/ST=bc/L=burnaby/O=devqa/OU=top3/CN=fac155.fortinet.com/emailAddress=xyguo@fortinet.com
serial:01:86:A4
Name: X509v3 Subject Alternative Name
Critical: no
Content:
DNS:sys169.qa.fortinet.cm
Name: X509v3 Key Usage
Critical: no
Content:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only
Name: X509v3 Extended Key Usage
Critical: no
Content:
TLS Web Server Authentication, TLS Web Client Authentication
EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y
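As an added example (not part of the article and not Fortinet code), the following Python script parses output in the format printed by execute fctems verify, as shown above, and lists the reasons an administrator should not answer 'y': the fingerprint is pinned to a value obtained out of band from the EMS administrator, the validity window is checked, the SAN must contain the configured server name, and the EKU must allow TLS server authentication. The embedded sample is constructed from the values shown above; the expected fingerprint and server name passed to the check are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in the format printed by 'execute fctems verify' (values taken from the article).
SAMPLE = """\
Issuer: CN = 155-sub1.fortinet.com
Valid from: 2017-12-05 00:37:57 GMT
Valid to: 2027-12-02 18:08:13 GMT
Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
Extensions:
Name: X509v3 Subject Alternative Name
Critical: no
Content:
DNS:sys169.qa.fortinet.cm
Name: X509v3 Extended Key Usage
Critical: no
Content:
TLS Web Server Authentication, TLS Web Client Authentication
"""

def parse_verify_output(text):
    """Return (top-level fields, {extension name: content lines}) from the verify output."""
    head, _, tail = text.partition("Extensions:\n")
    fields = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in head.splitlines())}
    exts, current = {}, None
    for line in tail.splitlines():
        if line.startswith("Name: "):
            current, exts[line[6:]] = line[6:], []
        elif current and not line.startswith("Critical:") and line != "Content:":
            exts[current].append(line.strip())
    return fields, exts

def check_ems_certificate(text, expected_fingerprint, ems_fqdn, now=None):
    """List the reasons not to accept the certificate; an empty list means it matches expectations."""
    fields, exts = parse_verify_output(text)
    now = now or datetime.now(timezone.utc)
    def when(key):
        return datetime.strptime(fields[key], "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    findings = []
    # Pin the fingerprint to the value the EMS administrator supplied out of band (assumed input).
    if fields.get("Fingerprint", "").upper() != expected_fingerprint.upper():
        findings.append("fingerprint differs from the value obtained out of band")
    if not when("Valid from") <= now <= when("Valid to"):
        findings.append("certificate is outside its validity period")
    san = ",".join(exts.get("X509v3 Subject Alternative Name", []))
    dns_names = [s.strip()[4:] for s in san.split(",") if s.strip().startswith("DNS:")]
    if ems_fqdn not in dns_names:
        findings.append(f"server name {ems_fqdn} is not in SAN {dns_names}")
    if "TLS Web Server Authentication" not in ",".join(exts.get("X509v3 Extended Key Usage", [])):
        findings.append("certificate does not allow TLS server authentication")
    return findings
```

Run the check against the output captured from the FortiGate before answering the prompt; only an empty list means every expectation was met.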
Note:
With newer FortiGate versions, the CA certificate that issued the EMS server certificate must be uploaded to the FortiGate to avoid certificate errors.