FortiArt
Staff
Article Id 398174
Description: This article describes how to fix an issue where FortiGate fails to obtain capability information from an Azure-Hosted FortiClient EMS.
Scope: FortiGate.
Solution

Problem:

When trying to authorize Azure-Hosted FortiClient EMS from FortiGate, the following errors show in the GUI:

[Image: cert-error.png]

[Image: capabilities-error - Copy.png]

Run the following real-time debug commands on FortiGate:

diagnose debug reset

diagnose debug application fcnacd -1

diagnose debug enable

The following errors will be shown in the CLI:

[ec_ez_worker_process:353] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"
[ec_ez_worker_process:412] Call completed with failure.
obj-id: 0, desc: "REST API to get EMS Serial Number.", entry: "api/v1/system/serial_number".
error info: Error (-1@__generic_process_result_ex:150). EMS server certificate is not signed by any known CA.
'Failed to verify the certificate for server 'fcemas_srv' with Error (-1@_get_capabilities:471)'

Solution:

When the FortiClient EMS server is hosted in Azure Cloud and referenced by its FQDN, check that the DNS server in Azure can resolve the FortiClient EMS server FQDN. FortiGate itself must also be able to resolve the FQDN of the FortiClient EMS server hosted in Azure.

As a workaround, the IP address of FortiClient EMS can be used instead of the FQDN. This should work as long as there is reachability between FortiGate and FortiClient EMS.
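The check described above can be scripted. The following is an added example, not Fortinet code: it parses the fcnacd debug output quoted in this article, detects the "not signed by any known CA" failure, and then tests whether the EMS FQDN resolves. The function names, the result strings and `ems.example.com` are hypothetical, and it assumes the script runs on a host that uses the same DNS servers as FortiGate.

```python
import re
import socket

# Debug output quoted in this article, embedded so the example runs offline.
SAMPLE = """[ec_ez_worker_process:353] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"
[ec_ez_worker_process:412] Call completed with failure.
obj-id: 0, desc: "REST API to get EMS Serial Number.", entry: "api/v1/system/serial_number".
error info: Error (-1@__generic_process_result_ex:150). EMS server certificate is not signed by any known CA.
'Failed to verify the certificate for server 'fcemas_srv' with Error (-1@_get_capabilities:471)'
"""

CALL_RE = re.compile(r'Processing call for obj-id: (\d+), entry: "([^"]+)"')
ERROR_RE = re.compile(r"error info: Error \([^)]*\)\. (.+)")
SERVER_RE = re.compile(r"Failed to verify the certificate for server '([^']+)'")
CERT_REASON = "not signed by any known CA"

def parse_failures(text):
    """Group each failed REST call with its error reason and EMS entry name."""
    failures, call = [], None
    for line in text.splitlines():
        if m := CALL_RE.search(line):
            call = {"entry": m.group(2), "reason": None, "server": None}
        elif call is None:
            continue
        elif "Call completed with failure" in line:
            failures.append(call)
        elif m := ERROR_RE.search(line):
            call["reason"] = m.group(1)
        elif m := SERVER_RE.search(line):
            call["server"] = m.group(1)
    return failures

def resolves(fqdn, resolver=socket.getaddrinfo):
    """True if fqdn resolves using the DNS servers of the host running this."""
    try:
        return bool(resolver(fqdn, 443))
    except socket.gaierror:
        return False

def triage(text, ems_fqdn, resolver=socket.getaddrinfo):
    """Return 'no-cert-failure', 'check-dns' or 'dns-ok' (hypothetical labels)."""
    cert_failed = any(CERT_REASON in (f["reason"] or "") for f in parse_failures(text))
    if not cert_failed:
        return "no-cert-failure"
    return "dns-ok" if resolves(ems_fqdn, resolver) else "check-dns"

if __name__ == "__main__":
    # ems.example.com is a placeholder; substitute the FQDN configured on FortiGate.
    print(triage(SAMPLE, "ems.example.com"))
```

A `check-dns` result corresponds to the case this article addresses. `dns-ok` only shows that the name resolves from the host running the script, so resolution from FortiGate itself still needs to be confirmed.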
