Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jbrashear
New Contributor

Confused about Forticlient EMS server and Fortigate relationship.

Hi all,

 

I'm setting up the SSL VPN for my company and, I'm confused about how the VPN is licensed.  In my previous experience with Fortinet products, you had to have a license for the number of VPN clients you were going to have.  When we bought 4 new 300D's my sales person told me that the licensing is handled by the EMS server now.  I have installed the EMS server and it's licensed for 150 clients.  Where I get confused is how does the Fortigate know about the EMS server, or does it need to?  Honestly, I'm not at the point where I need full enterprise management outside of what the Fortigate can do itself, and all I want is to ensure that I can have more than the 10 users connect.  

 

Do I point the forticlients at the EMS server for telemetry, or the fortigate itself?  If the Fortigate is doing he telemetry, how does it integrate with the EMS?  The only thing I found in the cookbook was for implementing an EMS to manage internal devices on the LAN (ISFW).  Again, all I'm interested in at this point is making sure that more than the default 10 clients can connect to the SSL VPN.  I hope this makes sense.....

 

 

JB

4 Solutions
SteveG
Contributor III

We use EMS to manage our FortiClient installs. Unfortunately our supplier has no idea what licensing is required! They reckon, despite having 1500 EMS licenses we also need licensees on the FortiGates too (we want to enable the FortiClient enforcement on the LAN), although I don't see why. Before we had EMS the FortiClients would register to the FortiGates but we only had the default 10 licenses on each FortiGate so users would end up with an error message once they VPN'd in. Now the FortiClients are registered to EMS the FortiGate registration attempts have stopped. We've been pushing our supplier for a definitive answer for months now, I'm assuming the lack of understanding is on their part as I can't believe FortiNet don't know, it's their product!

 

We've not configured the telemetry feature yet, although all the FortiClients are sending logs to our FAZ. I may be wrong here but it feels to me that FortiNet are trying to remove the reliance on FortiGates when using EMS. We've have no config tie in between EMS and the FortiGates we have. I may be completely wrong though!

 

Confused? I certainly am :o

 

FYI, We have a number of support calls open at the moment as EMS is very buggy. We bravely rolled out FortiClient as the desktop AV here. Once the bugs are fixed it will be a great tool.

View solution in original post

RobertReynolds
Contributor

There are two parts of FortiClient now, Endpoint Management, and Endpoint Telemetry and Compliance. Endpoint management is for configuration management and provisioning of FortiClient profiles (what you used to be able to do on the FortiGate), this is a separate piece of software that runs on a windows server as a member of the domain (The EMS). You get 10 free licenses, and from then on it’s a paid feature. The Telemetry and compliance part is licenses on the FortiGate, this allows you to do some network access control. This also comes with 10 free.

 

Management == EMS

Management and compliance == EMS + Telemetry.

 

To use the FortiClient in standalone SSL VPN mode only, there is no extra licensing required.

View solution in original post

MikePruett
Valued Contributor

I just deployed EMS for a client. They paid the $7 per license and were on their way. We are able to configure and set everything we wanted based on that. Compliance etc included because it will use the EMS for the compliance settings etc.

View solution in original post

Mike Pruett Fortinet GURU | Fortinet Training Videos
neonbit
Valued Contributor

I've been testing this out in my lab over the last week and my understanding is that if you want to enforce compliance (ie: users can't go through the firewall unless they have AV running, no critical vulnerabilities etc), then you'll need both the EMS license and the FortiGate license.

 

If you just have the EMS server license then you can centrally manage the Forticlients and push out configs, but the FortiGate will not be able to determine if ForitClient is installed and what it's compliance posture is.

 

The FortiClient needs to be registered to the FortiGate for it to determine the compliance posture.

 

To do this with both the FortiGate and EMS Server you'll need to import the FortiClient policy from the FortiGate to the EMS server. The EMS server will then sync the Forticlient policy from the FortiGate every X minutes.

 

On the EMS server you then setup Telemetry IP addresses (ie the FortiGate's IP address) and push them to the FortiClients.

 

Once the FortiClients get this, they will proceed to register to the FortiGate and confirm it's compliance status.

 

The FortiClient's logs and management will still be done through the EMS, but the config will be changed on the FortiGate (so ultimately the EMS server is being used as a proxy between the FortiGate config and FortiClient config). So you make a FortiClient profile change on the FortiGate, it gets updated on the EMS server, it then gets pushed to the FortiClient.

 

If you wanted 100 devices to be have both this central config management and compliance you will need to purchase 100 EMS licenses, plus the FortiClient license on your FortiGate (or FortiGates if you have multiple sites that you want to enforce compliance).

 

Hope it makes sense!

View solution in original post

10 REPLIES 10
SteveG
Contributor III

We use EMS to manage our FortiClient installs. Unfortunately our supplier has no idea what licensing is required! They reckon, despite having 1500 EMS licenses we also need licensees on the FortiGates too (we want to enable the FortiClient enforcement on the LAN), although I don't see why. Before we had EMS the FortiClients would register to the FortiGates but we only had the default 10 licenses on each FortiGate so users would end up with an error message once they VPN'd in. Now the FortiClients are registered to EMS the FortiGate registration attempts have stopped. We've been pushing our supplier for a definitive answer for months now, I'm assuming the lack of understanding is on their part as I can't believe FortiNet don't know, it's their product!

 

We've not configured the telemetry feature yet, although all the FortiClients are sending logs to our FAZ. I may be wrong here but it feels to me that FortiNet are trying to remove the reliance on FortiGates when using EMS. We've have no config tie in between EMS and the FortiGates we have. I may be completely wrong though!

 

Confused? I certainly am :o

 

FYI, We have a number of support calls open at the moment as EMS is very buggy. We bravely rolled out FortiClient as the desktop AV here. Once the bugs are fixed it will be a great tool.

RobertReynolds
Contributor

There are two parts of FortiClient now, Endpoint Management, and Endpoint Telemetry and Compliance. Endpoint management is for configuration management and provisioning of FortiClient profiles (what you used to be able to do on the FortiGate), this is a separate piece of software that runs on a windows server as a member of the domain (The EMS). You get 10 free licenses, and from then on it’s a paid feature. The Telemetry and compliance part is licenses on the FortiGate, this allows you to do some network access control. This also comes with 10 free.

 

Management == EMS

Management and compliance == EMS + Telemetry.

 

To use the FortiClient in standalone SSL VPN mode only, there is no extra licensing required.

SteveG

That's interesting, so if you want to do the telemetry side you also need the (IPSec) VPN licenses on the FortiGate.

MikePruett
Valued Contributor

I just deployed EMS for a client. They paid the $7 per license and were on their way. We are able to configure and set everything we wanted based on that. Compliance etc included because it will use the EMS for the compliance settings etc.

Mike Pruett Fortinet GURU | Fortinet Training Videos
neonbit
Valued Contributor

I've been testing this out in my lab over the last week and my understanding is that if you want to enforce compliance (ie: users can't go through the firewall unless they have AV running, no critical vulnerabilities etc), then you'll need both the EMS license and the FortiGate license.

 

If you just have the EMS server license then you can centrally manage the Forticlients and push out configs, but the FortiGate will not be able to determine if ForitClient is installed and what it's compliance posture is.

 

The FortiClient needs to be registered to the FortiGate for it to determine the compliance posture.

 

To do this with both the FortiGate and EMS Server you'll need to import the FortiClient policy from the FortiGate to the EMS server. The EMS server will then sync the Forticlient policy from the FortiGate every X minutes.

 

On the EMS server you then setup Telemetry IP addresses (ie the FortiGate's IP address) and push them to the FortiClients.

 

Once the FortiClients get this, they will proceed to register to the FortiGate and confirm it's compliance status.

 

The FortiClient's logs and management will still be done through the EMS, but the config will be changed on the FortiGate (so ultimately the EMS server is being used as a proxy between the FortiGate config and FortiClient config). So you make a FortiClient profile change on the FortiGate, it gets updated on the EMS server, it then gets pushed to the FortiClient.

 

If you wanted 100 devices to be have both this central config management and compliance you will need to purchase 100 EMS licenses, plus the FortiClient license on your FortiGate (or FortiGates if you have multiple sites that you want to enforce compliance).

 

Hope it makes sense!

SteveG
Contributor III

That's a great post, you seem to understand the FortiGate/FortiClient/EMS licensing better than Fortinet ;)

 

Having said that I had a lengthy conf call with Fortinet this week and can confirm what you've stated is absolutely correct.

Jim_FH
New Contributor III

Mike:

 

Are you sure you're able to do compliance with the EMS only?  My understanding is what Robert said above...that is you want compliance in addition to management, then you need licenses for the 'gates AS WELL AS on the EMS.  If you can, I'd love to know where that's configured.  

 

They clearly moving towards EMS and away from the Fortigates for endpoint control, and it's frustrating that we can't get both features with one license, preferably the EMS.  

 

thanks,

Jim 

MikePruett
Valued Contributor

Perhaps Fortinet will work deals in situations like that.

 

You do need the Gate to be able to enforce compliance etc for sure. 

 

Mike Pruett Fortinet GURU | Fortinet Training Videos
Jim_FH
New Contributor III

Mike:

 

Yep, i verified that with my rep as well.  My EMS licenses won't work on the Fortigates, and I need more than the 10 free licenses offered.  

 

Too bad, i just can't afford to buy 2x licenses for the amount of clients I have to manage.  Hopefully they will unify the licensing in the future.

 

thanks,

 

Jim

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors