Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bfig90
New Contributor II

Connect FortiClient EMS to FortiGate

Dear all,

I'm following the guide in order to setup for the first time the FortiClient EMS with my existing architecture ( FortiGate + FortiAuth). 

 

In the docs (https://docs.fortinet.com/document/fortigate/7.2.5/ztna-deployment/374384/connect-the-fortigate-to-e...) is telling that:

 

1- I need to generate a cert. By i do have already EMS Server Certificates (FortiCare). Do i need to generate again using a third party such as godaddy since i do not have an CA ? Or this are the defaults one ?

 

2- How i can publish in the DMZ the FortiEMS ? 


Thank You in advance

#FortiClientEMS

 

1 Solution
AEK

It seems there is no such feature on the GUI.

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Request-an-SSL-digital-certificate-from-...

So either do it via CLI or upload certificate + private key.

AEK

View solution in original post

AEK
8 REPLIES 8
AEK
SuperUser
SuperUser

Hello

 

Don't worry about the certificate, connect them as is and they will use Fortinet embedded certificate and it will work fine.

 

Regarding how to publish EMS, you need to create 2 VIP object, one for HTTPS 10443, and one for telemetry 8013, then create 2 firewall rules to authorize the related traffic from outside for the mentioned ports.

In case you are not used to create VIPs, here is how to proceed:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

 

AEK
AEK
bfig90
New Contributor II

So, i would not need to import the root CA of FortiEMS to FortiGate ? What about user endpoints ? Do i need some kind of cert for them also ? Thank You 

AEK
SuperUser
SuperUser

You need to upload a certificate signed by your certificate authority (trusted by your clients) to EMS, and set it as certificate for the web server and endpoint control (EMS Settings).

AEK
AEK
bfig90
New Contributor II

Can i use a certificate from a Third party such as: GoDaddy etc ? If yes, what type of cert should i use ? 

AEK

Yes you can use a public certificate.

It can be DV single domain name or wildcard.

AEK
AEK
bfig90
New Contributor II

I noticed that there is no  GUI on the EMS to generate the csr like FortiGate. Is there a documentation how to do it ?

AEK

It seems there is no such feature on the GUI.

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Request-an-SSL-digital-certificate-from-...

So either do it via CLI or upload certificate + private key.

AEK
AEK
bfig90
New Contributor II

Done via CLI 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors