RDY77
New Contributor

EMS | use AD groups to update the endpoints with new installation profile

Hello all.

I'm migrating an EMS server from 6.0.8 to 6.2.8. The higher version has a new feature to read AD user/computer groups.

I associated an installation profile with an AD group named "domain/Forticlient_upgrade"; it applies a new telemetry gateway IP (new EMS) and two different endpoint profiles for on-net and off-net (on-net devices are matched only by private IP).

When I put a PC in the AD group, I expect EMS to show it and send it the update. Unfortunately, nothing happens and I can see the log below on EMS:

#################### 2021-06-16 12:52:04 Error AD Service Failed to open TCP connection to ***-dc01.***.it on port 0: System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context 172.17.0.215:0 at System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port) at FcmAdDaemon.LdapHelpers.TestConnectivity(String server, Int32 port, PingReply& pingReply, Nullable`1& tcpResponseTime) 6 times since 2021-06-16 12:47:21 ####################

What could it be? The traffic from EMS server to AD server doesn't pass through a firewall, but only through a L3 switch. It shouldn't be blocked.
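As an added diagnostic example (not from this post or from Fortinet), a small Python parser for the EMS "AD Service" error line quoted above: it pulls out the target server, the port EMS actually tried, the address it resolved to and the repeat count, and flags port 0, which is not a valid TCP destination, so a misconfigured AD server port can be told apart from a blocked network path. The sample line is constructed from the one in the post, with the same placeholder host name.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the EMS log line quoted in the post.
SAMPLE_LOG = (
    "#################### 2021-06-16 12:52:04 Error AD Service Failed to open TCP connection "
    "to ***-dc01.***.it on port 0: System.Net.Sockets.SocketException (0x80004005): "
    "The requested address is not valid in its context 172.17.0.215:0 at "
    "System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port) at "
    "FcmAdDaemon.LdapHelpers.TestConnectivity(String server, Int32 port, PingReply& pingReply, "
    "Nullable`1& tcpResponseTime) 6 times since 2021-06-16 12:47:21 ####################"
)

# Layout of the line: "#### <timestamp> <level> AD Service Failed to open TCP connection
# to <server> on port <port>: <exception detail> [<n> times since <timestamp>] ####"
LINE_RE = re.compile(
    r"^#+\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<level>\w+)\s+AD Service\s+"
    r"Failed to open TCP connection to (?P<server>\S+) on port (?P<port>\d+):\s*(?P<detail>.*?)"
    r"(?:\s+(?P<count>\d+) times since (?P<since>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?\s+#+$"
)

@dataclass
class AdConnError:
    timestamp: str
    server: str
    port: int
    resolved_ip: Optional[str]   # address:port the socket error reports, e.g. 172.17.0.215:0
    repeat_count: int
    since: Optional[str]

    def port_is_usable(self) -> bool:
        # TCP destination port 0 is reserved and cannot be connected to; 1..65535 are valid.
        return 1 <= self.port <= 65535

def parse_ad_conn_error(line: str) -> Optional[AdConnError]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+", m.group("detail"))
    return AdConnError(m.group("ts"), m.group("server"), int(m.group("port")),
                       ip.group(1) if ip else None, int(m.group("count") or 1), m.group("since"))

def diagnose(line: str) -> str:
    err = parse_ad_conn_error(line)
    if err is None:
        return "not an AD Service TCP connection error"
    if not err.port_is_usable():
        return (f"EMS tried {err.server} ({err.resolved_ip}) on TCP port {err.port}: port 0 is "
                "not a valid destination, so the check fails before any firewall or switch is "
                "involved; verify the LDAP/LDAPS port configured for this AD server in EMS")
    return f"EMS could not reach {err.server} ({err.resolved_ip}) on TCP {err.port}; check the path"
```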

MeanJean
New Contributor

I'm sorry but did you type the last two lines correctly or is one of those "should"s supposed to be a "shouldn't"?

"The traffic from EMS server to AD server should pass through a firewall, but only through a L3 switch. It should be blocked."

RDY77
New Contributor

You're right!

I applied a correction:

"What could it be? The traffic from EMS server to AD server doesn't pass through a firewall, but only through a L3 switch. It shouldn't be blocked."

However, I also opened a ticket with Fortinet TAC, and maybe I found the problem; it seems not to be related to that log.

The AD group rule on EMS only allows linking a USER AD group and not a COMPUTER AD group.

The customer moved some computers into that group and nothing happened, but when he moved a user the update was sent.

This is a problem, because a user can use different computers and I don't understand what will happen when the same user logs in to multiple computers.

FortiClient policies can differ between users, and it would be useful if they followed the user login and not the computer, but how long does the user have to wait for his FCT policies every time he logs in to a new computer?

On a shared PC in a showroom, if users alternately take control of the PC, how does FCT work?
