miciti
New Contributor III

FortiClient EMS: prevent unknown devices from connecting?

Hello everyone,

I am new to FortiClient EMS and currently in a roll-out state.

How do I prevent unwanted computers from connecting to the EMS? (EMS on-prem, running in a DMZ and publicly available to the internet)

In theory someone can install FortiClient and connect to our EMS.

I do install FortiClient for our users because they do not have admin privileges - so I did not enable user verification.

Is there any other way to prevent unwanted devices from connecting to EMS?

1 Solution
btan

Hi miciti,

Yes, correct, an invitation code.

Yes, you can use the 'switch by invitation' method.
Be careful when enabling 'enforce invitation-only registration'. If this option is enabled, any endpoints that are currently joined to EMS using IP/FQDN will all be disconnected.

Regards,
Bon

Hartza
New Contributor II

I'm still wondering if it's really so that FortiClient can't be installed in a user-friendly way, where the user doesn't have to do anything other than log in to register to EMS cloud. It's just hard to believe :)

btan
Staff

There is an option to set a 'telemetry-key' (something like a password) when joining EMS; only those who have the 'telemetry-key' can join EMS.

Refer: https://docs.fortinet.com/document/forticlient/7.2.5/ems-administration-guide/319002/configuring-ems...
*look for 'FortiClient telemetry connection key'

Regards,
Bon
bfig90
New Contributor III

Hello everyone, I'm also trying to solve this by limiting enrollment to the EMS to invited users only. Reading the manual, I cannot really follow the logic since it keeps redirecting me from one link to the other. So far I have done this:

1- I have added my domain

2- In User Management I have authorized only the groups I want (each user who can connect to VPN must be a member of an AD group. This is due to Forti Auth)

3- In the menu Endpoints > Invitation I have created an individual invitation (just for test purposes). For the verification type I have selected Domain and it asks me to select the single user.

Is this enough? I get my email invitation, but I have tried to enter my LDAP credentials and it won't authenticate. I have tried: my username; my domain/my username; my email address, but it still won't authenticate.
