How to integrate AD with FortiClient CLOUD EMS
Hi Oksar,
The procedure should be the same as on-prem EMS:
https://docs.fortinet.com/document/forticlient/7.0.6/ems-administration-guide/123277/adding-endpoint...
Bon
Emmm... So what? I need to open a port from the internet to my AD servers?
So how can I do this safely? Because opening a port to AD servers is not a very secure option.
You do indeed have to open a port to at least your EMS Cloud server's public IP.
You can locate your EMS public IP in the About tab at the bottom left when you log in to EMS Cloud.
Bon
Still not very safe if someone spoofs the IP address.
Did you ever get this implemented? I don't understand which IP to use on the EMS Cloud config to see the internal AD Server? I've found my public address for EMS Cloud to allowlist to the internal AD server - but how would EMS Cloud know how to route to the internal address of the AD Server?
Well, first you have to open ports for LDAP(S) on one of your public IPs, and instead of opening them to all (the internet), you will use the public IP of FortiClient EMS Cloud as the source IP.
Opening ports to LDAPS or, much worse, to Windows AD servers on your firewall is insecure!
To end all that bad guessing: there is an AD Connector. See FortiDocs here: https://docs.fortinet.com/document/forticlient/7.2.2/ems-administration-guide/787816/ad-connector
Martin
That appears to be for On-prem EMS. Is there an option for cloud EMS?
Hi @smalls,
AD Connector can be set up for EMS Cloud as well. In fact, the purpose of AD Connector is usually for EMS Cloud, but it is still a very niche usage, since it increases management overhead (you will have to upgrade the Connector version when the EMS version is upgraded).
Bon
