Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bfig90
New Contributor III

New to FortiEMS

Dear all,

I'm new to FortiEMS. I have done a fresh installation as a VM using the trial license.

Our current architecture is: FortiGate + FortiAuthenticator.

The users are connecting to VPN (SSL-VPN) using FortiGate + FortiClient and FortiAuthenticator as MFA.

We also want to add FortiEMS as a layer to do a posture check for the device prior to giving them permissions to connect remotely to the company resources. We have users with company AD-joined laptops + BYOD devices.

I'm trying to understand:

1- Where will the FortiEMS stand in the "big picture" at the architecture level? Will it replace any of the components?

2- Do I need to connect FortiEMS with FortiGate? If yes, will I have any impact, since I do not have a test env and FortiGate is directly in production?

3- Do I still need the FortiAuthenticator?

Thank you in advance

#FortiEMS

 

3 REPLIES
AEK
SuperUser

Hello

1- You put FortiClient EMS typically in the DMZ, since it is accessible from outside (HTTPS for client download + telemetry for external clients).

As you may know, FortiClient has multiple features (VPN, AV, vulnerability scan, ZTNA and so on), and one of the components it may replace on your clients is the anti-malware, if needed.

2- You need to connect EMS to FortiGate via fabric connector without any risk and this will have no impact on the production.

3- FortiClient EMS will not replace FortiAuthenticator, as EMS doesn't do central authentication, certificate authority, RADIUS, MFA, token management and so on. If you are using FAC then you will continue to use it as before.

Hope it helps.

AEK
bfig90
New Contributor III

Thank you for your response. Having this in mind, the only thing I need to do is to replace the existing FortiClient on the users' endpoints with the new one?

AEK

In case you have "FortiClient VPN" on the clients or an older "FortiClient" version then yes you will need to replace it.

AEK