Hi Forum.
In FortiClient EMS I have configured Deployment as per Documentation. I have configured two "schedules" in Deployment > Manage Deployment - one for deployments and one for withdrawals/uninstallations. The Deployment-schedule is assigned to the group ad.local.site/EMS-Deployment. I have a dedicated Domain Administrator sa-fg-ems and entered the credentials of it into the configuration in EMS. I can connect to the admin-share of the designated clients with the credentials of sa-fg-ems. I have two clients in the group ad.local.site/EMS-Deployment. Deployment tries to install the package but I get only error notifications (behind the bell icon in EMS). The error message is:
Failed to install FortiClient on ad.local.site\NXITOPS.ad.local.site. Error code=210 (Wrong credentials to log onto the remote device, or network discovery is disabled on the remote device.)
I tried the credentials with username and with ad\username. Both don't work. How can I fix this?
best regards
Kai
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I hadn't thought of that I have placed my EMS server in a DMZ. So I had to open some ports from the EMS server to the inside. This picture helped alot:
"Wrong credentials" is very misleading. ;)
We are running a similar setup to yours and are considering FortiClient with EMS. Did you ever consider using the EMS-Cloud version? For our remote endpoints that solution would give us the visibility we need into our remote clients. I believe you can add fabric connectors for both an on-prem EMS and the cloud EMS at the same time. Just curious, as we gather information to make a decision.
No, this is my initial setup. I'm still trying to make all the pieces fit together. I have still some open issues. Neither th compliances rules nor the group assignment rules kick in. Clients "off-fabric" don't connect to miy FortiGate, even though the IP and telemetry port is reachable from the outside. I don't know if this makes any difference with FortiClient 6.4.0+. I'm always unsure, if any of the problems I have is, because I'm lacking the "Security Fabric" feature (see below).
The next open construction site is 2FA with FortiTokens. On the FortiGate, I have configured the same AD twice. One with sAMAccountName and one with UserPrincipalName (E-Mail address) as the UserID. I have authorized an AD group for a VPN and this works well without 2FA. User from the configured AD group can authenticate the VPN with username or E-Mail address. When I add a LDAP-user in the FortiGate to the group, I can attach a FortiToken only to sAMAccountName or UserPrincipalName, but not both. Even worse, the username from the VPN is case sensitive. So when using the E-Mail address (UPN), FortiClient asks for the Token only when the username is entered exactly as configured in the FortiGate. Otherwise it authenticates using the group-membership without asking for a token. Here it is case-insensitive!
On the FortiGate I miss many advertised features, especially "Security Fabric". I learnt, that it won't work with multiple VDOMS, what's funny, since VDOMs is one of the advertised features as well. Some features, e.g. central SNAT only work in policy mode. So I tried to change my FortiGate from profile mode to policy mode as described in the manual. But instead of converting my 'IPv4 Rules' into 'Security Rules', all rules were deleted and I had to restore my configuration from backup.
All in all - very frustrating.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.