Technical Tip: Simplify FortiClient EMS setup

Shilpa1 · ‎09-24-2020

Description
EMS configurations are now centralized under one configuration card on the Fabric Connectors page.
Certificates are the main mode of authentication and authorization.
The certificate validity is verified against the issuer CA, and then presented to the user to authorize.
A certificate attribute has been added to endpoint-control fctems, and EMS certificates can be verified with # execute fctems verify.

This article describes how to simplify FortiClient EMS setup.

Scope
The following examples presume the EMS certificate has already been configured.
Solution
To configure an on-premise FortiClient EMS server to the Security Fabric in the GUI.

1) On the root FortiGate, go to Security Fabric -> Fabric Connectors.
2) Select 'Create New' and select 'FortiClient EMS'.
3) For Type, select 'FortiClient EMS'.
4) Enter a name and IP address.
5) Select 'OK'.

A window appears to verify the EMS server certificate:

6) Select 'Accept'.

The FortiClient EMS Status section displays a Successful connection and an Authorized certificate:

To configure a FortiClient EMS Cloud server to the Security Fabric in the GUI.

1) Go to Security Fabric -> Fabric Connectors.
2) Select 'Create New' and Select 'FortiClient EMS'.
3) For Type, select 'FortiClient EMS Cloud'.
4) Enter a name.
5) Select 'OK'.

A window appears to verify the EMS server certificate.

6) Select 'Accept'.

The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.

To configure an on-premise FortiClient EMS server to the Security Fabric from CLI.

# config endpoint-control fctems
    edit "ems138"
        set server "172.16.200.138"
        set certificate "REMOTE_Cert_1"
    next
end

To configure a FortiClient EMS Cloud server to the Security Fabric from CLI.

# config endpoint-control fctems
    edit "Cloud_EMS"
        set fortinetone-cloud-authentication enable
        set certificate "REMOTE_Cert_1"
    next
end

To verify an EMS certificate from CLI.

# execute fctems verify ems137

        Subject:     C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm, emailAddress = xxxx@xxxxxxxx.xxx
        Issuer:      CN = 155-sub1.fortinet.com
        Valid from: 2017-12-05 00:37:57 GMT
        Valid to:    2027-12-02 18:08:13 GMT
        Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
        Root CA:     No
        Version:     3
        Serial Num:
                01:86:a2
        Extensions:
                Name:     X509v3 Basic Constraints
                Critical: yes
                Content:
                CA:FALSE

                Name:     X509v3 Subject Key Identifier
                Critical: no
                Content:
                35:B0:E2:62:AF:9A:7A:E6:A6:8E:AD:CB:A4:CF:4D:7A:DE:27:39:A4

                Name:     X509v3 Authority Key Identifier
                Critical: no
                Content:
                keyid:66:54:0F:78:78:91:F2:E4:08:BB:80:2C:F6:BC:01:8E:3F:47:43:B1
DirName:/C=CA/ST=bc/L=burnaby/O=devqa/OU=top3/CN=fac155.fortinet.com/emailAddress=xyguo@fortinet.com
serial:01:86:A4

                Name:     X509v3 Subject Alternative Name
                Critical: no
                Content:
                DNS:sys169.qa.fortinet.cm

                Name:     X509v3 Key Usage
                Critical: no
                Content:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only

                Name:     X509v3 Extended Key Usage
                Critical: no
                Content:
                TLS Web Server Authentication, TLS Web Client Authentication

EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y