FortiClient EMS | Remote Installation

Nenad · ‎12-12-2018

Hi everyone.

I was wondering is someone could please assist with the issue I have been experiencing when trying to distribute FortiClient through hub and spoke environment from EMS server:

We have 200 EMS licenses. (I am aware that in order to obtain a full telemetry compliance, one would have to purchase 2x the amount of licences, both for FGT and FEMS, sadly.)

All branches are connected via IPsec to HO. (static IP P1)

Branch domain has been imported on the EMS server and all the machine objects enumerated. I have created the following on FEMS / FGT:

[ol]

Branch Gateway, to point to the internal gateway of branch FGT**

Branch Profile with the installer which points to [link]https://server_ip:8013[/link]

Both Gateway and the Domain Profiles have been assigned to the branch domain

Branch firewall is pointing to the local IP address of the EMS server based at HO (with correct S/N)

Since push installation from EMS server didn’t work, I did deployment through GPO policy of the .msi package and it had propagated on the local domain

I made all exclusions for the internal IP address of the EMS server on the branch host’s windows firewall[/ol]

Diagnostics done:

[ol]

All protocols otherwise operational between branch hosts

When doing packet sniffer on both FGT’s I can see that the hub firewall is resetting packets outbound when from the branch – not sure why?

*On EMS, I tried swopping the Listed Gateways, to point to the HO firewall, but no luck.

On the EMS server, all computers show with “No IP” and “No connectivity” icons.[/ol]

Can someone please assist with this one?

Not sure if the EMS server must be published on the WAN port of the HO firewall in order for this to work?

Thank you.

SteveG · ‎12-13-2018

If you have a FC install on a PC on the internal network does that register successfully with EMS?