Below are the details of how to configure of a FortiEMS to deploy on windows machine and how to install it remotely. With the help of AD Server or Work-group, you can install FortiClient in an endpoint machine.With the help of AD server, you can deploy in Windows machine not in Mac Machine.
Supported Forti Device Firmware version
FortiClient EMS : 6.0.2 build 0106
FortiClient : 6.0.2.0128
Scenario :When your organization has 100 or more windows machines, it is difficult to install the manually client and men power is even more used. In such a situation, you have to remotely install the EMS client, which we will do from EMS management server.
You can also do this with the use of AD server group policy to install a Forti client. To install FortiClient you must keep some Windows services up to date.
You have to follow the steps which I am mention here.
You need to check some network connectivity before installing a FortiClient. If there is no connectivity between communicate with the Windows machine and the EMS server then it will not work according.
If the EMS server is in the DMZ network and the Windows machine is in the local network, then you will have to make a allow communication port between the two to connect the connectivity.
Ports List which I mentioned here. Which needs to allow both side. Make sure that Client to Server and Machine to server.
Connectivity is like.
Forti EMS Server —to –Firewall Device —-to — Local Network — to–Windows Machine
- FortiClientendpoint/FortiClient Telemetry — File transfers TCP 8013 (default)
- FortiClient communication — File transfers TCP 8014 (default)
- Samba (SMB) service — Enabled 445 Port
- Remote Procedure Calls (DCE- RPC) — Enabled 135
- Active Directory server — 389 (LDAP) or636 (LDAPS) & 88 (Kerberos Auth.)
- FortiClient download –10443 (default)
- HTTPS TCP 443 & HTTP 80
- ICMP service needs to enable for resolved host name from EMS server.
The service shown below must be compulsory in the Windows machine otherwise the Forti client will not communicate and the setup file will not be put in the machine from EMS server.
- Task Scheduler: Automatic
- Windows Installer: Manual
- Remote Registry: Automatic
The inbound rule shown below should be made in the local windows machine firewall. This rule can also be made from AD or you can enabled this rules from local machine firewall also. But you have to ensure that no override rule in firewall otherwise it will impact in your production environment.
- File and Printer Sharing (SMB-In)
- Remote Scheduled Tasks Management (RPC)
Now after all the communication ports are added, you will be able to deploy the client from EMS server.
Login in Forti EMS server console.
Step 1. First of all, you have to make installer setup.
Go To — Profile Components — Manage Installers —–Click on ADD button.
Step 2. After the installer setup has been created, go to Manage Profile
Go to — Endpoint Profile — Manage Profile —Click on ADD button to create new profile.
Once you created new profile. Go to the FortiClient Deployment option in created profile.
Step 3. Enable FortiClient Deployment option.
Once you enabled it. Select the installer which you created in step 1.
Schedule as per your requirement.
Assigned credential which is root domain credential that have full rights in domain controls.
Step 4. Select Windows machine from Endpoint section
Go to —-Endpoints — All Endpoints —- Select Endpoint machine with host name.
Search endpoint machine and move it to custom created group. Custom group must be create in under domain group only.
Step 5. Assigned Profile to custom created group.
Go to —Domain —–Select custom profile —- rights click to assign manage profile.
Once you assigned profile to group. FortiClient will automatically deploy on schedule time to windows machine.
If EMS deployment actually started on the endpoint, an installation log file is created in c:\Windows\FortiEMSInstaller.
You can check it in windows machine and verify the serial number is registered in Fortinet Support portal.
If you like posted article please like, share and comment.