End Point Management

FortiClient EMS

The EMS is a new product from Fortinet for businesses to manage their endpoints. It runs on a Windows Server, not requiring a physical Fortinet device. Administrators may use it to gain insight into the status of their endpoints.

For information on FortiClient EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Configuring endpoint registration over a VPN

FortiGate/EMS can register FortiClient-equipped endpoints over either an interface-based IPsec VPN or a tunnel-mode SSL VPN. After the user authenticates, the FortiGate/EMS sends the FortiClient application the IP address and port to be used for registration. If the user accepts the invitation to register, registration proceeds and the FortiClient profile is downloaded to the client.

Users without FortiClient Endpoint Security connecting to the SSL VPN through a browser can be redirected to a captive portal to download and install the FortiClient software. The security policy must enable Compliant with FortiClient Profile and disable Captive Portal Exempt.

Endpoint registration on an IPsec VPN

You can enable endpoint registration when you configure the FortiClient VPN or you can enable it on an existing FortiClient VPN.

To enable endpoint registration while configuring the VPN (FortiGate):

Enable Allow Endpoint Registration on the Network page of the VPN Wizard when creating the FortiClient VPN.

To enable endpoint registration on an existing VPN (FortiGate):

  1. Go to System > Network > Interfaces and edit the VPN’s tunnel interface. The tunnel is a subinterface of the physical network interface.
  2. In Administrative Access, make sure that FCT-Access is enabled.
  3. Select OK.

Endpoint registration on the SSL VPN

To enable endpoint registration on the SSL VPN (FortiGate):

  1. Go to VPN > SSL-VPN Portal.
  2. Make sure Enable Tunnel Mode is enabled.
  3. Optionally, enable Include FortiClient Download. Users who access the VPN with a browser will be able to download FortiClient Endpoint Security for their device.
  4. Select Apply.

Remembered FortiGate/EMS

FortiClient 5.0.1 or later adds the option to remember up to 20 FortiGate/EMS when accepting the broadcast registration message. FortiClient can remember and register to multiple FortiGate/EMS devices. This feature enables users to move freely between office locations and register conveniently to each FortiGate/EMS.

When prompted to enter a registration key, FortiClient can remember the registration password.

Select the user name in the console to view information about the current registered device including the IP address, serial number, endpoint user, domain, and hostname.

Forget a remembered FortiGate/EMS:

  1. In the FortiClient console, click on the registered device name to display the registration dialog box.
  2. Select Show Remembered FortiGate/EMS to show a list of FortiGate/EMS that FortiClient has previously registered with.
  3. Select Forget next to the device that you would like to remove from the remembered list.

When selecting to forget a FortiGate/EMS, FortiClient will not automatically register to the FortiGate when re-connecting to the network. When the device is detected, you will be prompted to accept registration.

Unregister from FortiGate/EMS:

  1. In the FortiClient console, click on the registered device name to display the registration details. The Registration dialog box opens.
  2. Select Unregister in the registration dialog box. A confirmation dialog box is displayed.
  3. Select Yes to unregister FortiClient from the FortiGate selected.

When selecting to unregister from FortiGate, FortiClient will automatically register with the FortiGate when re-connecting to the network. To prevent this behavior, you must select to Forget the device.

Roaming clients (multiple redundant gateways) example

The following figure illustrates three corporate FortiGate networks. The FortiGates can reach each other over a WAN network. FortiClient can only reach one FortiGate at a time. FortiClient may connect directly to the FortiGate or through a NAT device.

Roaming clients topology

If FortiClient connects through a NAT device to the FortiGate, do not enforce endpoint control compliance on the FortiGate.

On each of the three FortiGate devices configure the following:

  • Interface IP addresses
  • FortiClient profile
  • Device identification in the interface
  • FortiClient profile in the applicable firewall policy
  • Endpoint control synchronization

Endpoint control synchronization allows you to synchronize endpoint control for multiple FortiGate devices. To enable endpoint control synchronization via the CLI enter the following commands on your FortiGate:

config endpoint-control forticlient-registration-sync
    edit 1
        set peer-ip 172.20.52.19
    next
    edit 2
        set peer-ip 172.22.53.29
    next
end

The IP addresses set for the peer-ip field are the WAN IP addresses for each of the FortiGate devices in the synchronization group.

You need to add the following XML configuration to FortiClient for this synchronization group. Modify the configuration file to add the following:

<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>

The IP addresses are the internal IP addresses for each of the three FortiGates in the synchronization group. FortiClient can reach any of these IPs, one at a time.

If the three FortiGate devices share the same DNS name, use the following XML configuration:

<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Fortinet Americas</name>
        <addresses>fct_americas.fortinet.com</addresses>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>

The DNS server should return one reachable FortiGate IP address for the domain name used.

You will need to manually add FortiClient to the synchronization group when FortiClient initially registers with the FortiGate. Once added, no further action is required.

On your FortiGate, use the following CLI command to list all registered FortiClient endpoints:

diagnose endpoint registration list registered-forticlients

FortiClient #1 (0):
    UID = BE6B76C509DB4CF3A8CB942AED200000
    vdom = root
    status = registered
    registering time = Fri May 2 15:00:07 2014
    registration expiry time = none
    source IP = 172.172.172.111
    source MAC = b0:ac:6f:70:e0:a0
    user = user
    host OS = Microsoft Windows 7 , 64-bit
    restored registration = no
    remote registration = yes
    registration FGT = FGT60C3G11000000
Total number of licences: 10
Total number of granted licenses: 1
Total number of available licences: 9

The remote registration entry indicates whether this specific FortiClient is registered to this FortiGate, or to another FortiGate within the synchronization group.

If any of the FortiGate devices require a password to complete registration, you can use the following XML configuration to provide password information to FortiClient:

<forticlient_configuration>
  <endpoint_control>
    <!-- List of redundant FortiGates, since 5.0.2 -->
    <fortigates>
      <fortigate>
        <name>Corporate Network</name>
        <addresses>10.18.51.9;10.20.52.19;10.22.53.29</addresses>
        <registration_password>uNbre@kab1e</registration_password>
      </fortigate>
    </fortigates>
  </endpoint_control>
</forticlient_configuration>
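As an added example (not code from the guide or from Fortinet), the Python below builds the `<forticlient_configuration>` fragment shown in the three XML snippets above, for both the IP-list and the shared-DNS-name case, and reads a fragment back so a deployed configuration can be audited for unexpected gateways. The address validation rule and the function names are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def valid_address(addr: str) -> bool:
    """Accept an IPv4/IPv6 literal or a DNS name (labels of letters, digits, '-', '_')."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        pass
    labels = addr.split(".")
    return all(label and label.replace("-", "").replace("_", "").isalnum()
               for label in labels)


def build_fortigates_xml(name: str, addresses: List[str],
                         registration_password: Optional[str] = None) -> str:
    """Build the <forticlient_configuration> fragment for one group of redundant
    FortiGates. Addresses are joined with ';' exactly as the guide's examples do."""
    bad = [a for a in addresses if not valid_address(a)]
    if bad:
        raise ValueError("invalid FortiGate address(es): %s" % bad)
    root = ET.Element("forticlient_configuration")
    ec = ET.SubElement(root, "endpoint_control")
    ec.append(ET.Comment(" List of redundant FortiGates, since 5.0.2 "))
    fgt = ET.SubElement(ET.SubElement(ec, "fortigates"), "fortigate")
    ET.SubElement(fgt, "name").text = name
    ET.SubElement(fgt, "addresses").text = ";".join(addresses)
    if registration_password is not None:
        # The registration key is written in cleartext, so the resulting file
        # must be access-controlled like any other credential store.
        ET.SubElement(fgt, "registration_password").text = registration_password
    return ET.tostring(root, encoding="unicode")


def fortigate_addresses(xml_text: str) -> Dict[str, List[str]]:
    """Map each <fortigate> name to its address list; useful when auditing a
    deployed FortiClient configuration for stale or unexpected gateways."""
    result: Dict[str, List[str]] = {}
    for fgt in ET.fromstring(xml_text).iter("fortigate"):
        addrs = fgt.findtext("addresses", default="")
        result[fgt.findtext("name", default="")] = [a for a in addrs.split(";") if a]
    return result
```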

View FortiClient registration in the FortiGate GUI or EMS

You can view all registered FortiClient agents in the FortiGate GUI or EMS.

On FortiGate, each new registration will be automatically added to the device table. To view registered devices go to User & Device > Device List. The state for the new FortiClient registration is listed as Registered. Alternatively, go to Monitor > FortiClient Monitor.

To view registered endpoints in EMS, select Workgroups > All Groups.

Configure the FortiGate/EMS IP address in FortiClient for registration

The FortiClient administrative user can specify a FortiGate/EMS IP address for registration and client configuration management. When an unregistered FortiClient starts up, FortiClient will list all reachable FortiGate/EMS for endpoint control registration in the registration drop-down list. The list will include any FortiGate/EMS that sends endpoint control broadcasts. Select the registration button in the FortiClient console to list discovered FortiGate/EMS. Any IP address provided in the Settings page under the Registration element is included in the list.

To configure a FortiGate/EMS IP address in FortiClient, select the Register Endpoint button in the FortiClient console. In the Specify Address field, enter the IP address and port number (if required) of the FortiGate/EMS’s internal interface, and select the Go icon.

Enable FortiClient endpoint registration key password (optional)

You can configure a registration key password for FortiClient endpoint registration to FortiGate devices. Upon registering to FortiGate/EMS, the user will need to enter the registration key password before registration can be completed.

Enable registration key password requirement on registration (FortiGate):

  1. On your FortiGate device, go to System > Config > Advanced.
  2. Under FortiClient Endpoint Registration, select Enable Registration Key for FortiClient and enter a registration key password.
  3. Select Apply to save the setting.

Alternatively, you can configure this via the CLI. On your FortiGate device, go to System > Dashboard > Status. Enter the following CLI command in the CLI Console widget:

config endpoint-control settings
    set forticlient-key-enforce enable
    set forticlient-reg-key <password>
end

  4. When FortiClient users attempt to register with FortiGate, they will receive the Registering to FortiGate dialog box. The user will need to enter the registration key password you configured before they can register to FortiGate.

Enable registration key password requirement on registration (EMS):

  1. On your EMS, select View > Endpoint Registration IP List.
  2. Edit an existing list, or select Add to create a new list.
  3. Enable Registration Key, enter the key, then confirm the key. FortiClient will use that key to register to FortiGates on the list.
  4. Select Save to save your changes.

Display or hide the FortiClient profile details

You can select to display or hide the FortiClient profile details in the Registering to FortiGate page. When disabled, the user will not be able to view the profile details prior to completing registration to FortiGate.

To display or hide the FortiClient profile details:

  1. On your FortiGate device, go to System > Dashboard.
  2. Enter the following CLI command in the CLI Console widget:

config endpoint-control profile
    edit <profile name>
        config forticlient-winmac-settings
            set view-profile-details {enable | disable}
        end
end

Update FortiClient registration license on FortiGate

To update the FortiClient registration license on FortiGate, use the following CLI command:

execute FortiClient-NAC update-registration-license <license key/activation code>

Endpoint registration with AD user groups

The user’s AD domain name and group are both sent to the FortiGate/EMS during endpoint registration. Administrators may configure the FortiGate/EMS to deploy endpoint and/or firewall profiles based on the end user’s AD domain group.

The following steps are discussed in more detail:

  • Configure users and groups on your AD server
  • Configure your FortiAuthenticator
  • Configure your FortiGate/EMS
  • Connect to the FortiGate/EMS using FortiClient endpoint
  • Monitoring client registrations

Configure users and groups on your AD server

Create the user accounts and groups on the AD server. Groups may have any number of users. A user may belong to more than one group at the same time.

Configure your FortiAuthenticator

Configure FortiAuthenticator to use the AD server that you created. For more information see the FortiAuthenticator Administration Guide in the Fortinet Document Library.

Configure your FortiGate/EMS

FortiGate

Add the FortiAuthenticator or Fortinet Single Sign-On Agent (FSSO):

  1. Go to User & Device > Single Sign-On.
  2. Select Create New in the toolbar. The New Single Sign-On Server window opens.
  3. In the type field, select Fortinet Single-Sign-On Agent.
  4. Enter the information required for the agent. This includes the name, primary and secondary IP addresses, and passwords. Select an LDAP server in the drop-down list if applicable. Select More FSSO agents to add up to three additional agents.
  5. Select OK to save the agent configuration.

Create a user group:

  1. Go to User & Device > User Groups.
  2. Select Create New in the toolbar. The New User Group window opens.
  3. In the type field, select Fortinet Single-Sign-On (FSSO).
  4. Select members from the drop-down list.
  5. Select OK to save the group configuration.

Configure the FortiClient profile:

  1. Go to Security Profiles > FortiClient Profiles.
  2. Select Create New in the toolbar. The New FortiClient Profile window opens.
  3. Enter a profile name and optional comments.
  4. In the Assign Profile To drop-down list select the FSSO user group(s).
  5. Configure FortiClient configuration deployment as required.
  6. Select OK to save the new FortiClient profile.

Create any number of FortiClient profiles with different groups and different settings. The default profile will be assigned to users who register successfully but have no matching FortiClient profile.

Configure the firewall policy:

Configure the firewall policy as described in Configure endpoint management on page 39. Ensure that Compliant with FortiClient Profile is selected in the policy.

EMS

Add a new domain:

  1. Under the Endpoints heading, in the Domains section, select Add a new domain. The Domain Settings window opens.
  2. Enter the domain information as required.
  3. Select Test to confirm functionality, then, if successful, select Save to add the domain.

The domain groups will automatically be populated in the Workgroups section under the Endpoints heading.

For more information, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.

Connect to the FortiGate/EMS using FortiClient endpoint

The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may log in with their domain user name.

Following this, FortiClient endpoint registrations will send the logged-in user’s name and domain to the FortiGate/EMS. The FortiGate/EMS will assign the appropriate profiles based on the configurations.

Monitoring client registrations

The following FortiOS CLI command lists information about registered clients. This includes domain-related details for the client (if any).

diagnose endpoint record-list

Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
Host MAC_Address = b0:ac:6f:70:e0:a0
MAC list = b0-ac-6f-70-e0-a0;
VDOM = root
Registration status: Forticlient installed but not registered
Online status: offline
DHCP on-net status: off-net
DHCP server: None
FCC connection handle: 6
FortiClient version: 5.1.29
AVDB version: 22.137
FortiClient app signature version: 3.0
FortiClient vulnerability scan engine version: 1.258
FortiClient feature version status: 0
FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
FortiClient config dirty: 1:1:1
FortiClient KA interval dirty: 0
FortiClient Full KA interval dirty: 0
FortiClient server config: d9f86534f03fbed109676ee49f6cfc09::
FortiClient config: 1
FortiClient iOS server mconf:
FortiClient iOS mconf:
FortiClient iOS server ipsec_vpn mconf:
FortiClient iOS ipsec_vpn mconf:
Endpoint Profile: Documentation
Reg record pos: 0
Auth_AD_groups:
Auth_group:
Auth_user:
Host_Name:
OS_Version: Microsoft Windows 7 , 64-bit Service Pack 1 (build 7601)
Host_Description: AT/AT COMPATIBLE
Domain:
Last_Login_User: FortiClient_User_Name
Host_Model: Studio 1558
Host_Manufacturer: Dell Inc.
CPU_Model: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz
Memory_Size: 6144
Installed features: 55
Enabled features: 21
online records: 0; offline records: 1
status — none: 0; uninstalled: 0; unregistered: 1; registered: 0; blocked:]
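The Python below is an added example, not part of the guide: it parses record-list output of the shape shown above and flags endpoints that need follow-up (not registered, offline, or running an old FortiClient). It assumes the literal status strings "registered" and "online" for healthy endpoints; Record #1 in the sample reuses the page's values and Record #2 is constructed for contrast.

```python
from typing import Dict, List, Tuple

# Constructed sample in the shape of `diagnose endpoint record-list` output.
# Record #1 reuses the guide's values; Record #2 is invented for contrast.
SAMPLE_OUTPUT = """\
Record #1:
IP_Address = 172.172.172.111(1)
MAC_Address = b0:ac:6f:70:e0:a0
Registration status: Forticlient installed but not registered
Online status: offline
FortiClient version: 5.1.29
FortiClient UID: BE6B76C509DB4CF3A8CB942AED2064A0 (0)
Host_Name:
Record #2:
IP_Address = 10.18.51.45(1)
MAC_Address = 00:11:22:33:44:55
Registration status: registered
Online status: online
FortiClient version: 5.2.3
FortiClient UID: 0123456789ABCDEF0123456789ABCDEF (0)
Host_Name: WS-EXAMPLE-01
"""


def parse_record_list(text: str) -> List[Dict[str, str]]:
    """One dict per 'Record #N:' block; fields come as 'Key = value' or 'Key: value'."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Record #") and line.endswith(":"):
            records.append({"record": line[len("Record #"):-1]})
        elif records and " = " in line:
            key, value = line.split(" = ", 1)
            records[-1][key.strip()] = value.strip()
        elif records and ":" in line:
            key, value = line.split(":", 1)
            records[-1][key.strip()] = value.strip()
    return records


def find_noncompliant(records: List[Dict[str, str]],
                      min_version: Tuple[int, ...] = (5, 2, 0)) -> List[Tuple[str, List[str]]]:
    """Return (UID, reasons) for endpoints that are not registered, not online,
    or below min_version. 'registered'/'online' literals are an assumption."""
    flagged = []
    for r in records:
        reasons = []
        if r.get("Registration status", "").lower() != "registered":
            reasons.append("not registered")
        if r.get("Online status", "").lower() != "online":
            reasons.append("offline")
        version = tuple(int(p) for p in r.get("FortiClient version", "0").split(".") if p.isdigit())
        if version < min_version:
            reasons.append("FortiClient %s below minimum" % r.get("FortiClient version", "?"))
        if reasons:
            flagged.append((r.get("FortiClient UID", "?").split()[0], reasons))
    return flagged
```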



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “End Point Management”

  1. Mr-Pop-Up

    My Windows 10 is nagging me for updates. I mean, my FortiClient antivirus wants to update, and then Windows comes up with the UAC pop-up. I know I can calm down the UAC, still, I would just like to tell FortiClient how often I would like it to update. For example, once in 24 hours would be OK. However, it asks for updating about each hour or so. Is there a way to set an update frequency, i.e. how often it asks for updates, please?
    P.S. If I asked in the wrong place, where would it be better to ask?
