Category Archives: FortiClient

FortiClient EMS – Enterprise Management Server

FortiClient EMS – Enterprise Management Server

FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It provides visibility across the network to securely share information and assign security profiles to endpoints. It is designed to maximize operational efficiency and includes automated capabilities for device management and troubleshooting.

FortiClient EMS is designed to meet the needs of small to large enterprises that deploy FortiClient on endpoints. Benefits of deploying FortiClient EMS include:

Communication Service Protocol Port
FortiClient endpoint registration File transfers TCP 8013 (default)
Computer browser service Enabled
Samba (SMB) service

l During FortiClient deployment, endpoints may connect to the FortiClient EMS server using the SMB service.

Enabled 445
Distributed Computing Environment / Remote Procedure Calls (DCE- RPC)

l The FortiClient EMS server connects to the endpoints using RPC for FortiClient deployment.

Enabled 135
Active Directory server connection When used as

a default connection

Windows HTTP TCP 80
  • Remotely deploying FortiClient software to Windows PCs.
  • Updating profiles for endpoint users regardless of access location, such as administering antivirus, web filtering, VPN, and signature updates.
  • Administering FortiClient endpoint registrations, such as accepting, deregistering, and blocking registrations. l Managing endpoints, such as status, system, and signature information. l Identifying outdated versions of FortiClient software.

Required services

You must ensure that required ports and services are enabled for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with clients and servers running associated applications.

FortiClient EMS – Enterprise Management Server

Communication Service Protocol Port
Internet Information Services (IIS) HTTPS TCP 443, 10443
SQL server

For more infomation about FortiClient EMS, including other requirements, installation, and management, see the FortiClient EMS Administration Guide.

FortiClient WAN optimization over IPsec VPN configuration example

FortiClient WAN optimization over IPsec VPN configuration example

This example shows how to add WAN optimization to a FortiClient IPsec VPN. The IPsec VPN tunnel allows remote FortiClient users to connect to the internal network behind the FortiGate unit.


Example FortiClient WAN optimization configuration

To configure the FortiGate unit

Because computers running FortiClient can have IP addresses that change often, it is usually not practical to add FortiClient peers to the FortiGate WAN optimization peer list. Instead, a FortiGate unit that accepts WAN optimization tunnel requests from FortiClient is usually configured to accept any peer. This example does this by adding a WAN optimization authentication group with Peer acceptance set to Accept Any Peer.

In addition this example includes a wanopt to internal policy to allow WAN optimization traffic reach the internal network. Finally passive WAN optimization is added to the ssl.root policy because WAN optimization is accepting traffic from the IPsec VPN tunnel.

1. Go to WAN Opt. & Cache > Authentication Groups and select Create New.

2. Configure the WAN optimization authentication group:


Name                                           auth-fc

Authentication Method            Certificate

Certificate                                   Fortinet_Firmware

Peer Acceptance                       Accept Any Peer

3. Select OK.

4. Go to WAN Opt. & Cache > Profiles and select Create New (select the + button).

5. Add a profile for FortiClient WAN optimization sessions:

Name                                           Fclient_Pro

Transparent Mode                    Select

Authentication Group              auth-fc


Category                                     Address

Address Name                           Internal-Server-Net

Type                                            IP Range

Subnet / IP Range           

Interface                                     internal

9. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections.

configure firewall explicit-proxy-policy edit 0

set proxy wanopt

set dstintf internal set srcaddr all

set dstaddr all set action accept set schedule always set service ALL

next end


To set up IPsec VPN to support WAN optimization

1. Go to VPN > IPsec Wizard, enter a Name for the IPsec VPN and select Dialup – FortiClient (Windows, Mac OS, Android).

2. Follow the wizard steps to configure the VPN. No special WAN optimization settings are required.

3. Go to Policy & Objects > IPv4 Policy and edit the policy created by the wizard.


This policy has the IPsec VPN interface created by the wizard as the source interface.

4. Turn on WAN Optimization and configure the following settings:


Enable WAN Optimization       passive

Passive Option                          default

5. Select OK.


To configure FortiClient and start the WAN optimization SSL VPN connection

1. Open FortiClient, configure Advanced settings, and select Enable WAN optimization.

2. Add a new IPsec VPN connection.


Set the Server to the WAN1 IP address of the FortiGate unit ( in this example).

No other settings are required for this example. You can add authentication in the form of a user name and password if required by the FortiGate unit.

3. Start the IPsec VPN tunnel.


You should be connected to the IPsec VPN tunnel and traffic in it should be optimized.

FortiClient WAN optimization

FortiClient WAN optimization

FortiClient WAN optimization supports protocol optimization and byte caching in IPsec VPN and SSL VPN tunnels between FortiClient and a FortiGate unit. To add WAN optimization to FortiClient, configure FortiClient Advanced settings and enable WAN optimization. This setting can then apply WAN optimization to any IPsec or SSL VPN tunnel between FortiClient and FortiGate, if the FortiGate IPsec or SSL VPN configuration also includes WAN optimization.

When FortiClient with WAN optimization enabled attempts to connect a server-side FortiGate unit, FortiClient automatically detects if WAN optimization has been added to the FortiGate tunnel configuration. If WAN optimization is detected and FortiClient can successfully negotiate with the FortiGate unit, WAN optimization starts.


FortiClient WAN optimization topology

FortiClient WAN optimization

FortiClient WAN optimization

PCs running the FortiClient application are client-side peers that initiate WAN optimization tunnels with server- side peer FortiGate units. However, you can have an ever-changing number of FortiClient peers with IP addresses that also change regularly. To avoid maintaining a list of such peers, you can instead configure WAN optimization to accept any peer and use authentication to identify FortiClient peers.

Together, the WAN optimization peers apply the WAN optimization features to optimize the traffic flow over the WAN between the clients and servers. WAN optimization reduces bandwidth requirements, increases throughput, reduces latency, offloads SSL encryption/decryption and improves privacy for traffic on the WAN.

For more details, see FortiClient WAN optimization on page 2904.

Linux FortiClient Download

Just a heads up, a lot of people only deal with one specific operating system in their environments (Fortinet dumps a lot of their investment into the development of Windows applications because of the market share). Just in case you haven’t found it, Fortinet provides downloads to the Mac OS and Linux OS FortiClient applications in the firmware download locations of their support site. (VPN folder within the selected firmware folder).

Hopefully, this helps some of you out if you are in need!

FortiClient Issues With Mac OS Sierra

A client of mine stumbled across this issue and after some digging it appears to be fairly common. In my experience, FortiClient tends to have more issues with Mac OS in general. For this particular problem though I have had success by rolling back the FortiClient. Downloading the latest from FortiClient tends to be the spot where most people run into issue. Not sure what it is about the older versions that work versus the new one but it is an obvious bug.

If you are sitting around waiting for it to be resolved I wouldn’t get your hopes up. Fortinet tends to be a little slower resolving MAC related issues with the FortiClient software when compared to Windows etc…..guess we can chalk that up to market share.

Anyways, roll back your client to an earlier version and see if that resolves the issue for you. I would give you a specific version to roll to but it seems to vary from environment to environment.

Thing To Remember: Sierra is brand new, so the issues, obviously, may not be on the FortiClient side (at least not completely).