Part 2 - EMS Installation and FortiClient Deployment

Captions
Welcome back to the second part of the FortiClient and Enterprise Management Server installation video series. In this episode I'm going to deploy and configure the Fortinet Enterprise Management Server, and we are going to use that server for pushing the FortiClient installation image to the endpoints.

So the first step is just to download the installation binary and then to launch it on our server. You can install the Enterprise Management Server on any domain-joined Windows host. It doesn't have to be on the Active Directory server or on the domain controller; it just needs to have access to Active Directory. And after the installation has finished, we can launch the application. When we log in for the first time with the admin user, the application will force you to change the password from the default empty. This is an EMS Enterprise Server 7.0.1.

So the next step is the licensing. We can just close this warning pop-up message and go to the Activate License to Enable Feature section, and we're going to use a Hardware ID to register it with our license. In order to register the license we need to log into the Fortinet support portal and then use the license key we received from Fortinet to register it. And once the registration is done, the system is going to ask you to add the Hardware ID. Let's just give it a name, the name of our new license file. I usually just call it with the hostname that I'm going to use for deployments. Copy the Hardware ID and paste it in this section, and it's going to generate a license file that will have that Hardware ID embedded, so that license file can only be used on the machine where we deployed the Enterprise Management Server with that Hardware ID, and that Hardware ID gets generated on

So after we have downloaded the license file, let's just go back and upload it as a file. Notice that it's going to change the serial number on the screen. It doesn't really matter much; it's just something that you can take note of.

The next step is to configure the EMS server. Let's just go to EMS Settings and enable a fully qualified domain name. As long as the EMS server can resolve the fully qualified domain name, we should be able to use it later when we deploy the clients. In the specific case we can, so we can type this FQDN. EMS is going to send you a warning that it has to restart the built-in web server for the change to take effect, so just accept that warning dialog, and once it has updated the server we can change the FortiClient download URL to the fully qualified domain name and save the change. Next is to go to FortiGuard Services and, if there is a closer server nearby to your location, change it from the default global, and also change the time zone to your correct one.

So right now we have pretty much finished the configuration of the EMS server with the default details. The next step is to start to create profiles for our FortiClient deployments. I'm going to create two profiles. One of them is for when the client is on the enterprise network, joined to the domain, to have a specific profile enabled. In that case we won't need VPN, so I'm just going to disable that section and then save the changes. And the next profile is going to be enabled when the client is off-net. So for the off-net profile I'm enabling the malware protection and the VPN. When the client is off-net and logs into the desktop, they should have this dialog enabled on the FortiClient so they can initiate an SSL VPN tunnel back to the enterprise through the corporate firewall. So I'm just creating this SSL VPN configuration. Now I'm specifying the gateway IP address, which is the public IP or FQDN of our firewall, and I'm changing the port to 10443. And that pretty much covers the SSL VPN configuration. And let's just save the changes.

So the next step is to tell the EMS when the specific profile should be deployed and how to detect whether the client is on-net or off-net. It's quite simple: we create an on-fabric detection rule. I just call it onnet_subnet, and I'm specifying a prefix that covers the enterprise internal network range. In that case it's just a /24 IP address range, and that will be deployed with the FortiClient to the endpoints. As long as the endpoint is part of that subnet, the FortiClient will enable the on-net profile. If the client is not part of that subnet, then it will enable the off-net profile.

Our next step is to join the EMS server to the domain so it should be able to collect all the objects on the domain. I'm just specifying the details, in this case I'm using the Administrator, and save the change. If all the details are correct, EMS will start to synchronize the objects from Active Directory. So it will detect two computer devices and 221 users on the domain, so we can expand the LDAP tree, and as you can see there is one computer and a server available for FortiClient deployment, but we only deployed the FortiClient on the Windows 10 computer.

Let's just create a new endpoint policy. I'm calling it Fortilab_policy. I'm specifying the on-net profile, and the off-net one for when the client is off-fabric (off-net) or not on the enterprise network, and the detection rule that would tell FortiClient what to use to find out when the client is running on the network or actually off-net. And I'm polling the computer object group for any computer where FortiClient can be deployed on. I'm saving the change, and the next step is to create a FortiClient installer. So I'm specifying which version I'm interested in deploying on the endpoints. It's 7.0.1.
I give it a name and I just leave everything on the default, so the FortiClient will be deployed with all these features enabled or available as long as the profile enables those options on the endpoints. And then click on Finish, and as you can see on the download link, that's the fully qualified domain name we are going to use, and that's what we changed in one of the previous steps. And if you expand that URL, the EMS server tells you what will be deployed. And if you go to that URL, then here you can find the deployment binaries. Under the msi is the bundle that will be deployed on the endpoints.

So the next step is to create a deployment point. I give it a name and I'm selecting the Computers object group where the client should be installed. And I'm using that FortiClient installer that I just created. It should be deployed without any user interaction, and I'm using a domain admin to push that client out to the endpoints. And that's it.

So let's just log into the Windows 10 desktop with Aaron Con and monitor the FortiClient deployment. If you go back to the EMS and expand all the endpoints, we can see those two computer objects available. We are deploying the FortiClient on Client01, and as you can see the deployment has been started, so let's just expand, and as you can see the progress is already at 60%. So let's go back to the client, and we should see the FortiClient icon popping up on the desktop just right now. It's all automated; there is no requirement from the client or from the admin to initiate the deployment. So the deployment is finished, and now we have a configured FortiClient running on the Windows 10 desktop. Let's just start the client, and as you can see at the bottom right, the client has already received the configuration from the EMS server. The configuration is the profile that we created in one of the previous steps.

Because the client is running within the enterprise, FortiClient could detect that the client is on-net, so it enables the specific relevant profile: the one without the SSL VPN configuration. We can go to the user details, and as you can see the FortiClient detected that the endpoint is on-fabric, or within the enterprise network. We can fill in some details on FortiClient to identify the user and check the notification part that will tell the user when the client received the new profile and signature updates. And the FortiClient has already updated the EMS server with the client details. So if we expand, then we should be able to see that it is popping up just right now with the information about the user access, user availability and details, and with some more information about the endpoint.

Thank you for watching, and I'll see you in the next part, part three.

If you have any suggestion to make Closed Captions better on these videos, please feel free to add it to the comment section. I appreciate that I speak with a heavy accent that can be hard to follow, but also, for some, listening to the presentation is not an option. I would like to make sure everyone can follow the topic without any unnecessary extra effort. Thank you.

Info
Channel: Mr IT
Views: 314
Keywords: FortiClient, EMS, Fortinet
Id: 1VbUILEmQKE
Length: 12min 58sec (778 seconds)
Published: Thu Oct 21 2021