Deploying EMS as a VM image

You can deploy EMS as a virtual machine (VM) image on VMware ESXi, KVM, Microsoft Hyper-V, and Oracle VirtualBox hypervisors. EMS provides Ubuntu-based VM images for x86_64 and ARM architectures. However, regular OS maintenance is still required.

The VM image includes some OS hardening modifications as follows:

• Unneeded users are removed:
  • games
  • man
  • news
  • uucp
  • proxy
  • backup
  • list
  • irc
  • gnats
  • uuidd
  • mail
  • lp
  • nobody
  • tss
  • landscape
  • fwupd-efresh
  • usbmux
  • lxd
• The forticlientems user, which runs EMS processes, has no login.
• Only the ems user has SSH access.
• Firewall is enabled and only the following ports are enabled by default (see Required services and ports for a full list of required ports):

  TCP port	Usage
  22	SSH access to EMS VM or server
  4001	Send zero trust network access certificates to mobile device management endpoints
  8013	Telemetry
  8015	Send updates to FortiOS
  8443	Provision profiles to Chromebooks
  8871	Connection to remote Active Directory connector
  80 443 10443 9443	EMS GUI and APIs

• On first login, EMS requires changing the password for the ems user.

This topic contains instructions for deploying EMS as a VM as follows:

• VMware ESXi
• KVM
• Proxmox
• Hyper-V
• VirtualBox
• Configuring the IP address
• Configuring the search domain
• Upgrading OS packages
• Recovering FortiClient EMS VM password
• Adding and expanding disks on EMS VMs

For instructions about upgrading your EMS VM to 7.4.7, see Upgrading from an earlier FortiClient EMS version. For instructions about HA deployment for your EMS VMs, see Setting up HA for EMS VM appliances.

VMware ESXi

To deploy EMS on VMware ESXi:

1. Click Create/Register VM.

2. Select Deploy a virtual machine from an OVF or OVA file. Click Next.

   

3. Enter the VM name and upload the OVA file. Click Next.

   

4. Configure the VM.

5. Click Finish.

6. Review the configuration and start the VM. When the VM boot completes, the OS logon page displays.

7. Log in to the VM. The default credentials are:

   • Username: ems

   • Password: ems

   EMS requires you to change these credentials upon first login.

8. Change the default password when prompted.

9. Access the EMS GUI using the VM IP address or FQDN. See Starting FortiClient EMS and logging in.

KVM

To deploy EMS on KVM:

1. Set up QEMU or KVM on a Linux host.

2. Copy the forticlientems_vm qcow2 image under /var/lib/libvirt/images/.

3. Run the following command to initialize the virtual machine with the FortiClient EMS image:

   sudo virt-install --name EMS_VM --memory 4096 --vcpus 2 --disk path=/var/lib/libvirt/images/forticlientems_vm.7.4.7.2194.M.qcow2,format=qcow2 --import --os-variant generic --network bridge=virbr0 --graphics none Copy

   You can change the configuration in the command as needed.

   

4. Log in to the VM.

   The default credentials are: Username: ems Password: ems

   

5. Access the EMS GUI using the VM IP address or FQDN. See Starting FortiClient EMS and logging in.

Proxmox

To deploy EMS on Proxmox:

1. Download the EMS KVM image files and copy them to Proxmox:
   1. Log in to the Fortinet Support Portal and select Support > Firmware Download from the top menu.
   2. From the Select Product dropdown list, select FortiClientEMS.
   3. On the Download tab, go to v.700 > 7.4 > 7.4.7.
   4. Download the qcow2.zip file and extract it.
   5. Copy forticlientems_vm.7.4.7.2194.M.qcow2 onto a Proxmox node. Typically, you can use the secure copy protocol (SCP). The following shows an example of using scp forticlientems_vm.7.4.7.2194.M.qcow2 root@proxmox.test.local:/root/ forticlientems_vm.7.4.7.2194.M.qcow2 to copy the forticlientems_vm.7.4.7.2194.M.qcow2 file to the Proxmox node at proxmox.test.local. Edit the node address, which may be an IP address or FQDN, to match your Proxmox environment. The example also assumes that you are running the command as the root user and copying the file to the root user home directory at /root:

      C:\Users\adm\Downloads\forticlientems_vm.7.4.7.2194.M.qcow2>scp forticlientems_vm.7.4.7.2194.M.qcow2 root@proxmox.test.local:/root/forticlientems_vm.7.4.7.2194.M.qcow2
      root@192.168.1.2's password:
      forticlientems_vm.7.4.7.2194.M.qcow2                                                     11% 1134MB  89.8MB/s   01:35 ETA
       Copy

      You can get a qcow2 image onto a Proxmox node in various ways. The example uses SCP on the command line. You can use a GUI SCP client, such as WinSCP on Windows or ForkLift on macOS. If you have file transfer protocol set up on your Proxmox node, you can use that as well. Use the method that you are comfortable with.

2. Deploy the EMS VM into Proxmox:
   1. In the Proxmox GUI, select the node you copied the EMS image to and click Create VM.

      

   2. In the Create: Virtual Machine dialog, change the VM ID value if desired. Note this ID value as you use it later. In the Name field, give the VM a useful name. Click Next.

      You may find it useful to add the EMS version number to the end of your VM name.

   3. In the OS tab, select Do not use any media. Leave Type and Version at their defaults of Linux and 6.x - 2.6 Kernel, respectively. Click Next.
   4. In the System tab, leave the default values and click Next.
   5. In the Disks tab, by default, you see an entry for one SCSI disk named scsi0. Click the trashcan icon to delete this disk. You see No Disks displayed. Click Next.
   6. Set the CPU and RAM tab values per the minimum EMS system requirements. See Management capacity.
   7. In the Network tab, deselect Firewall and leave the rest of the options at their defaults. Click Next.
   8. In the Confirm tab, ensure Start after created is not selected. Note the vmid value as you use it later. Click Finish to build the VM.

      

3. Import the qcow2 image into the EMS VM:
   1. After some seconds, you see the new VM in the left sidebar with the configured VM ID and name. Select the newly created VM and click Hardware in the middle pane. Note the presence of one network interface named net0 and the lack of disks.
   2. Select the Proxmox node in the left sidebar and click Shell entry in the middle pane. After the shell appears, type pwd to ensure you are in the /root folder and then type ls to display the directory contents. You see the forticlientems.qcow2 image file copied over earlier.
   3. To import the forticlientems_vm.7.4.7.2194.M.qcow2 image into your newly created VM, use the qm disk import command: qm disk import <vmid> forticlientems_vm.7.4.7.2194.M.qcow2 <storage device name>. You must adjust the command to match your configured VM ID and the storage device name of choice. By default, Proxmox creates a local and local-lvm storage device when it is installed. The example uses a VM ID of 101 and the local-lvm storage device. Note the disk name when the command finishes. In the example, the disk name is local-lvm:vm-101-disk-0'. See the following example:

      root@pve:~# qm disk import 101 forticlientems_vm.7.4.3.1926.qcow2 local-lvm
      importing disk 'forticlientems_vm.7.4.3.1926.qcow2' to VM 101 ...
        Logical volume "vm-101-disk-0" created.
      transferred 0.0 B of 80.0 GiB (0.00%)
      transferred 827.4 MiB of 80.0 GiB (1.01%)
      […]
      transferred 80.0 GiB of 80.0 GiB (100.00%)
      unused0: successfully imported disk 'local-lvm:vm-101-disk-0'
       Copy

   4. Select the EMS VM in the left sidebar and click Hardware in the middle pane. Note the newly imported disk. At this point, it shows as Unused Disk 0.

      

4. Add a boot disk to the EMS VM:
   1. Select Unused Disk 0 and click Edit.
   2. The Add: Unused Disk dialog appears. Accept the defaults and click Add. Note the newly added Hard Disk (scsi0) is now mapped to the local-lvm:vm-107-disk-0 created earlier.

      

5. Verify the boot order:
   1. To verify the boot order, select the EMS VM in the left sidebar and click Options in the middle pane. Select Boot Order and click Edit. Alternately, you can double-click Boot Order.
   2. The Edit: Boot Order dialog appears. Use the selector icons to drag and drop scsi0 to the top of the list and ensure Enabled for that entry is selected.

      

6. Select the EMS VM in the left sidebar and select Console in the middle pane. Click Start at the top or Start Now in the middle of the console.
7. The EMS VM starts to boot. After the reboot, the standard EMS login prompt displays. Log in with a username of ems and password ems. You are prompted to change the password and presented with the EMS shell prompt.

   

Hyper-V

To deploy EMS on Hyper-V:

1. Open the new VM wizard and define a name for the VM. Click Next.
2. In Specify Generation, select Generation 1. Click Next.

   

3. In Assign Memory, configure the required and memory settings.
4. In Connect Virtual Hard Disk, select Use an existing virtual hard disk. In Location, browse to and select the forticlientems_vm.7.4.7.2194.M.vhdx file. Click Finish. If desired, you can edit the configuration after the VM is created, such as modifying the number of virtual processors.

   

5. Start the VM.
6. After bootup, log in using the default credentials:
   • Username: ems
   • Password: ems

VirtualBox

To deploy EMS on VirtualBox:

1. Open the new VM wizard and define a name for the VM. Click Next.
2. In Hardware, configure the required hardware settings.
3. In Hard Disk, select Use an Existing Virtual Hard Disk File. Browse to and select the forticlientems_vm.7.4.7.2194.M.vmdk file. Click Finish. If desired, you can edit the configuration after the VM is created, such as modifying the number of virtual processors.

   

4. Start the VM.
5. After bootup, log in using the default credentials:
   • Username: ems
   • Password: ems

   

Configuring the IP address

To configure the IP address after deploying EMS as a VM:

system set network ip --adapter=<adapter name> --ip=<IP/subnet> --gateway=<gateway IP> --dns=<dns address> Copy

For example:

system set network ip --adapter=ens160 --ip=10.0.0.5/24 --gateway=10.0.0.1 --dns=8.8.8.8	 Copy

See system set network ip for more information.

To verify the IP configuration:

system get info Copy

Configuring the search domain

You can configure the search domain to allow access to local DNS records for the EMS server. To do so:

system set network domain Copy

See system set network domain for more information.

Upgrading OS packages

You may want to upgrade the underlying operating system packages (such as OS libraries, security patches, and system dependencies) used by EMS VM in the following scenarios:

• Vulnerability scanners or internal security assessments identify OS-level CVEs on the EMS host.
• Fortinet Technical Support advises updating OS packages to resolve a known issue or vulnerability.

• OS package upgrade is require as part of regular system maintenance or patch management cycles where changes are validated and controlled.

OS package upgrades are not expected to affect EMS functionality. However, because EMS relies on underlying OS components, Fortinet cannot guarantee compatibility with all future upstream package changes that are outside EMS release validation. EMS upgrades provided by Fortinet include validated dependencies. However, not all OS-level security patches are bundled with EMS releases.

To upgrade OS packages on the EMS VM, use the emscli execute upgrade package command:

• To upgrade a specific package, use the --package option followed by the package name. For example:

  emscli execute upgrade package --package pkgname Copy

• To upgrade all underlying operating system packages used by EMS (that are pending upgrade) on your EMS VM:

  1. Perform a full backup of your EMS (both configuration and database).

  2. Schedule a maintenance window to avoid service disruption.

  3. Verify sufficient disk space is available.

  4. Run the following command:

     emscli execute upgrade package --all Copy

  5. After the OS upgrade, validate all EMS services, such as GUI access, endpoint connectivity, services, etc.

Recovering FortiClient EMS VM password

FortiClient EMS VM users can recover the EMS VMs if they forget the password for the "ems" user. See Appendix C - FortiClient EMS VM password recovery for detailed instructions about EMS VM password recovery on different platforms.

Adding and expanding disks on EMS VMs

By default, EMS VMs includes the minimum disk size required for EMS startup. You can provision more disk space during or after the EMS VM deployment process using the management tools of the virtualization platform by following the virtualization platform-specific documentation.

Once a new disk is added to your VM, you can then prepare the disk to be used by the EMS VM using the emscli lvm commands.

• execute lvm add-disk - adds a physical disk to the logical volume

• execute lvm expand-disk - expands the physical disk partition

• execute lvm expand-volume - expands the disk logical volume size

• execute lvm info - shows info from the disks and logical volume

Example:

The following shows an example of the full workflow of adding physical disk to the EMS VM:

1. Check the current status of the system (using the system get info command):

   system get info Copy

   Example output:

   ems@fcems-server $> system get info
   EMS Version: 7.4.5.2085 Interim
   FIPS Enabled: no
   OS Version: Ubuntu 24.04.3 LTS
   Hostname: fcems-server
   Linux Kernel: 6.8.0-87-generic
   RAM: 18GiB (15.67% used)
   CPU: 8 Cores
   Disk(s):
    \-> /run (tmpfs) 191M (1% used)
    \-> / (/dev/mapper/ubuntu--vg-ubuntu--lv) 77G (19% used)
    \-> /dev/shm (tmpfs) 951M (1% used)
    \-> /run/lock (tmpfs) 5.0M (0% used)
    \-> /boot (/dev/sda2) 2.0G (6% used)
    \-> /run/user/1000 (tmpfs) 191M (1% used)
   IP(s):
    \-> lo: 127.0.0.1/8
    \-> eth0: 172.21.161.250/20
   Air-gapped: no Copy

   The example shows a disk "/dev/mapper/ubuntu--vg-ubuntu--lv" with 77 GB of capacity where 19% is in use. This is the main part of the volume of the VM and is used by the EMS application. It also shows some other disks and volumes with size and usage information, such as the boot disk : "/boot (/dev/sda2) 2.0G (6% used)".

2. Check the current status of disks and logical volumes in the EMS VM (using the execute lvm info command):

   execute lvm info Copy

   Example output:

   ems@fcems-server $> execute lvm info
   Disk: sda,
    \->Total Size=78.0G,
    \->Partitioned=78.0G
   Volume:
    \->Allocated=78.0G,
    \->Free=0.0G Copy

   The example shows that the main disk is identified as "sda" with a total physical size of 78 GB. The physical disk is completely partitioned and fully allocated to the EMS application volume with no expansion possibility (Free=0.0G).

3. Add 10 GB physical disk to the VM using the virtualization platform management tools by following the platform-specific documentation.

4. Check the current status of disks and logical volumes in the EMS VM again:

   execute lvm info Copy

   Example output:

   ems@fcems-server $> execute lvm info
   Disk: sda,
    \->Total Size=10.0G,
    \->Partitioned=0.0G-Disk should be added to logical volume.
   Disk: sdb,
    \->Total Size=78.0G,
    \->Partitioned=78.0G
   Volume:
    \->Allocated=78.0G,
    \->Free=0.0G			 Copy

   Note that the disk previously identified as "sda" is renamed "sdb" while the new disk is identified as "sda" with a total size of 10 GB that is not partitioned to the VM logical volume yet.

5. Add the "sda" physical size (10 GB) to the logical volume using the command execute lvm add-disk:

   execute lvm add-disk --disk.name sda Copy

6. Verify that the volume has grown from 78 GB to 88 GB:

   ems@fcems-server $> execute lvm info
   Disk: sda,
    \->Total Size=10.0G,
    \->Partitioned=10.0G
   Disk: sdb,
    \->Total Size=78.0G,
    \->Partitioned=78.0G
   Volume:
    \->Allocated=88.0G,
    \->Free=0.0G Copy

7. Check the current status of the system again and verify that more disk space is available to be used by the EMS application:

   ems@fcems-server $> system get info
   EMS Version: 7.4.5.2085 Interim
   FIPS Enabled: no
   OS Version: Ubuntu 24.04.3 LTS
   Hostname: fcems-server
   Linux Kernel: 6.8.0-87-generic
   RAM: 19GiB (11.61% used)
   CPU: 8 Cores
   Disk(s):
    \-> /run (tmpfs) 191M (1% used)
    \-> / (/dev/mapper/ubuntu--vg-ubuntu--lv) 87G (15% used)
    \-> /dev/shm (tmpfs) 951M (1% used)
    \-> /run/lock (tmpfs) 5.0M (0% used)
    \-> /boot (/dev/sda2) 2.0G (6% used)
    \-> /run/user/1000 (tmpfs) 191M (1% used)
   IP(s):
    \-> lo: 127.0.0.1/8
    \-> eth0: 172.21.161.250/20
   Air-gapped: no Copy

8. Expand the size of the newly-added disk "sda" from 10 GB to 30 GB using the virtualization platform management tools by following the platform-specific documentation.

9. Check the current status of disks and logical volumes in the EMS VM again:

   execute lvm info Copy

   Example output:

   ems@fcems-server $> execute lvm info
   Disk: sda,
    \->Total Size=78.0G,
    \->Partitioned=78.0G
   Disk: sdb,
    \->Total Size=30.0G,
    \->Partitioned=10.0G-Disk can be expanded.
   Volume:
    \->Allocated=88.0G,
    \->Free=0.0G			 Copy

   Verify that 20 GB has been added on top of the 10 GB disk already in use and the total capacity of the physical disk "sdb" is now 30 GB.

10. Expand the disk to partition the disk size not yet in use (using the execute lvm expand-disk command):

    execute lvm expand-disk --disk.name sdb Copy

11. Verify that all space on physical disk "sdb" has been partitioned (30.0 GB):

    ems@fcems-server $> execute lvm info
    Disk: sda,
     \->Total Size=30.0G,
     \->Partitioned=30.0G
    Disk: sdb,
     \->Total Size=78.0G,
     \->Partitioned=78.0G
    Volume:
     \->Allocated=88.0G,
     \->Free=20.0G-Volume can be expanded. Copy

    Note that the expanded 20 GB is not yet allocated in the EMS VM and not ready to be used by the EMS application.

12. Allocate the newly-partitioned volume (20 GB) to the EMS VM (so that it can be used by the EMS application) using the execute lvm expand-volume command. You can allocate the size partially or fully by expanding the logical volume size of the disk by a specific size or by using all available free space in the volume group.

    Try expanding the volume by 5 GB (of the 20 GB free space):

    execute lvm expand-volume --grow.gb 5.0 Copy

13. Verify that the volume available to be used by the EMS application has grown from 88 GB to 93 GB and 15.0 GB volume is still available to be allocated:

    ems@fcems-server $> system get info
    EMS Version: 7.4.5.2085 Interim
    FIPS Enabled: no
    OS Version: Ubuntu 24.04.3 LTS
    Hostname: fcems-server
    Linux Kernel: 6.8.0-87-generic
    RAM: 20GiB (12.74% used)
    CPU: 8 Cores
    Disk(s):
     \-> /run (tmpfs) 191M (1% used)
     \-> / (/dev/mapper/ubuntu--vg-ubuntu--lv) 92G (14% used)
     \-> /dev/shm (tmpfs) 951M (1% used)
     \-> /run/lock (tmpfs) 5.0M (0% used)
     \-> /boot (/dev/sda2) 2.0G (6% used)
     \-> /run/user/1000 (tmpfs) 191M (1% used)
    IP(s):
     \-> lo: 127.0.0.1/8
     \-> eth0: 172.21.161.250/20
    Air-gapped: no Copy

    ems@fcems-server $> execute lvm info
    Disk: sda,
     \->Total Size=78.0G,
     \->Partitioned=78.0G
    Disk: sdb,
     \->Total Size=30.0G,
     \->Partitioned=30.0G
    Volume:
     \->Allocated=93.0G,\->Free=15.0G-Volume can be expanded. Copy

14. Try expanding the logical volume using all available free space (15 GB) in the volume group:

    ems@fcems-server $> execute lvm expand-volume --grow.free Copy

15. Verify that the volume available to be used by the EMS application has grown from 93 GB to 108 GB with no volume available to be allocated:

    ems@fcems-server $> system get info
    EMS Version: 7.4.5.2085 Interim
    FIPS Enabled: no
    OS Version: Ubuntu 24.04.3 LTS
    Hostname: fcems-server
    Linux Kernel: 6.8.0-87-generic
    RAM: 20GiB (12.81% used)
    CPU: 8 Cores
    Disk(s):
     \-> /run (tmpfs) 191M (1% used)
     \-> / (/dev/mapper/ubuntu--vg-ubuntu--lv) 106G (13% used)
     \-> /dev/shm (tmpfs) 951M (1% used)
     \-> /run/lock (tmpfs) 5.0M (0% used)
     \-> /boot (/dev/sda2) 2.0G (6% used)
     \-> /run/user/1000 (tmpfs) 191M (1% used)
    IP(s):
     \-> lo: 127.0.0.1/8
     \-> eth0: 172.21.161.250/20
    Air-gapped: no Copy

    ems@fcems-server $> execute lvm info
    Disk: sda,
     \->Total Size=78.0G,
     \->Partitioned=78.0G
    Disk: sdb,
     \->Total Size=30.0G,
     \->Partitioned=30.0G
    Volume:
     \->Allocated=108.0G,\->Free=0.0G Copy