config user app-group

Use this command to configure App Groups and their associated App Bookmarks for the Agentless Application Gateway (AAG) feature.

An App Group is a logical container that organizes App Bookmarks—each representing a backend application or service such as an RDP host, SSH server, VNC desktop, or internal web application. App Groups are linked to App Portals, which define the user-facing web interface for application access.

Each App Group can contain multiple bookmarks of different types. The required parameters for each bookmark vary depending on its protocol (e.g., RDP, SSH, or Web), and must be configured to ensure proper connectivity and user experience. When a user authenticates through an App Portal, they are presented only with the applications associated with the App Groups assigned to that portal.

Each VDOM supports up to 1024 App Groups, and each App Group can contain up to 256 App Bookmarks. A single App Portal can be associated with a maximum of 32 App Groups.

Once configured, an App Group can be assigned to an App Portal to make the applications accessible through the AAG App Portal interface.

For more information, see the Administration Guide on the Agentless Application Gateway (AAG).

App Bookmark Types

Each App Bookmark Type requires specific parameters to be configured. The following table lists the supported Types and their usage. Use the links under the Application Type column to navigate to the configuration parameters applicable to each App Bookmark Type.

Application Type	Usage
Web RDP	Provides web-based remote desktop access via an HTML5 client, eliminating the need for an RDP client on the user’s device.
Native RDP	Establishes a direct connection to an RDP server, requiring an installed RDP client on the user’s device.
RemoteApp	Enables access to specific Windows applications over RDP without exposing the full desktop session.
Web VNC	Grants browser-based access to remote desktops running Virtual Network Computing (VNC).
Web SSH	Allows command-line access to remote Linux or Unix servers via a secure, browser-based SSH session.
Web TELNET	Provides browser-based access to Telnet-enabled devices for legacy terminal access.
Web APP – Internal	Connects to internal HTTP/HTTPS applications published through a FortiADC virtual server with Web App Proxy enabled. Users access these applications through the AAG App Portal using their portal login credentials. Direct access through the virtual server URL is also supported, with the same authentication enforcement.

For application types that require login credentials—such as RDP, VNC, and SSH—you must specify a username and password within the App Group configuration. When cloning an App Group, all passwords are automatically cleared and must be re-entered manually to maintain secure handling.

After the bookmark is saved, administrators can optionally assign a custom icon to customize how it appears in the App Portal.

config user app-group
    edit <name>
        config bookmark
            edit <bookmark_name>
                ...
                set icon-customize {default|custom}
                set icon-file <filename>
            next
        end
    next
end

The icon-customize option becomes available when editing a saved bookmark, with the following options:

• default – Uses the standard system icon.

• custom – Allows upload of a custom image file.

Custom icons must meet the following requirements:

• File format: .ico, .jpeg, .png, or .svg

• Shape: Square (for example, 32×32 or 256×256 pixels)

• Minimum resolution: 32×32 pixels

• Maximum file size: 1 MB

Web RDP

Web RDP (Remote Desktop Protocol) provides web-based access to a remote Windows desktop session without requiring an RDP client. It allows users to connect to Windows systems securely through their browser, making it ideal for remote administration, virtual desktop access, and troubleshooting.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype web-rdp
        set host <string>
        set port <integer>
        set description <string>
        set sso {disable|auto}
        set logon-user <string>
        set logon-password <string>
        set sso-credential portal-login
        set color-depth {8|16|32}
        set width <integer>
        set height <integer>
        set security {any|nla|rdp|tls}
        set clipboard {enable|disable}
      next
    end
  next
end

host	The IP address or hostname of the target Windows machine.
port	The port used for the RDP connection (default: 3389, range: 1-65535).
description	Optional description for the Web RDP bookmark.
sso	Determines whether Single Sign-On is used. Select from the following options: disable (default) — manual login required. You will need to set the Username and Password for this login. auto — uses portal credentials.
logon-user	The username for authentication when sso is disabled.
logon-password	The password for authentication when sso is disabled.
sso-credential	Appears when sso is set to auto. The SSO Credential is set to use the portal-login (App Portal Login) by default.
color-depth	Sets the color depth for the remote session. Select from the following: 8 — 8 bits per pixel 16 — 16 bits per pixel. This is the default setting. 32 — 32 bits per pixel.
width	Specifies the width of the remote session display (default: 1024, range: 200-8192).
height	Specifies the height of the remote session display (default: 768, range: 200-8192).
security	Defines the security protocol for the RDP session. Select from the following: any – Allows the RDP server to determine the security protocol. FortiADC will negotiate based on the server's supported options. This is the default setting. nla – Enforces Network Level Authentication. Requires the user to authenticate before the remote session is fully established. rdp – Uses standard RDP security, which relies on legacy RDP encryption. This mode is less secure and typically used for compatibility with older systems. tls – Secures the RDP session using Transport Layer Security (TLS), providing encrypted communication and enhanced security.
clipboard	Enables or disables clipboard sharing between the remote session and the local machine.

Native RDP

Native RDP allows users to launch a full remote desktop session using an installed RDP client. Unlike Web RDP, which runs in a browser, Native RDP opens the session in the system's RDP client, providing a more responsive experience and leveraging full client-side capabilities, including peripheral redirection, multiple monitor support, and enhanced performance.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype native-rdp
        set host <string>
        set port <integer>
        set description <string>
        set clipboard-redirect {enable|disable}
        set drives-redirect {enable|disable}
        set printers-redirect {enable|disable}
        set microphone-redirect {enable|disable}
        set camera-redirect {enable|disable}
        set multiple-monitor {enable|disable}
        set keyboard-hook {on-local|on-remote-app-focus|on-remote-desktop-focus|on-remote-desktop-full-screen}
        set custom-parameters <string>
      next
    end
  next
end

host	The IP address or hostname of the target Windows machine.
port	The port used for the RDP connection (default: 3389, range: 1-65535).
description	Optional description for the Native RDP bookmark.
clipboard-redirect	Enable to allow clipboard sharing between the remote and local machine.
drives-redirect	Enables access to local drives within the remote session.
printers-redirect	Enable to allow remote access to local printers.
microphone-redirect	Enables microphone redirection for remote audio input.
camera-redirect	Enables camera redirection for video conferencing applications.
multiple-monitor	Allows the remote session to span multiple monitors.
keyboard-hook	Defines how keyboard shortcuts (e.g., Alt+Tab) are handled in the session. Select from the following options: on-local – Keyboard shortcuts remain on the local machine. on-remote-app-focus – Shortcuts apply to the remote application window, not the full desktop session. on-remote-desktop-focus – Shortcuts apply to the remote session only when it is the active window. on-remote-desktop-full-screen – Shortcuts apply to the remote session only when in full-screen mode. This is the default option.
custom-parameters	Additional RDP client parameters for advanced configurations.

RemoteApp

RemoteApp provides access to specific applications hosted on a remote Windows server without opening a full remote desktop session. Unlike Web RDP, which grants access to the entire remote desktop environment, RemoteApp launches only the selected application in a separate window, making it appear as if it is running locally on the user's device. This approach enhances security by restricting access to only approved applications and improves the user experience by integrating remote applications seamlessly into the local desktop environment.

When publishing RemoteApp bookmarks: Privacy and security settings, such as camera redirection, must be properly configured on the RDP session host. Redirect-printer support requires that the appropriate printer driver is installed on the RDP server before use.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype remote-app
        set host <string>
        set port <integer>
        set description <string>
        set app-name <string>
        set app-path <string>
        set app-cmdline <string>
        set clipboard-redirect {enable|disable}
        set drives-redirect {enable|disable}
        set printers-redirect {enable|disable}
        set microphone-redirect {enable|disable}
        set camera-redirect {enable|disable}
        set multiple-monitor {enable|disable}
        set keyboard-hook {on-local|on-remote-app-focus|on-remote-desktop-focus|on-remote-desktop-full-screen}
        set custom-parameters <string>
      next
    end
  next
end

Parameter	Description
host	The IP address or hostname of the RemoteApp server.
port	The port used for the RemoteApp connection (default: 3389, range: 1-65535).
description	Optional description for the RemoteApp bookmark.
app-name	The display name of the RemoteApp application.
app-path	The full path to the executable of the RemoteApp.
app-cmdline	Additional command-line arguments for the RemoteApp.
clipboard-redirect	Allows clipboard sharing between the remote and local machine.
drives-redirect	Enables access to local drives within the RemoteApp session.
printers-redirect	Allows remote access to local printers.
microphone-redirect	Enables microphone redirection for remote audio input.
camera-redirect	Enables camera redirection for video conferencing applications.
multiple-monitor	Allows the RemoteApp session to span multiple monitors.
keyboard-hook	Defines how keyboard shortcuts (e.g., Alt+Tab) are handled in the session. Select from the following options: on-local – Keyboard shortcuts remain on the local machine. on-remote-app-focus – Shortcuts apply to the remote application window, not the full desktop session. on-remote-desktop-focus – Shortcuts apply to the remote session only when it is the active window. on-remote-desktop-full-screen – Shortcuts apply to the remote session only when in full-screen mode. This is the default option.
custom-parameters	Additional RDP client parameters for advanced configurations.

Web VNC

Web VNC (Virtual Network Computing) enables web-based remote access to graphical desktops on Linux, macOS, and other VNC-compatible systems. It is commonly used for remote system administration and technical support.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype web-vnc
        set host <string>
        set port <integer>
        set description <string>
        set logon-user <string>
        set logon-password <string>
        set color-depth {8|16|32}
        set width <integer>
        set height <integer>
        set clipboard {enable|disable}
      next
    end
  next
end

host	The IP address or hostname of the VNC server.
port	The port used for the VNC connection (default: 5900, range: 1-65535).
description	Optional description for the Web VNC bookmark.
logon-user	The username for VNC authentication, if required.
logon-password	The password for VNC authentication, if required.
color-depth	Sets the color depth for the VNC session. Select from the following: 8 — 8 bits per pixel 16 — 16 bits per pixel. This is the default setting. 32 — 32 bits per pixel.
width	Specifies the width of the VNC session display. The default value is 1024, with a valid range of 200-8192.
height	Specifies the height of the VNC session display. The default value is 768, with a valid range of 200-8192.
clipboard	Enables or disables clipboard sharing between the remote and local system.

Web SSH

Web SSH (Secure Shell) provides secure, web-based command-line access to remote Linux and Unix systems. It is commonly used for server administration and troubleshooting.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype web-ssh
        set host <string>
        set port <integer>
        set description <string>
        set logon-user <string>
        set logon-password <string>
      next
    end
  next
end

host	The IP address or hostname of the SSH server.
port	The port used for the SSH connection (default: 22, range: 1-65535).
description	Optional description for the Web SSH bookmark.
logon-user	The SSH login username.
logon-password	The SSH login password (if password authentication is used).

Web TELNET

Web Telnet provides browser-based access to network devices and legacy systems that use the Telnet protocol. It is commonly used for managing routers, switches, and older mainframe systems.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype web-telnet
        set host <string>
        set port <integer>
        set description <string>
      next
    end
  next
end

host	The IP address or hostname of the Telnet server.
port	The port used for the Telnet connection (default: 23, range: 1-65535).
description	Optional description for the Web Telnet bookmark.

Web APP – Internal

The Web App – Internal bookmark type integrates internal web applications published through FortiADC into the AAG App Portal, allowing users to reach internal HTTP/HTTPS resources—such as intranet sites, dashboards, or collaboration platforms—securely through a browser. Traffic to these applications is proxied by FortiADC, which authenticates users through the AAG App Portal and applies centralized access policies.

Before you configure this bookmark, ensure that the internal application has already been published on a FortiADC virtual server configured with Web App Proxy (HTTP or HTTPS). The virtual server provides the reverse-proxy function that handles session termination and authentication redirection, while the Web App – Internal bookmark links that published resource to the App Portal.

Users can access the published application in either of the following ways:

• From the App Portal: Authenticated users select the bookmark to launch the internal web application. The session is proxied through the Web App Proxy virtual server using their existing portal credentials.

• Directly through the published URL: Users who access the application URL without an active session are redirected to the AAG App Portal login page. After authentication, FortiADC returns them to the requested application.

This integration allows administrators to publish internal web applications securely through FortiADC without requiring VPN software, while maintaining consistent authentication, policy enforcement, and session logging across all application types.

Syntax

config user app-group
  edit <name>
    config bookmark
      edit <bookmark_name>
        set apptype web-app-internal
        set url <string>
        set domain <string>
        set host <string>
        set port <integer>
        set description <string>
      next
    end
  next
end

url	Specifies the bookmark URL — the homepage address of the internal web application, in the format http(s)://<fqdn>:<port>. The domain name must resolve to the Internal App virtual server configured with Web App Proxy enabled. This is the URL users access through the App Portal or directly in a browser.
domain	Lists additional subdomains or domains used by the web application, in addition to the homepage domain (for example, for content delivery or APIs). Enter each entry in the format ${sub-domain}@${top-level domain}. All specified domains must be included in the certificate’s Subject Alternative Name (SAN) to ensure proper SSL validation. Example: For an application accessed at https://portal.example.com that loads content from static.example.com and api.example.net, enter static@example.com and api@example.net.
host	(Optional) Specifies the backend server IP address or hostname (and optionally the port number) to which the Internal App virtual server routes traffic. If not set, FortiADC uses DNS resolution on the hostname portion of the URL to obtain the backend server IP address.
port	(Optional) Specifies the TCP port (1–65535) used by the backend server for the application. This value must match the port configured on the Internal App virtual server that proxies the application.
description	(Optional) Descriptive text for the bookmark. The label appears in the App Portal to help users identify the application (for example, Intranet Portal or SharePoint Site).