Fortinet black logo

FQDN-based ZTNA TCP forwarding services 7.0.3

Copy Link
Copy Doc ID c7e1b029-a797-11eb-b70b-00505692583a:814327
Download PDF

FQDN-based ZTNA TCP forwarding services 7.0.3

FortiClient 7.0.3 adds support for using fully qualified domain names (FQDN) as destination hosts in zero trust network access (ZTNA) TCP forwarding rules. This allows you to avoid exposing private/internal IP addresses to end users by using FQDNs instead.

The following shows the topology for this example. This example uses two FQDNs, rdp.win.test and ssh.win.test, in place of the Windows server IP address, 10.8.24.100. This hides the internal IP address, 10.8.24.100, from end users.

To configure FortiOS:
  1. In FortiOS, go to Policy & Objects > ZTNA > ZTNA Servers.
  2. Click Create New.
  3. For Type, select IPv4.
  4. For Service, select TCP Forwarding.
  5. Under Servers, configure RDP and SSH services.

  6. Click OK.
  7. In the CLI, add the rdp.win.test FQDN to RDP and SSH services as the domain:
    config firewall access-proxy
        edit "ZTNA-test"
            set vip "ZTNA-test"
            set client-cert enable
            config api-gateway
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "internal_server"
                            set domain "rdp.win.test"
                            set mappedport 3389 
                        next
                        edit 2
                            set address "ssh_test"
                            set domain "ssh.win.test"
                            set mappedport 22 
                        next
                    end
                next
            end
        next
    end
  8. Ensure that you configured the ZTNA policy rule and firewall policy as desired.
To configure ZTNA rules:
  1. You can configure ZTNA rules from FortiClient or EMS. If using FortiClient, connect to the EMS that is connected to the FortiGate acting as the TCP forwarding server.
  2. Do one of the following:
    1. If using FortiClient, go to ZTNA Connection Rules.
    2. If using EMS, go to Endpoint Profiles > ZTNA Connection Rules.
  3. Create the RDP server rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter the desired name.
    3. In the Destination Host field, enter rdp.win.test:<port number>.
    4. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    5. Click Create.

  4. Create the SSH server rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter the desired name.
    3. In the Destination Host field, enter ssh.win.test:<port number>.
    4. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    5. Click Create.

To verify the configuration:
  1. Go to C:/Windows/System32/drivers/etc.
  2. Open the hosts file with a text editor.
  3. Confirm that FortiClient automatically edited the hosts file. If FortiClient sees traffic to these IP addresses, it forwards the traffic to the ZTNA access proxy with the destination set as the corresponding FQDN. You can verify this by pinging these two domain names in Command Prompt.

  4. Start an SSH session in Command Prompt using ssh admin@ssh.win.test.
  5. FortiClient displays an authentication prompt. Enter the credentials in the popup.
  6. You can see that the session started. Command Prompt requests the password.
  7. Start a remote session with Remote Desktop Connection.
  8. Enter your credentials in the popup. A remote access session starts.

FQDN-based ZTNA TCP forwarding services 7.0.3

FortiClient 7.0.3 adds support for using fully qualified domain names (FQDN) as destination hosts in zero trust network access (ZTNA) TCP forwarding rules. This allows you to avoid exposing private/internal IP addresses to end users by using FQDNs instead.

The following shows the topology for this example. This example uses two FQDNs, rdp.win.test and ssh.win.test, in place of the Windows server IP address, 10.8.24.100. This hides the internal IP address, 10.8.24.100, from end users.

To configure FortiOS:
  1. In FortiOS, go to Policy & Objects > ZTNA > ZTNA Servers.
  2. Click Create New.
  3. For Type, select IPv4.
  4. For Service, select TCP Forwarding.
  5. Under Servers, configure RDP and SSH services.

  6. Click OK.
  7. In the CLI, add the rdp.win.test FQDN to RDP and SSH services as the domain:
    config firewall access-proxy
        edit "ZTNA-test"
            set vip "ZTNA-test"
            set client-cert enable
            config api-gateway
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "internal_server"
                            set domain "rdp.win.test"
                            set mappedport 3389 
                        next
                        edit 2
                            set address "ssh_test"
                            set domain "ssh.win.test"
                            set mappedport 22 
                        next
                    end
                next
            end
        next
    end
  8. Ensure that you configured the ZTNA policy rule and firewall policy as desired.
To configure ZTNA rules:
  1. You can configure ZTNA rules from FortiClient or EMS. If using FortiClient, connect to the EMS that is connected to the FortiGate acting as the TCP forwarding server.
  2. Do one of the following:
    1. If using FortiClient, go to ZTNA Connection Rules.
    2. If using EMS, go to Endpoint Profiles > ZTNA Connection Rules.
  3. Create the RDP server rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter the desired name.
    3. In the Destination Host field, enter rdp.win.test:<port number>.
    4. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    5. Click Create.

  4. Create the SSH server rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter the desired name.
    3. In the Destination Host field, enter ssh.win.test:<port number>.
    4. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    5. Click Create.

To verify the configuration:
  1. Go to C:/Windows/System32/drivers/etc.
  2. Open the hosts file with a text editor.
  3. Confirm that FortiClient automatically edited the hosts file. If FortiClient sees traffic to these IP addresses, it forwards the traffic to the ZTNA access proxy with the destination set as the corresponding FQDN. You can verify this by pinging these two domain names in Command Prompt.

  4. Start an SSH session in Command Prompt using ssh admin@ssh.win.test.
  5. FortiClient displays an authentication prompt. Enter the credentials in the popup.
  6. You can see that the session started. Command Prompt requests the password.
  7. Start a remote session with Remote Desktop Connection.
  8. Enter your credentials in the popup. A remote access session starts.