FQDN-based ZTNA TCP forwarding services

FortiClient supports using fully qualified domain names (FQDN) as destination hosts in Zero Trust Network Access TCP forwarding rules. This allows you to avoid exposing private/internal IP addresses to end users by using FQDNs instead.

The following shows the topology for this example. In this example, two FQDNs, rdp.win.test and ssh.win.test, are used in place of the Windows server IP address, 10.8.24.100. This hides the internal IP address, 10.8.24.100, from end users.

To configure FortiOS:
  1. In FortiOS, go to Policy & Objects > ZTNA > ZTNA Servers.
  2. Click Create New.
  3. For Type, select IPv4.
  4. For Service, select TCP Forwarding.
  5. Under Servers, configure RDP and SSH services.

  6. Click OK.
  7. In the CLI, add the rdp.win.test and ssh.win.test FQDNs to the RDP and SSH real servers as the domain:

    config firewall access-proxy
        edit "ZTNA-test"
            set vip "ZTNA-test"
            set client-cert enable
            config api-gateway
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "internal_server"
                            set domain "rdp.win.test"
                            set mappedport 3389
                        next
                        edit 2
                            set address "ssh_test"
                            set domain "ssh.win.test"
                            set mappedport 22
                        next
                    end
                next
            end
        next
    end

  8. Ensure that you have configured the ZTNA policy rule and firewall policy as desired.

To configure ZTNA rules:
  1. You can configure ZTNA rules from FortiClient or EMS. If using FortiClient, connect to the EMS that is connected to the FortiGate acting as the TCP forwarding server.
  2. Do one of the following:
    1. If using FortiClient, go to ZTNA Connection Rules.
    2. If using EMS, go to Endpoint Profiles > ZTNA Connection Rules.
  3. Create the RDP server rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter the desired name.
    3. In the Destination Host field, enter rdp.win.test:<port number>.
    4. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    5. Click Create.

  4. Create the SSH server rule:
    1. Click Add Rule.
    2. In the Rule Name field, enter the desired name.
    3. In the Destination Host field, enter ssh.win.test:<port number>.
    4. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    5. Click Create.

To verify the configuration:
  1. Go to C:/Windows/System32/drivers/etc.
  2. Open the hosts file with a text editor.
  3. Confirm that FortiClient has automatically edited the hosts file. If FortiClient sees traffic to these IP addresses, it forwards the traffic to the ZTNA access proxy with the destination set as the corresponding FQDN. You can verify this by pinging these two domain names in Command Prompt.

  4. Start an SSH session in Command Prompt using ssh admin@ssh.win.test.
  5. FortiClient displays an authentication prompt. Enter the credentials in the popup.
  6. You can see that the session has been started. Command Prompt requests the password.
  7. Start a remote session with Remote Desktop Connection.
  8. Enter your credentials in the popup. A remote access session starts.
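The point of this setup is that end users only ever see rdp.win.test and ssh.win.test, never 10.8.24.100. The following script is an added example, not FortiClient or FortiOS code, that cross-checks the two places where that can go wrong: it parses the realservers entries out of the access-proxy CLI block above and parses a Windows-style hosts file, then reports any configured FQDN that has no hosts entry and any hosts entry that points straight at the internal server address. The hosts file content, the 127.0.0.x addresses in it, and the deliberately wrong leaked.win.test line are constructed for the example; this page does not state which addresses FortiClient actually writes, so treat those values as placeholders and read the real file from C:\Windows\System32\drivers\etc\hosts when running the check on an endpoint.

```python
"""Cross-check FortiOS ZTNA TCP-forwarding real servers against a hosts file.

Added example: neither FortiOS nor FortiClient ships this; it only reads text.
"""
import ipaddress

# The access-proxy CLI block from this page, reflowed one statement per line.
FORTIOS_CONFIG = """
config firewall access-proxy
    edit "ZTNA-test"
        set vip "ZTNA-test"
        set client-cert enable
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "internal_server"
                        set domain "rdp.win.test"
                        set mappedport 3389
                    next
                    edit 2
                        set address "ssh_test"
                        set domain "ssh.win.test"
                        set mappedport 22
                    next
                end
            next
        end
    next
end
"""

# Constructed hosts file. The 127.0.0.x addresses are placeholders chosen for
# this example; the last line is a deliberately bad entry that exposes the
# internal server address and should be flagged.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# FortiClient ZTNA entries (constructed)
127.0.0.2       rdp.win.test
127.0.0.3       ssh.win.test
10.8.24.100     leaked.win.test   # constructed bad entry
"""

# Internal Windows server address from the page's topology.
INTERNAL_SERVER_IP = ipaddress.ip_address("10.8.24.100")


def parse_realservers(config_text):
    """Return {domain: mappedport} for every realserver entry with a 'set domain'."""
    servers = {}
    current = {}
    in_realservers = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config realservers":
            in_realservers = True
        elif not in_realservers:
            continue
        elif line.startswith("edit "):
            current = {}                      # new realserver entry
        elif line.startswith("set domain "):
            current["domain"] = line.split(None, 2)[2].strip('"')
        elif line.startswith("set mappedport "):
            current["port"] = int(line.split()[2])
        elif line == "next":                  # entry finished
            if "domain" in current:
                servers[current["domain"]] = current.get("port")
        elif line == "end":                   # realservers table finished
            in_realservers = False
    return servers


def parse_hosts(hosts_text):
    """Return {hostname: ip} from hosts-file text, skipping comments and blanks."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip = ipaddress.ip_address(parts[0])
        for name in parts[1:]:                # one line may list several names
            mapping[name.lower()] = ip
    return mapping


def check_fqdn_forwarding(config_text, hosts_text, internal_ips):
    """Return a list of findings; an empty list means the FQDN setup is consistent."""
    servers = parse_realservers(config_text)
    hosts = parse_hosts(hosts_text)
    findings = []
    for domain, port in servers.items():
        if domain.lower() not in hosts:
            findings.append(f"missing: no hosts entry for {domain} (port {port})")
    for name, ip in hosts.items():
        if ip in internal_ips:
            findings.append(f"leak: hosts entry {name} -> {ip} exposes the internal server")
    return findings


if __name__ == "__main__":
    for finding in check_fqdn_forwarding(FORTIOS_CONFIG, SAMPLE_HOSTS, {INTERNAL_SERVER_IP}):
        print(finding)
```

On the constructed input the script reports exactly one finding, the leaked.win.test line; rdp.win.test and ssh.win.test are present and do not resolve to 10.8.24.100, which is the state the verification steps above expect.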