ZTNA Destinations
You can use FortiClient to create a secure encrypted connection to protected applications without using a VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to establish an HTTPS connection and presents a client certificate issued by EMS that includes the FortiClient UID. The FortiGate reads the UID from the certificate to identify the device and checks it against the endpoint information that EMS shares with the FortiGate, which can include other identity and posture information. Based on that, the FortiGate allows or denies the access. See the FortiOS Administration Guide for FortiOS configuration requirements. For TCP forwarding to non-web-based applications, you must define ZTNA destinations as follows.
You can configure these destinations in a ZTNA Destinations profile in EMS and deploy them to endpoints as part of an endpoint policy.
To configure a ZTNA destination:
- Go to Endpoint Profiles > ZTNA Destinations.
- Select a profile or create a new one.
- Click Advanced.
- In the Name field, enter the desired name.
- If desired, enable Allow Personal Destinations. This feature allows end users to configure personal ZTNA destinations. For FortiPAM ZTNA users, you must enable Allow Personal Destinations for FortiPAM to proxy RDP and SSH connections.
- If desired, enable Do Not Accept Invalid Server Certificate. This feature blocks end users from accessing a ZTNA destination if the gateway presents a server certificate that FortiClient cannot validate (for example, untrusted issuer, expired, or name mismatch). Leave it enabled unless you have a specific reason not to: with it disabled, FortiClient still connects, so a TCP forwarding session could be established to an impersonated gateway.
- If desired, enable Notify user on error. If enabled, FortiClient displays an error message to users when a TCP forwarding error occurs.
- Enable Destinations.
- Add a destination. Click Add, then add a proxy gateway:
- In the Enter gateway proxy address field, enter the FortiGate access IP address and port in the format <IP address or FQDN>:<port>.
- Under Select browser user-agent for SAML login, select Use external browser or Use FortiClient embedded browser. For traffic that matches this destination, FortiClient presents the SAML authentication request to the end user in the selected browser.
- In the Alias field, enter an alias for this destination.
- Click Next.
- Configure private applications. You can add a private application by searching for it, importing it from your device, or by manually adding it. Click Next.
- Configure SaaS applications by searching for the desired application in the SaaS Applications/Groups field. Selected applications appear as Will be Added under Changes to Apps/Groups.
- Click Finish.
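The steps above are entered by hand in the EMS GUI, and a mistyped gateway address or a gateway whose certificate FortiClient cannot validate only shows up as a TCP forwarding error on the endpoint. The following is an added example, not Fortinet's or EMS's own code, that an administrator can run before filling in the profile: it validates a planned list of destinations in the `<IP address or FQDN>:<port>` form the gateway proxy address field expects, flags duplicate aliases and two aliases that point at the same gateway, and can perform a verifying TLS handshake against a gateway so that enabling Do Not Accept Invalid Server Certificate does not lock users out. The `Gateway` class, `parse_gateway`, `validate_destinations`, `check_gateway_certificate`, and the `SAMPLE_ENTRIES` list are all hypothetical names and constructed data for this example; EMS has no such API.

```python
"""Pre-deployment checks for FortiClient ZTNA destination entries.

Added example, not Fortinet's or EMS's own code. It validates the
'<IP address or FQDN>:<port>' gateway strings the ZTNA Destinations profile
expects and can verify the certificate a gateway presents.
"""
import ipaddress
import re
import socket
import ssl
from dataclasses import dataclass

# RFC 1123 hostname label: 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class Gateway:
    host: str
    port: int
    is_ip: bool


def parse_gateway(address: str) -> Gateway:
    """Parse a gateway proxy address exactly as it would be typed into EMS.

    Accepts IPv4, bracketed IPv6 ('[2001:db8::1]:443') and FQDN forms and
    raises ValueError for anything FortiClient could not dial.
    """
    host, sep, port_str = address.strip().rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError(f"expected <IP address or FQDN>:<port>, got {address!r}")
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # bracketed IPv6 literal
    elif ":" in host:
        raise ValueError(f"IPv6 literals must be bracketed: {address!r}")
    try:
        ipaddress.ip_address(host)
        return Gateway(host, port, True)
    except ValueError:
        pass  # not an IP literal; validate as an FQDN below
    labels = host.rstrip(".").split(".")
    if len(host) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid FQDN: {host!r}")
    return Gateway(host.lower(), port, False)


def validate_destinations(entries):
    """Check a list of {'alias', 'gateway'} dicts (the two fields entered per
    destination). Returns (parsed, errors): parsed maps alias -> Gateway and
    errors is a list of readable problems. Duplicate aliases and two aliases
    pointing at the same gateway are flagged because they confuse end users
    who pick a destination by its alias."""
    parsed, errors, seen_gateways = {}, [], {}
    for entry in entries:
        alias = (entry.get("alias") or "").strip()
        if not alias:
            errors.append(f"missing alias for {entry.get('gateway')!r}")
            continue
        if alias in parsed:
            errors.append(f"duplicate alias {alias!r}")
            continue
        try:
            gw = parse_gateway(entry.get("gateway", ""))
        except ValueError as exc:
            errors.append(f"{alias}: {exc}")
            continue
        if gw in seen_gateways:
            errors.append(f"{alias}: same gateway as {seen_gateways[gw]!r}")
        seen_gateways.setdefault(gw, alias)
        parsed[alias] = gw
    return parsed, errors


def check_gateway_certificate(gw: Gateway, timeout: float = 5.0) -> dict:
    """Perform a verifying TLS handshake against the gateway (needs network
    access; not exercised offline). Returns the peer certificate on success and
    raises ssl.SSLCertVerificationError when the chain is untrusted or the name
    does not match, the same condition Do Not Accept Invalid Server Certificate
    makes FortiClient refuse. Passing an IP as server_hostname is supported by
    Python 3.7+ and matches it against the certificate's IP SAN entries."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    with socket.create_connection((gw.host, gw.port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=gw.host) as tls:
            return tls.getpeercert()


# Constructed sample profile entries for this example; not from a real deployment.
SAMPLE_ENTRIES = [
    {"alias": "HQ RDP", "gateway": "ztna.example.com:8443"},
    {"alias": "Lab SSH", "gateway": "10.0.0.1:443"},
    {"alias": "HQ RDP", "gateway": "ztna.example.com:8443"},   # duplicate alias
    {"alias": "HQ SSH", "gateway": "ZTNA.example.com:8443"},   # same gateway, new alias
    {"alias": "Broken", "gateway": "ztna.example.com"},        # port missing
    {"alias": "IPv6 lab", "gateway": "[2001:db8::10]:443"},
]

if __name__ == "__main__":
    parsed, errors = validate_destinations(SAMPLE_ENTRIES)
    for alias, gw in parsed.items():
        print(f"OK   {alias:10} -> {gw.host}:{gw.port}")
    for err in errors:
        print(f"FAIL {err}")
```

Run `check_gateway_certificate` only from a host that can reach the FortiGate access port; if it raises a verification error, fix the certificate on the FortiGate or the trust store on the endpoints rather than disabling Do Not Accept Invalid Server Certificate.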