
EMS Administration Guide

FQDN-based ZTNA TCP forwarding services

FortiClient supports using fully qualified domain names (FQDN) as destination hosts in zero trust network access (ZTNA) TCP forwarding destinations. This allows you to avoid exposing private/internal IP addresses to end users by using FQDNs instead.

The following shows the topology for this example. This example uses two FQDNs, rdp.win.test and ssh.win.test, in place of the Windows server IP address, 10.8.24.100. This hides the internal IP address, 10.8.24.100, from end users.

To configure FortiOS:
  1. In FortiOS, go to Policy & Objects > ZTNA > ZTNA Servers.
  2. Click Create New.
  3. For Type, select IPv4.
  4. For Service, select TCP Forwarding.
  5. Under Servers, configure RDP and SSH services.

  6. Click OK.
  7. In the CLI, set the rdp.win.test and ssh.win.test FQDNs as the domain of the RDP and SSH real servers:
    config firewall access-proxy
        edit "ZTNA-test"
            set vip "ZTNA-test"
            set client-cert enable
            config api-gateway
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "internal_server"
                            set domain "rdp.win.test"
                            set mappedport 3389 
                        next
                        edit 2
                            set address "ssh_test"
                            set domain "ssh.win.test"
                            set mappedport 22 
                        next
                    end
                next
            end
        next
    end
  8. Ensure that you have configured the ZTNA policy rule and firewall policy as desired.

To configure ZTNA destinations:

You can configure ZTNA destinations from EMS or FortiClient. Using EMS is the recommended method. If using FortiClient, connect to the EMS that is connected to the FortiGate acting as the TCP forwarding server.

  1. Go to Fabric & Connectors > ZTNA Applications Catalog.
  2. Create the RDP ZTNA application:
    1. Click Add.
    2. Select FQDN, then enter rdp.win.test. This field requires a fully qualified domain name; it does not accept a bare hostname.
    3. Select Port, then enter the desired port number.
    4. Click Add Gateway.
    5. In the Address and Port fields, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    6. Click Create.
    7. Configure other fields as desired, then click Finish.
  3. Create the SSH ZTNA application:
    1. Click Add.
    2. Select FQDN, then enter ssh.win.test. This field requires a fully qualified domain name; it does not accept a bare hostname.
    3. Select Port, then enter the desired port number.
    4. Click Add Gateway.
    5. In the Address and Port fields, enter the FortiGate IP address and port number. In this example, it is 172.17.81.250:8443.
    6. Click Create.
    7. Configure other fields as desired, then click Finish.
  4. Go to Endpoint Profiles > ZTNA Destinations.
  5. Create a new profile or edit an existing one.
  6. Under Rules, click Add.
  7. Select the applications that you configured. Click Finish.
  8. Configure the profile as desired, and click Save.
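The FortiGate side (real servers matched by `set domain`) and the EMS side (ZTNA applications keyed by FQDN) have to agree before an endpoint can reach a service, and the whole point of the setup is that end users see rdp.win.test and ssh.win.test rather than 10.8.24.100. The following script, added here as a worked example and not part of the Fortinet guide or product, parses the access-proxy CLI block above into a nested structure, lists the tcp-forwarding real servers, and cross-checks them against a constructed copy of the EMS catalog entries from this page. The checks that every EMS destination has a real server with the same domain, that no EMS destination is a raw IP address, and that the EMS port equals the real server's `mappedport` are this example's own assumptions about what a consistent deployment looks like, not rules stated by the page.

```python
"""Parse a FortiOS access-proxy CLI block and cross-check it against EMS ZTNA destinations.

Example code, not Fortinet's. The config text and the EMS entries below are constructed
from the values shown on this page so the script runs offline.
"""
import ipaddress
import re

# Constructed: the access-proxy block from this page.
ACCESS_PROXY_CONFIG = """
config firewall access-proxy
    edit "ZTNA-test"
        set vip "ZTNA-test"
        set client-cert enable
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "internal_server"
                        set domain "rdp.win.test"
                        set mappedport 3389
                    next
                    edit 2
                        set address "ssh_test"
                        set domain "ssh.win.test"
                        set mappedport 22
                    next
                end
            next
        end
    next
end
"""

# Constructed: the two EMS ZTNA Applications Catalog entries from this page.
EMS_APPLICATIONS = [
    {"destination": "rdp.win.test", "port": 3389, "gateway": "172.17.81.250:8443"},
    {"destination": "ssh.win.test", "port": 22, "gateway": "172.17.81.250:8443"},
]


def parse_fortios(text: str) -> dict:
    """Parse FortiOS 'config / edit / set / next / end' syntax into nested dicts.

    'config NAME' opens a table, 'edit KEY' opens an entry in the current table,
    'set K V' stores a value on the current entry, 'next' and 'end' close them.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)
        kw, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r} in line {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def tcp_forwarding_realservers(config: dict) -> list:
    """Return one dict per real server under every tcp-forwarding api-gateway."""
    servers = []
    for proxy_name, proxy in config.get("firewall access-proxy", {}).items():
        for gw_id, gw in proxy.get("api-gateway", {}).items():
            if gw.get("service") != "tcp-forwarding":
                continue
            for rs_id, rs in gw.get("realservers", {}).items():
                servers.append({
                    "proxy": proxy_name, "gateway": gw_id, "id": rs_id,
                    "address": rs.get("address"),
                    "domain": rs.get("domain"),  # None when 'set domain' is missing
                    "mappedport": int(rs["mappedport"]) if "mappedport" in rs else None,
                })
    return servers


def check_destinations(servers: list, apps: list) -> list:
    """Cross-check real servers against EMS applications; an empty list means they agree.

    Assumption of this example: EMS port should equal the real server's mappedport,
    and an EMS destination given as an IP literal defeats the purpose of FQDN-based ZTNA.
    """
    findings = []
    by_domain = {}
    for s in servers:
        if not s["domain"]:
            findings.append(f"real server {s['id']} ({s['address']}) has no 'set domain'; "
                            "FQDN matching will not apply to it")
            continue
        by_domain[s["domain"]] = s
    for app in apps:
        dest = app["destination"]
        try:
            ipaddress.ip_address(dest)
            findings.append(f"EMS destination {dest} is an IP address; the internal IP is exposed to users")
            continue
        except ValueError:
            pass  # an FQDN, as expected
        s = by_domain.get(dest)
        if s is None:
            findings.append(f"EMS destination {dest} has no real server with that domain")
        elif s["mappedport"] != app["port"]:
            findings.append(f"{dest}: EMS port {app['port']} != mappedport {s['mappedport']}")
    for domain in by_domain.keys() - {a["destination"] for a in apps}:
        findings.append(f"real server domain {domain} has no EMS ZTNA application")
    return findings


if __name__ == "__main__":
    found = tcp_forwarding_realservers(parse_fortios(ACCESS_PROXY_CONFIG))
    for server in found:
        print(server)
    issues = check_destinations(found, EMS_APPLICATIONS)
    print("consistent" if not issues else "\n".join(issues))
```

Run it against a `show firewall access-proxy` dump and the catalog exported from EMS after making changes on either side; a real server that lost its `set domain`, or a catalog entry someone created with the raw 10.8.24.100 address, shows up as a finding rather than as a user report that RDP stopped working.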