Fortinet black logo

Administration Guide

Home FortiClient 7.2.4 Administration Guide
7.2.4
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0

ZTNA Destination

ZTNA Destination

You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and check other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable. See Zero Trust Network Access (ZTNA) for FortiOS configuration requirements. For TCP forwarding to non-web-based applications, you must define ZTNA connection rules in FortiClient as follows.

For Linux devices, ZTNA certificate provisioning requires Trusted Platform Module 2.0.

It is recommended for FortiClient to receive ZTNA destinations from EMS as configured by the EMS administrator. See the FortiClient EMS Administration Guide.

You cannot use ZTNA destinations and TCP forwarding on a Windows 7 endpoint.

To add a ZTNA destination:
  1. On the ZTNA Destination tab, click Add Destination.
  2. In the Destination Name field, enter the desired name.
  3. In the Destination Host field, enter the IP address/FQDN and port of the destination host in the format <IP address or FQDN>:<port>. This field does not support entering a hostname. For example, you could enter demo.fortinet.com:22 as the destination host value.
  4. In the Proxy Gateway field, enter the FortiGate access IP address and port in the same format. For example, you could enter 21.14.22.11:80 as the proxy gateway value.
  5. From the Mode dropdown list, select Transparent.
  6. Enable or disable Encryption. By default, Encryption is disabled. When Encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic has already been encrypted. When Encryption is disabled, traffic between FortiClient and the FortiGate is not encrypted.
  7. If desired, enable Use external browser as user-agent for saml user authentication. FortiClient can use a browser as an external user-agent to perform SAML authentication.
  8. Click Create.

Previous
Next

ZTNA Destination

You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and check other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable. See Zero Trust Network Access (ZTNA) for FortiOS configuration requirements. For TCP forwarding to non-web-based applications, you must define ZTNA connection rules in FortiClient as follows.

For Linux devices, ZTNA certificate provisioning requires Trusted Platform Module 2.0.

It is recommended for FortiClient to receive ZTNA destinations from EMS as configured by the EMS administrator. See the FortiClient EMS Administration Guide.

You cannot use ZTNA destinations and TCP forwarding on a Windows 7 endpoint.

To add a ZTNA destination:
  1. On the ZTNA Destination tab, click Add Destination.
  2. In the Destination Name field, enter the desired name.
  3. In the Destination Host field, enter the IP address/FQDN and port of the destination host in the format <IP address or FQDN>:<port>. This field does not support entering a hostname. For example, you could enter demo.fortinet.com:22 as the destination host value.
  4. In the Proxy Gateway field, enter the FortiGate access IP address and port in the same format. For example, you could enter 21.14.22.11:80 as the proxy gateway value.
  5. From the Mode dropdown list, select Transparent.
  6. Enable or disable Encryption. By default, Encryption is disabled. When Encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic has already been encrypted. When Encryption is disabled, traffic between FortiClient and the FortiGate is not encrypted.
  7. If desired, enable Use external browser as user-agent for saml user authentication. FortiClient can use a browser as an external user-agent to perform SAML authentication.
  8. Click Create.

Previous
Next