ZTNA Destinations
You can use FortiClient to create a secure, encrypted connection to protected applications without using a VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection over HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and checks other endpoint information that EMS provides to the FortiGate, which can include additional identity and posture information. The FortiGate then allows or denies the access as applicable. See the FortiOS Administration Guide for FortiOS configuration requirements. For TCP forwarding to non-web-based applications, you must define ZTNA destinations as follows.
You can configure these destinations in a ZTNA Destinations profile in EMS to deploy to endpoints as part of an endpoint policy.
See ZTNA Applications Catalog to view the ZTNA applications available for selection.
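The access decision described above (device UID taken from the client certificate, posture supplied by EMS, the gateway allowing or denying per destination) is modelled in the following added example. This is illustrative code, not FortiClient, FortiGate or EMS code, and it assumes details the page does not specify: that the UID is carried as the CN of the certificate subject, that EMS shares a per-UID posture record as a set of tags, and that a ZTNA rule is a set of required and forbidden tags for one destination. The device records and rules are constructed sample data.

```python
"""Illustrative model of a ZTNA TCP-forwarding access decision.

Added example, not vendor code. Assumptions (not from the product documentation):
  * the FortiClient UID is the CN attribute of the client certificate subject;
  * EMS shares a per-UID posture record with the gateway as a set of tags;
  * a ZTNA rule lists required tags and denied tags for one destination.
"""
from dataclasses import dataclass

# Constructed sample of what EMS might share with the gateway (assumed shape).
EMS_DEVICE_RECORDS = {
    "uid-0001": {"user": "alice", "tags": {"managed", "av-running", "disk-encrypted"}},
    "uid-0002": {"user": "bob", "tags": {"managed"}},
    "uid-0003": {"user": "carol", "tags": {"managed", "av-running", "compromised"}},
}


@dataclass(frozen=True)
class ZtnaRule:
    """Hypothetical rule: tags the endpoint must have and tags that block access."""
    destination: str
    required_tags: frozenset = frozenset()
    denied_tags: frozenset = frozenset()


# Constructed rules for two hypothetical non-web destinations.
RULES = [
    ZtnaRule("rdp.internal:3389",
             frozenset({"managed", "av-running", "disk-encrypted"}),
             frozenset({"compromised"})),
    ZtnaRule("db.internal:1433",
             frozenset({"managed"}),
             frozenset({"compromised"})),
]


def parse_subject(subject: str) -> dict:
    """Parse a 'KEY=value,KEY=value' subject string into a dict (constructed format)."""
    attrs = {}
    for part in subject.split(","):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def decide(subject: str, destination: str, rules=RULES, records=EMS_DEVICE_RECORDS):
    """Return (allowed, reason) for one forwarding request.

    Fails closed: a missing or unknown UID, a destination with no rule,
    a denied tag, or a missing required tag all result in a deny.
    """
    uid = parse_subject(subject).get("CN")
    if not uid:
        return False, "no UID in client certificate subject"
    record = records.get(uid)
    if record is None:
        return False, f"UID {uid} not known to EMS"
    rule = next((r for r in rules if r.destination == destination), None)
    if rule is None:
        return False, f"no ZTNA rule for {destination}"
    tags = record["tags"]
    hit = tags & rule.denied_tags
    if hit:
        return False, f"denied tag(s) present: {sorted(hit)}"
    missing = rule.required_tags - tags
    if missing:
        return False, f"missing required tag(s): {sorted(missing)}"
    return True, f"{record['user']} on {uid} allowed to {destination}"


if __name__ == "__main__":
    for subj, dest in [
        ("CN=uid-0001,OU=FortiClient", "rdp.internal:3389"),
        ("CN=uid-0002,OU=FortiClient", "rdp.internal:3389"),
        ("CN=uid-0003,OU=FortiClient", "db.internal:1433"),
        ("OU=FortiClient", "db.internal:1433"),
    ]:
        print(dest, subj, "->", decide(subj, dest))
```

The point worth keeping from this model is the fail-closed shape: identity (the UID) and posture (the EMS tags) are both checked before any forwarding is allowed, and every unknown or unmet condition produces a deny with a reason that can be logged.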
To configure a ZTNA destination profile:
- Go to Endpoint Profiles > ZTNA Destinations. Select the desired profile or create a new one.
- In the Name field, enter the desired name.
- If desired, enable the following options:
| Option | Description |
|---|---|
| Allow Personal Destinations | Allows end users to configure personal ZTNA destinations. |
| Enforce Valid Server Certificate | Blocks end users from accessing ZTNA destinations whose server certificate is invalid. |
| Notify user on error | FortiClient displays an error message to users when a TCP forwarding error occurs. |
- Under Rules, click Add.
- In the dialog, select the required applications. Click Finish.
- For each destination, if desired, you can enable Redirect to use the default external browser for ZTNA SAML authentication. If disabled, FortiClient uses the FortiClient embedded browser for ZTNA SAML authentication.
- Save the profile.
- On an endpoint that received the profile changes, go to ZTNA Destination. You can see the ZTNA applications from the list that EMS received from FortiOS.