ZTNA TCP forwarding access proxy example
In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context before granting access to the protected resource.
By default, encryption is disabled on FortiClient ZTNA rules, as this reduces overhead for end-to-end protocols that are already secure. For insecure end-to-end protocols, enable encryption.
RDP access is configured to one server, and SSH access to the other.
This example assumes that the FortiGate EMS fabric connector is already successfully connected.
To configure the access proxy VIP:
config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
To configure the server addresses:
config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end
To configure access proxy server mappings:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end
The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.
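As an added example (not Fortinet's code), the following Python parses the CLI blocks above into a tree and flags the mapping defects a reviewer would look for in a TFAP: a realserver that references an undefined address object, a realserver without mappedport (which, as noted, matches any port), and client-cert not enabled. The sample configuration is constructed from the page's blocks, with an extra "dbserver" entry added to exercise the checks.

```python
# Added example, not Fortinet's code: parse the FortiOS CLI blocks shown on this
# page and flag TCP-forwarding realserver mappings that are incomplete.
import shlex  # shlex.split() copes with the quoted names used in FortiOS CLI
# Constructed sample: the page's address and access-proxy blocks plus one extra,
# deliberately incomplete mapping (edit 3, "dbserver") to exercise the checks.
SAMPLE_CONFIG = (
    'config firewall address edit "FAZ" set subnet 10.88.0.2 255.255.255.255 next '
    'edit "winserver" set subnet 10.88.0.1 255.255.255.255 next end '
    'config firewall access-proxy edit "ZTNA-tcp-server" set vip "ZTNA-tcp-server" '
    'set client-cert enable config api-gateway edit 1 set service tcp-forwarding '
    'config realservers edit 1 set address "FAZ" set mappedport 22 next '
    'edit 2 set address "winserver" set mappedport 3389 next '
    'edit 3 set address "dbserver" next end next end next end'
)

def parse(tokens, i=0):
    """Recursive descent over FortiOS CLI tokens; returns (dict, next index)."""
    node = {}
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("end", "next"):              # closes the current block
            return node, i + 1
        j = i + 1
        while j < len(tokens) and tokens[j] not in {"config", "edit", "set", "next", "end"}:
            j += 1                              # arguments run up to the next keyword
        words = tokens[i + 1:j]
        if tok == "set":                        # attribute with one or more values
            node[words[0]] = words[1:]
        else:                                   # "config <path>" or "edit <key>" opens a block
            node[" ".join(words)], j = parse(tokens, j)
        i = j
    return node, i

def check_tcp_forwarding(config_text):
    tree, _ = parse(shlex.split(config_text))
    addresses = tree.get("firewall address", {})
    findings = []
    for name, proxy in tree.get("firewall access-proxy", {}).items():
        if proxy.get("client-cert") != ["enable"]:
            findings.append(f"{name}: client-cert is not enabled")
        for gw_id, gw in proxy.get("api-gateway", {}).items():
            if gw.get("service") == ["tcp-forwarding"]:
                for rs_id, rs in gw.get("realservers", {}).items():
                    where = f"{name}/api-gateway {gw_id}/realserver {rs_id}"
                    addr = rs.get("address", [None])[0]
                    if addr not in addresses:
                        findings.append(f"{where}: address {addr!r} undefined")
                    if "mappedport" not in rs:  # page: without mappedport any port is matched
                        findings.append(f"{where}: no mappedport, any port matched")
    return findings
```

Running check_tcp_forwarding(SAMPLE_CONFIG) reports only the constructed "dbserver" entry; the page's two mappings pass cleanly.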
To configure a ZTNA rule (proxy policy):
config firewall proxy-policy
    edit 0
        set name "ZTNA_remote"
        set proxy access-proxy
        set access-proxy "ZTNA-tcp-server"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set