ZTNA TCP forwarding access proxy example
In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context, before granting access to the protected source.
By default, encryption is disabled on FortiClient ZTNA rules, as this reduces overhead for end to end protocols that are already secure. For insecure end to end protocols, enable encryption.
RDP access is configured to one server, and SSH access to the other.
This example assumes that the FortiGate EMS fabric connector is already successfully connected.
To configure the access proxy VIP:
config firewall vip
edit "ZTNA-tcp-server"
set type access-proxy
set extip 10.0.3.11
set extintf "port3"
set server-type https
set extport 8443
set ssl-certificate "Fortinet_SSL"
next
end
To configure the server addresses:
config firewall address
edit "FAZ"
set subnet 10.88.0.2 255.255.255.255
next
edit "winserver"
set subnet 10.88.0.1 255.255.255.255
next
end
To configure access proxy server mappings:
config firewall access-proxy
edit "ZTNA-tcp-server"
set vip "ZTNA-tcp-server"
set client-cert enable
config api-gateway
edit 1
set service tcp-forwarding
config realservers
edit 1
set address "FAZ"
set mappedport 22
next
edit 2
set address "winserver"
set mappedport 3389
next
end
next
end
next
end
The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.
To configure a ZTNA rule (proxy policy):
config firewall proxy-policy
edit 0
set name "ZTNA_remote"
set proxy access-proxy
set access-proxy "ZTNA-tcp-server"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set utm-status enable
set