Administration Guide

ZTNA access proxy with SSL VPN web portal example

SSL VPN web portals can be defined in ZTNA access proxy settings. The ZTNA access proxy handles the access control processes (client certificate authentication, posture check, user authentication and authorization) and establishes the HTTPS connection between the end user and the access proxy. It then forwards the user to the web portal, where predefined bookmarks give access to TCP-based services such as HTTPS, RDP, VNC, FTP, SFTP, SSH, Telnet, and SMB. Existing SSL VPN portal configurations can be used.

Note

The web portal service can only be configured in the CLI.

Example

In this example, a remote client connects to the ZTNA access proxy and completes the client certificate check. If successful, the remaining access control procedures are automatically completed, and the user is forwarded to the web portal. The web portal is configured with predefined bookmarks that connect to internal servers and external websites. The user can access any resource that is defined in the bookmarks to create an end-to-end connection.

To configure the SSL VPN web portal:
  1. Go to VPN > SSL-VPN Portals and click Create New.
  2. Enter the name, test_ssl.
  3. Disable Tunnel Mode.
  4. Enable Web Mode.
  5. Create the bookmarks:
    1. Under Predefined Bookmarks, click Create New.
    2. Enter the name of the service.
    3. Select the service Type.
    4. Enter the URL to access the service.
    5. Click OK.
    6. Repeat these steps to create other bookmarks.
  6. Click OK.
To configure the ZTNA access proxy:
  1. Configure a VIP for the ZTNA access proxy. The ssl-certificate can be replaced with a server certificate:
    config firewall vip
        edit "ztna_webportal"
            set type access-proxy
            set extip 172.18.62.68
            set extintf "any"
            set server-type https
            set extport 4443
            set ssl-certificate "*.test.com"
        next
    end
  2. Configure the virtual host to be used to connect to the ZTNA access proxy. The host should resolve to the VIP’s address:
    config firewall access-proxy-virtual-host
        edit "webportal"
            set ssl-certificate "*.test.com"
            set host "web.test.com"
        next
    end
  3. Configure the ZTNA access proxy to be in web portal mode:
    config firewall access-proxy
        edit "ztna_webportal"
            set vip "ztna_webportal"
            set client-cert enable
            config api-gateway
                edit 1
                    set url-map "/webportal"
                    set service web-portal
                    set virtual-host "webportal"
                    set ssl-vpn-web-portal "test_ssl"
                next
            end
        next
    end
  4. Apply the access proxy to a proxy policy (specify the ZTNA tags as needed):
    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy "ztna_webportal"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "FCTEMS8821000000_High"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-type group
            set profile-group "profile group1"
            set logtraffic-start enable
        next
    end

    The SSL VPN bookmarks are learned by the WAD daemon and are ready to use.

  5. Verify the bookmarks:
    # diagnose test app wad 351
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/2nd HTTP)]:
        type  :1
        url   :http://httpbin.org
        host  :
        folder:
        domain:
        port  :0
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/FTP)]:
        type  :4
        url   :
        host  :
        folder:172.16.200.215
        domain:
        port  :0
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/HTTPS-fortinet)]:
        type  :1
        url   :https://www.fortinet.com
        host  :
        folder:
        domain:
        port  :0
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/RDP)]:
        type  :9
        url   :
        host  :172.18.62.213
        folder:
        domain:
        port  :3389
    …
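The four CLI blocks above form a reference chain (proxy policy → access proxy → VIP and virtual host → SSL VPN portal), and a mistyped name in any of them silently breaks the portal without producing a configuration error. The following Python script is an added example and not Fortinet code: it parses FortiOS CLI blocks of the shape shown above into nested dictionaries and checks that chain, reporting a VIP whose type is not access-proxy or whose server-type is not https, a disabled client-cert, an undefined virtual host or portal, and an accepting proxy policy without a ztna-ems-tag. The CONFIG text is the guide's own example embedded inline (the proxy policy trimmed to the settings the checks read); parse_fortios and check_ztna_portal are names chosen for this example.

```python
import shlex
from typing import Dict, List

# The guide's own configuration, embedded inline so the check runs offline.
# The proxy-policy block is trimmed to the settings the checks look at.
CONFIG = """\
config firewall vip
    edit "ztna_webportal"
        set type access-proxy
        set extip 172.18.62.68
        set extintf "any"
        set server-type https
        set extport 4443
        set ssl-certificate "*.test.com"
    next
end
config firewall access-proxy-virtual-host
    edit "webportal"
        set ssl-certificate "*.test.com"
        set host "web.test.com"
    next
end
config firewall access-proxy
    edit "ztna_webportal"
        set vip "ztna_webportal"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/webportal"
                set service web-portal
                set virtual-host "webportal"
                set ssl-vpn-web-portal "test_ssl"
            next
        end
    next
end
config firewall proxy-policy
    edit 1
        set name "ztna_rule"
        set proxy access-proxy
        set access-proxy "ztna_webportal"
        set ztna-ems-tag "FCTEMS8821000000_High"
        set action accept
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Parse config/edit/set/next/end lines into nested dicts.

    A 'config X' node maps entry names (from 'edit') to dicts of their
    'set' values; a 'config' nested inside an entry becomes a sub-dict.
    Quoted values are unquoted the way the CLI would read them."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            # Single-valued settings are stored as str, multi-valued as list.
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def check_ztna_portal(cfg: Dict, proxy_name: str) -> List[str]:
    """Return findings for the web-portal chain; an empty list means consistent."""
    findings: List[str] = []
    ap = cfg.get("firewall access-proxy", {}).get(proxy_name)
    if ap is None:
        return [f"access-proxy {proxy_name!r} not found"]

    vip = cfg.get("firewall vip", {}).get(ap.get("vip", ""))
    if vip is None:
        findings.append("access-proxy references a VIP that is not defined")
    else:
        if vip.get("type") != "access-proxy":
            findings.append("VIP type is not access-proxy")
        if vip.get("server-type") != "https":
            findings.append("VIP server-type is not https")

    if ap.get("client-cert") != "enable":
        findings.append("client-cert is not enabled: client certificate check is skipped")

    for gw_id, gw in ap.get("api-gateway", {}).items():
        if gw.get("service") != "web-portal":
            continue
        hosts = cfg.get("firewall access-proxy-virtual-host", {})
        if gw.get("virtual-host", "") not in hosts:
            findings.append(f"api-gateway {gw_id}: virtual-host is not defined")
        if not gw.get("ssl-vpn-web-portal"):
            findings.append(f"api-gateway {gw_id}: no ssl-vpn-web-portal assigned")

    policies = [p for p in cfg.get("firewall proxy-policy", {}).values()
                if p.get("access-proxy") == proxy_name and p.get("action") == "accept"]
    if not policies:
        findings.append("no accepting proxy-policy references this access-proxy")
    for pol in policies:
        if not pol.get("ztna-ems-tag"):
            findings.append(f"proxy-policy {pol.get('name')!r}: no ztna-ems-tag, "
                            "so the policy does not match on endpoint posture")
    return findings


if __name__ == "__main__":
    problems = check_ztna_portal(parse_fortios(CONFIG), "ztna_webportal")
    print("\n".join(problems) if problems else "configuration chain is consistent")
```

To check a running unit, paste the output of show firewall vip, show firewall access-proxy-virtual-host, show firewall access-proxy and show firewall proxy-policy into CONFIG in place of the sample; the parser only understands the config/edit/set/next/end keywords, which is all those commands emit.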
To test the connection:
  1. From the client browser, go to https://web.test.com:4443/webportal to access the ZTNA access proxy web portal.

  2. Once the client passes the certificate check, posture check, and access is granted, the user is redirected to the web portal. The list of predefined bookmarks appears.

  3. Click a bookmark, such as HTTPS-fortinet. The website opens.

  4. From the web portal, click another bookmark, such as SSH. The page opens with the credential login screen to access the server.
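Before users are given the portal, the bookmark inventory that the WAD daemon reports in step 5 is worth reviewing, because each bookmark is a destination the portal will connect to on the user's behalf. The following Python script is an added example and not Fortinet code: it parses the diagnose test app wad 351 output into one record per bookmark and reports bookmarks whose target is reached over cleartext HTTP or is not a private (RFC 1918) address. WAD_DUMP is the guide's own sample output embedded inline; the type-number names are inferred only from that sample, and hostnames that cannot be classified offline are reported for manual review.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Sample output of 'diagnose test app wad 351' copied from the guide and
# embedded inline so the review runs offline (trailing ellipsis omitted).
WAD_DUMP = """\
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/2nd HTTP)]:
    type  :1
    url   :http://httpbin.org
    host  :
    folder:
    domain:
    port  :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/FTP)]:
    type  :4
    url   :
    host  :
    folder:172.16.200.215
    domain:
    port  :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/HTTPS-fortinet)]:
    type  :1
    url   :https://www.fortinet.com
    host  :
    folder:
    domain:
    port  :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/RDP)]:
    type  :9
    url   :
    host  :172.18.62.213
    folder:
    domain:
    port  :3389
"""

# Type numbers as observed in the sample above (inferred, not documented here).
TYPE_NAMES = {"1": "web", "4": "FTP", "9": "RDP"}

HEADER = re.compile(
    r"^\[bookmark: \(portal/group/name=(?P<portal>[^/]+)/gui-bookmarks/(?P<name>.+)\)\]:$"
)


def parse_wad_bookmarks(dump: str) -> List[Dict[str, str]]:
    """Turn the dump into a list of {portal, name, type, url, host, ...} dicts."""
    bookmarks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in dump.splitlines():
        match = HEADER.match(line.strip())
        if match:
            current = {"portal": match["portal"], "name": match["name"]}
            bookmarks.append(current)
        elif current and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return bookmarks


def target_of(bookmark: Dict[str, str]) -> str:
    """Destination host: the URL host for web bookmarks, else host or folder
    (the sample stores the FTP server in the folder field)."""
    if bookmark.get("url"):
        return urlsplit(bookmark["url"]).hostname or ""
    return bookmark.get("host") or bookmark.get("folder") or ""


def is_private(target: str) -> bool:
    """True only for RFC 1918 / private IP literals; hostnames are unknown offline."""
    try:
        return ipaddress.ip_address(target).is_private
    except ValueError:
        return False


def review_bookmarks(bookmarks: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each bookmark name to a list of review notes (empty means nothing to flag)."""
    report: Dict[str, List[str]] = {}
    for bm in bookmarks:
        notes: List[str] = []
        if bm.get("url", "").lower().startswith("http://"):
            # The proxy secures client-to-portal; this hop to the target is cleartext.
            notes.append("cleartext HTTP from the portal to the target")
        target = target_of(bm)
        if not target:
            notes.append("no target configured")
        elif not is_private(target):
            notes.append(f"target {target} is not a private address")
        report[bm["name"]] = notes
    return report


if __name__ == "__main__":
    for bm in parse_wad_bookmarks(WAD_DUMP):
        kind = TYPE_NAMES.get(bm.get("type", ""), "type " + bm.get("type", "?"))
        print(f"{bm['name']:15} {kind:5} {target_of(bm)}")
    for name, notes in review_bookmarks(parse_wad_bookmarks(WAD_DUMP)).items():
        for note in notes:
            print(f"  {name}: {note}")
```

External targets such as www.fortinet.com are expected in this example, so a note is a prompt to confirm the destination is intended, not an error; a bookmark pointing at a cleartext URL is the one a reviewer would normally ask to change.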