ZTNA access proxy with SSL VPN web portal example
SSL VPN web portals can be defined in ZTNA access proxy settings. The ZTNA access proxy handles the access control processes (client certificate authentication, posture check, user authentication and authorization) and establishes the HTTPS connection between the end user and the access proxy. It then forwards the user to the web portal, where predefined bookmarks give access to TCP-based services such as HTTPS, RDP, VNC, FTP, SFTP, SSH, Telnet, and SMB. Existing SSL VPN portal configurations can be reused.
The web portal service can only be configured in the CLI.
Example
In this example, a remote client connects to the ZTNA access proxy and completes the client certificate check. If successful, the remaining access control procedures are automatically completed, and the user is forwarded to the web portal. The web portal is configured with predefined bookmarks that connect to internal servers and external websites. The user can access any resource that is defined in the bookmarks to create an end-to-end connection.
To configure the SSL VPN web portal:
- Go to VPN > SSL-VPN Portals and click Create New.
- Enter the name, test_ssl.
- Disable Tunnel Mode.
- Enable Web Mode.
- Create the bookmarks:
    - Under Predefined Bookmarks, click Create New.
    - Enter the name of the service.
    - Select the service Type.
    - Enter the URL to access the service.
    - Click OK.
    - Repeat these steps to create other bookmarks.
- Click OK.
To configure the ZTNA access proxy:
- Configure a VIP for the ZTNA access proxy. The ssl-certificate can be replaced with a server certificate:
    config firewall vip
        edit "ztna_webportal"
            set type access-proxy
            set extip 172.18.62.68
            set extintf "any"
            set server-type https
            set extport 4443
            set ssl-certificate "*.test.com"
        next
    end
- Configure the virtual host to be used to connect to the ZTNA access proxy. The host should resolve to the VIP’s address:
    config firewall access-proxy-virtual-host
        edit "webportal"
            set ssl-certificate "*.test.com"
            set host "web.test.com"
        next
    end
- Configure the ZTNA access proxy to be in web portal mode:
    config firewall access-proxy
        edit "ztna_webportal"
            set vip "ztna_webportal"
            set client-cert enable
            config api-gateway
                edit 1
                    set url-map "/webportal"
                    set service web-portal
                    set virtual-host "webportal"
                    set ssl-vpn-web-portal "test_ssl"
                next
            end
        next
    end
- Apply the access proxy to a proxy policy (specify the ZTNA tags as needed):
    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy "ztna_webportal"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "FCTEMS8821000000_High"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-type group
            set profile-group "profile group1"
            set logtraffic-start enable
        next
    end
The SSL VPN bookmarks are learned by the WAD daemon and are ready to use.
- Verify the bookmarks:
    # diagnose test app wad 351
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/2nd HTTP)]:
      type  :1
      url   :http://httpbin.org
      host  :
      folder:
      domain:
      port  :0
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/FTP)]:
      type  :4
      url   :
      host  :
      folder:172.16.200.215
      domain:
      port  :0
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/HTTPS-fortinet)]:
      type  :1
      url   :https://www.fortinet.com
      host  :
      folder:
      domain:
      port  :0
    [bookmark: (portal/group/name=test_ssl/gui-bookmarks/RDP)]:
      type  :9
      url   :
      host  :172.18.62.213
      folder:
      domain:
      port  :3389
    …
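The bookmark dump is easier to review when parsed than when read by eye. The following is an added example, not Fortinet's code: it parses the `diagnose test app wad 351` layout above and runs the checks a reviewer would want after the bookmarks are learned (bookmark belongs to the expected portal, has a target, and does not leave the proxy-to-server leg as cleartext HTTP). The one-field-per-line layout and the function names are assumptions; the sample values are the ones shown on this page.

```python
import re

# Constructed sample shaped like the `diagnose test app wad 351` output above
# (values are this page's; one field per line is an assumed layout).
SAMPLE_WAD_351 = """\
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/2nd HTTP)]:
  type  :1
  url   :http://httpbin.org
  host  :
  folder:
  domain:
  port  :0
[bookmark: (portal/group/name=test_ssl/gui-bookmarks/FTP)]:
  type  :4
  url   :
  host  :
  folder:172.16.200.215
  domain:
  port  :0
"""
HEADER = re.compile(r"^\[bookmark: \((.+?)\)\]:\s*$")
FIELD = re.compile(r"^\s*(\w+)\s*:(.*)$")

def parse_wad_bookmarks(text):
    """One dict per bookmark: portal, name, plus the dumped key:value fields."""
    out = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            path = m.group(1)  # portal/group/name=<portal>/gui-bookmarks/<name>
            portal = path.split("name=", 1)[1].split("/", 1)[0]
            out.append({"portal": portal, "name": path.rsplit("/", 1)[1]})
        elif (m := FIELD.match(line)) and out:
            out[-1][m.group(1)] = m.group(2).strip()
    return out

def audit_bookmarks(bookmarks, expected_portal):
    """Flag bookmarks a reviewer checks once WAD has learned them: wrong portal,
    no target, or a web bookmark whose proxy-to-server leg is cleartext HTTP."""
    findings = []
    for b in bookmarks:
        if b["portal"] != expected_portal:
            findings.append(f"{b['name']}: portal {b['portal']} != {expected_portal}")
        # FTP entries carry the server in 'folder' in this page's output.
        if not (b.get("url") or b.get("host") or b.get("folder")):
            findings.append(f"{b['name']}: no url/host/folder target")
        if b.get("url", "").startswith("http://"):
            findings.append(f"{b['name']}: cleartext HTTP backend {b['url']}")
    return findings
```

Feed it the real dump (for example, copied from the CLI console) and compare the names against the portal's configured bookmarks; any entry the portal has but WAD did not learn is missing from the output.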
To test the connection:
- From the client browser, go to https://web.test.com:4443/webportal to access the ZTNA access proxy web portal.
- Once the client passes the certificate check and posture check and access is granted, the user is redirected to the web portal. The list of predefined bookmarks appears.
- Click a bookmark, such as HTTPS-fortinet. The website opens.
- From the web portal, click another bookmark, such as SSH. The page opens with the credential login screen to access the server.