Fortinet black logo

Administration Guide

ZTNA TCP forwarding access proxy example

ZTNA TCP forwarding access proxy example

In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context, before granting access to the protected source.

TCP forwarding access proxy supports communication between the client and the access proxy without SSL/TLS encryption. The connection still begins with a TLS handshake. The client uses the HTTP 101 response to switch protocols and remove the HTTPS stack. Further end to end communication between the client and server are encapsulated in the specified TCP port, but not encrypted by the access proxy. This improves performance by reducing the overhead of encrypting an already secured underlying protocol, such as RDP, SSH, or FTPS. Users should still enable the encryption option for end to end protocols that are insecure.

In this example, RDP (Remote Desktop Protocol) and SMB (Server Message Block) protocol access are configured to one server, and SSH access to the other server. Encryption is disabled for RDP and SSH, and enabled for SMB.

Note

FortiClient (Windows) must be running 7.0.3 or later to detect SMB.

Note

You cannot use ZTNA connection rules and TCP forwarding on a Windows 7 endpoint.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the ZTNA server for TCP access proxy in the GUI:
  1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

  2. Click Create New.

  3. Set Name to ZTNA-tcp-server.

  4. Set Interface to port3. The IP address and Port fields are automatically set to the IP address of the selected interface and the default port 443.

    1. Set External IP to 10.0.3.11.
    2. Set External port to 8443.

    Note

    Verify that the IP address and port do not conflict with management access to the interface. Otherwise, change the IP address to another address on that subnet.

  5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.

  6. Add server mapping:

    1. In the Service/server mapping table, click Create New.

    2. Set Service to TCP Forwarding.

    3. In the Server section, click Address and create a new address for the FortiAnalyzer server at 10.88.0.2.

    4. Set Port to 22.

    5. Click OK.

  7. Click OK.

  8. Use the CLI to add another server for the winserver server at 10.88.0.1 with ports 445 and 3389 to correspond to SMB and RDP:

    config firewall access-proxy
        edit "ZTNA-tcp-server"
            config api-gateway
                edit 1
                    config realservers
                        edit 0
               set address "winserver"
               set mappedport 445 3389 
                        next
                    end
                next
            end
        next
    end
  9. In the GUI, edit the ZTNA server named ZTNA-tcp-server, and verify the server mapping for winserver.

To configure a simple ZTNA policy to allow traffic to the TCP access proxy in the GUI:
  1. Go to Policy & Objects > Firewall Policy, and click Create New.

  2. Set Name to ZTNA_remote.

  3. Set Type to ZTNA.

  4. Set Incoming Interface to port3.

  5. Set Source to all.

  6. Select the ZTNA server ZTNA-tcp-server.

  7. Configure the remaining options as needed.

  8. Click OK.

To configure the access proxy VIP in the CLI:
config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
To configure the server addresses in the CLI:
config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end
To configure access proxy server mappings in the CLI:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server" 
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22 
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 445 3389 
                    next
                end
            next
        end
    next
end

The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.

To configure a ZTNA rule (proxy policy) in the CLI:
config firewall policy
    edit 11
        set name "ZTNA_remote"
        set srcintf "port3"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "ZTNA-tcp-server"
        set schedule "always"
        set logtraffic all
        set nat enable
    next
end

For configuration examples using full ZTNA policy, see Configure a ZTNA policy.

Test the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

Note

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA TCP forwarding rules via EMS for details.

To create a ZTNA Destination in FortiClient:
  1. On the ZTNA Destination tab, click Add Destination.

  2. Set Destination Name to SSH-FAZ.

  3. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.

  4. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.

  5. Leave Encryption disabled. This option determines whether or not the Client to FortiGate access proxy connection is encrypted in HTTPS.

  6. Click Create.

  7. Create a second rule with the following settings:

    • Rule Name: RDP-winserver

    • Destination Host: 10.88.0.1:3389

    • Proxy Gateway: 10.0.3.11:8443

    • Encryption: Disabled

  8. Create a third rule with the following settings:

    • Rule Name: SMB-winserver

    • Destination Host: 10.88.0.1:445

    • Proxy Gateway: 10.0.3.11:8443

    • Encryption: Enabled

After creating the ZTNA connection rules, you can SSH, RDP, and SMB directly to the server IP address and port.

Logs

# execute log filter category 0
# execute log filter field subtype ztna
# execute log display
SSH:
1: date=2023-05-04 time=11:56:35 eventtime=1683226594376318600 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=62958 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="port2" dstintfrole="dmz" sessionid=31382 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SSH" proxyapptype="http" proto=6 action="accept" policyid=11 policytype="policy" poluuid="a63a424a-eaa9-51ed-cf84-b36eec5d2195" policyname="ZTNA_remote" duration=178 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdevicemanageable="manageable" wanin=2821 rcvdbyte=2821 wanout=2705 lanin=4556 sentbyte=4556 lanout=5087 appcat="unscanned"
		
RDP:
1: date=2023-05-04 time=11:59:14 eventtime=1683226753600713941 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63053 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=3389 dstintf="port2" dstintfrole="dmz" sessionid=31513 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="RDP" proxyapptype="http" proto=6 action="accept" policyid=11 policytype="policy" poluuid="a63a424a-eaa9-51ed-cf84-b36eec5d2195" policyname="ZTNA_remote" duration=13 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdevicemanageable="manageable" wanin=1588 rcvdbyte=1588 wanout=1040 lanin=2893 sentbyte=2893 lanout=3854 appcat="unscanned"
SMB:
1: date=2023-05-04 time=12:15:07 eventtime=1683227707205696615 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63113 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=445 dstintf="port2" dstintfrole="dmz" sessionid=31635 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SMB" proxyapptype="http" proto=6 action="accept" policyid=11 policytype="policy" poluuid="a63a424a-eaa9-51ed-cf84-b36eec5d2195" policyname="ZTNA_remote" duration=801 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdevicemanageable="manageable" wanin=37670 rcvdbyte=37670 wanout=27153 lanin=33484 sentbyte=33484 lanout=44429 appcat="unscanned"

Related Videos

sidebar video

Using ZTNA to Access Protected TCP Applications

  • 3,168 views
  • 2 years ago
sidebar video

ZTNA Access for SSH and SMB Applications

  • 3,298 views
  • 1 years ago

ZTNA TCP forwarding access proxy example

In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context, before granting access to the protected source.

TCP forwarding access proxy supports communication between the client and the access proxy without SSL/TLS encryption. The connection still begins with a TLS handshake. The client uses the HTTP 101 response to switch protocols and remove the HTTPS stack. Further end to end communication between the client and server are encapsulated in the specified TCP port, but not encrypted by the access proxy. This improves performance by reducing the overhead of encrypting an already secured underlying protocol, such as RDP, SSH, or FTPS. Users should still enable the encryption option for end to end protocols that are insecure.

In this example, RDP (Remote Desktop Protocol) and SMB (Server Message Block) protocol access are configured to one server, and SSH access to the other server. Encryption is disabled for RDP and SSH, and enabled for SMB.

Note

FortiClient (Windows) must be running 7.0.3 or later to detect SMB.

Note

You cannot use ZTNA connection rules and TCP forwarding on a Windows 7 endpoint.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the ZTNA server for TCP access proxy in the GUI:
  1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

  2. Click Create New.

  3. Set Name to ZTNA-tcp-server.

  4. Set Interface to port3. The IP address and Port fields are automatically set to the IP address of the selected interface and the default port 443.

    1. Set External IP to 10.0.3.11.
    2. Set External port to 8443.

    Note

    Verify that the IP address and port do not conflict with management access to the interface. Otherwise, change the IP address to another address on that subnet.

  5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.

  6. Add server mapping:

    1. In the Service/server mapping table, click Create New.

    2. Set Service to TCP Forwarding.

    3. In the Server section, click Address and create a new address for the FortiAnalyzer server at 10.88.0.2.

    4. Set Port to 22.

    5. Click OK.

  7. Click OK.

  8. Use the CLI to add another server for the winserver server at 10.88.0.1 with ports 445 and 3389 to correspond to SMB and RDP:

    config firewall access-proxy
        edit "ZTNA-tcp-server"
            config api-gateway
                edit 1
                    config realservers
                        edit 0
               set address "winserver"
               set mappedport 445 3389 
                        next
                    end
                next
            end
        next
    end
  9. In the GUI, edit the ZTNA server named ZTNA-tcp-server, and verify the server mapping for winserver.

To configure a simple ZTNA policy to allow traffic to the TCP access proxy in the GUI:
  1. Go to Policy & Objects > Firewall Policy, and click Create New.

  2. Set Name to ZTNA_remote.

  3. Set Type to ZTNA.

  4. Set Incoming Interface to port3.

  5. Set Source to all.

  6. Select the ZTNA server ZTNA-tcp-server.

  7. Configure the remaining options as needed.

  8. Click OK.

To configure the access proxy VIP in the CLI:
config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
To configure the server addresses in the CLI:
config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end
To configure access proxy server mappings in the CLI:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server" 
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22 
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 445 3389 
                    next
                end
            next
        end
    next
end

The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.

To configure a ZTNA rule (proxy policy) in the CLI:
config firewall policy
    edit 11
        set name "ZTNA_remote"
        set srcintf "port3"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "ZTNA-tcp-server"
        set schedule "always"
        set logtraffic all
        set nat enable
    next
end

For configuration examples using full ZTNA policy, see Configure a ZTNA policy.

Test the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

Note

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA TCP forwarding rules via EMS for details.

To create a ZTNA Destination in FortiClient:
  1. On the ZTNA Destination tab, click Add Destination.

  2. Set Destination Name to SSH-FAZ.

  3. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.

  4. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.

  5. Leave Encryption disabled. This option determines whether or not the Client to FortiGate access proxy connection is encrypted in HTTPS.

  6. Click Create.

  7. Create a second rule with the following settings:

    • Rule Name: RDP-winserver

    • Destination Host: 10.88.0.1:3389

    • Proxy Gateway: 10.0.3.11:8443

    • Encryption: Disabled

  8. Create a third rule with the following settings:

    • Rule Name: SMB-winserver

    • Destination Host: 10.88.0.1:445

    • Proxy Gateway: 10.0.3.11:8443

    • Encryption: Enabled

After creating the ZTNA connection rules, you can SSH, RDP, and SMB directly to the server IP address and port.

Logs

# execute log filter category 0
# execute log filter field subtype ztna
# execute log display
SSH:
1: date=2023-05-04 time=11:56:35 eventtime=1683226594376318600 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=62958 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="port2" dstintfrole="dmz" sessionid=31382 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SSH" proxyapptype="http" proto=6 action="accept" policyid=11 policytype="policy" poluuid="a63a424a-eaa9-51ed-cf84-b36eec5d2195" policyname="ZTNA_remote" duration=178 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdevicemanageable="manageable" wanin=2821 rcvdbyte=2821 wanout=2705 lanin=4556 sentbyte=4556 lanout=5087 appcat="unscanned"
		
RDP:
1: date=2023-05-04 time=11:59:14 eventtime=1683226753600713941 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63053 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=3389 dstintf="port2" dstintfrole="dmz" sessionid=31513 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="RDP" proxyapptype="http" proto=6 action="accept" policyid=11 policytype="policy" poluuid="a63a424a-eaa9-51ed-cf84-b36eec5d2195" policyname="ZTNA_remote" duration=13 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdevicemanageable="manageable" wanin=1588 rcvdbyte=1588 wanout=1040 lanin=2893 sentbyte=2893 lanout=3854 appcat="unscanned"
SMB:
1: date=2023-05-04 time=12:15:07 eventtime=1683227707205696615 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63113 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=445 dstintf="port2" dstintfrole="dmz" sessionid=31635 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SMB" proxyapptype="http" proto=6 action="accept" policyid=11 policytype="policy" poluuid="a63a424a-eaa9-51ed-cf84-b36eec5d2195" policyname="ZTNA_remote" duration=801 gatewayid=1 vip="ZTNA-tcp-server" accessproxy="ZTNA-tcp-server" clientdevicemanageable="manageable" wanin=37670 rcvdbyte=37670 wanout=27153 lanin=33484 sentbyte=33484 lanout=44429 appcat="unscanned"