ZTNA access proxy
ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of dial-up VPNs. ZTNA rules and tagging offer additional identity and posture checking.
With ZTNA access proxy, FortiGate access proxy can proxy HTTP and TCP traffic over secure HTTPS connections with the client. This enables seamless access from the client to the protected servers, without needing to form IPsec or SSL VPN tunnels.
The following methods can be used for ZTNA access proxy:
HTTPS access proxy
FortiGate HTTPS access proxy works as a reverse proxy for the HTTP server. When a client connects to a web page hosted by the protected server, the address resolves to the FortiGate’s access proxy VIP. The FortiGate proxies the connection, and takes steps to authenticate the user. It prompts the user for their certificate on the browser, and verifies this against the ZTNA endpoint record that is synchronized from FortiClient EMS. If an authentication scheme, such as SAML authentication, is configured, the client is redirected to a captive portal for sign-on. If this passes, traffic is allowed based on the ZTNA rules, and the FortiGate returns the web page to the client.
TCP forwarding access proxy (TFAP)
TCP forwarding access proxy works as a special type of HTTPS reverse proxy. Instead of proxying traffic to a web server, TCP traffic is tunneled between the client and the access proxy over HTTPS and forwarded to the protected resource. The FortiClient endpoint configures the ZTNA connection by pointing to the proxy gateway, and then specifying the destination host that it wants to reach. An HTTPS connection is made to the FortiGate’s access proxy VIP, where the client certificate is verified, and access is granted based on the ZTNA rules. TCP traffic is forwarded from the FortiGate to the protected resource, and an end-to-end connection is established.
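The two flows above (HTTPS access proxy and TFAP) share the same decision sequence: the connection must arrive at the access proxy VIP, the client certificate is matched against the endpoint record synchronized from EMS, an optional authentication scheme redirects to a captive portal, and finally the ZTNA rules with their EMS tags decide whether traffic reaches the protected resource. The following Python model of that sequence is an added example written for this page; it is not FortiGate or FortiClient code, and all endpoint records, tag names, addresses and rule names in it are constructed. It assumes a simple rule semantics (first matching rule for the proxy wins, a rule matches when every tag it lists is present on the endpoint) that stands in for the real ZTNA rule evaluation.

```python
"""Toy model of the ZTNA access proxy decision flow (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass
class EndpointRecord:
    """Endpoint record as synchronized from EMS (constructed sample data)."""
    cert_serial: str
    user: str
    tags: FrozenSet[str]


@dataclass
class ZtnaRule:
    """ZTNA rule: applies to one access proxy, matches on EMS tags."""
    name: str
    access_proxy: str
    ems_tags: FrozenSet[str]     # every listed tag must be present on the endpoint
    action: str                  # "accept" or "deny"


@dataclass
class AccessProxy:
    name: str
    vip: str                     # "ip:port" the client resolves to
    mode: str                    # "https" (reverse proxy) or "tfap" (TCP forwarding)
    auth_scheme: Optional[str]   # e.g. "saml"; None means certificate check only
    targets: Dict[str, str]      # https: URL prefix -> real server; tfap: published "host:port"


@dataclass
class Request:
    dst: str                     # where the client connected (should be the VIP)
    cert_serial: Optional[str]   # client certificate presented by the browser/FortiClient
    path: str = "/"              # https mode: requested URL path
    tcp_target: str = ""         # tfap mode: destination host:port requested by FortiClient


def decide(req: Request, proxy: AccessProxy, endpoints: Dict[str, EndpointRecord],
           rules: list, signed_on: Set[str]) -> Tuple[str, str]:
    """Return (decision, detail), following the steps in the text."""
    if req.dst != proxy.vip:
        return "drop", "not addressed to the access proxy VIP"
    if req.cert_serial is None:
        return "deny", "client certificate required"
    ep = endpoints.get(req.cert_serial)
    if ep is None:
        return "deny", "certificate not found in EMS endpoint records"
    # Optional authentication scheme: unauthenticated users go to the captive portal.
    if proxy.auth_scheme and ep.user not in signed_on:
        return "redirect", f"{proxy.auth_scheme} captive portal"
    # ZTNA rules: first rule for this proxy whose tags are all present decides.
    for rule in rules:
        if rule.access_proxy == proxy.name and rule.ems_tags <= ep.tags:
            if rule.action != "accept":
                return "deny", f"rule {rule.name}"
            break
    else:
        return "deny", "no matching ZTNA rule"
    if proxy.mode == "https":
        # Longest URL prefix wins, like a reverse proxy's URL map.
        for prefix in sorted(proxy.targets, key=len, reverse=True):
            if req.path.startswith(prefix):
                return "allow", f"proxied to {proxy.targets[prefix]}"
        return "deny", "no real server for path"
    if req.tcp_target in proxy.targets:
        return "allow", f"tcp forwarded to {req.tcp_target}"
    return "deny", "destination not published by this proxy"


# Constructed sample data: two endpoints, two proxies, three rules.
ENDPOINTS = {
    "1001": EndpointRecord("1001", "alice", frozenset({"Compliant", "AV-Running"})),
    "1002": EndpointRecord("1002", "bob", frozenset({"Malicious-File-Detected"})),
}
WEB = AccessProxy("web-proxy", "203.0.113.10:443", "https", "saml", {"/": "10.88.0.10:80"})
RDP = AccessProxy("rdp-proxy", "203.0.113.10:8443", "tfap", None, {"10.88.0.20:3389": "rdp"})
RULES = [
    ZtnaRule("block-infected", "web-proxy", frozenset({"Malicious-File-Detected"}), "deny"),
    ZtnaRule("allow-compliant", "web-proxy", frozenset({"Compliant"}), "accept"),
    ZtnaRule("allow-compliant-rdp", "rdp-proxy", frozenset({"Compliant"}), "accept"),
]


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Exercise the flow with a few constructed requests; returns case -> decision."""
    return {
        "web_signed_on": decide(Request(WEB.vip, "1001", path="/app"), WEB, ENDPOINTS, RULES, {"alice"}),
        "web_not_signed_on": decide(Request(WEB.vip, "1001"), WEB, ENDPOINTS, RULES, set()),
        "web_infected": decide(Request(WEB.vip, "1002"), WEB, ENDPOINTS, RULES, {"bob"}),
        "web_unknown_cert": decide(Request(WEB.vip, "9999"), WEB, ENDPOINTS, RULES, {"alice"}),
        "web_no_cert": decide(Request(WEB.vip, None), WEB, ENDPOINTS, RULES, {"alice"}),
        "rdp_allowed": decide(Request(RDP.vip, "1001", tcp_target="10.88.0.20:3389"), RDP, ENDPOINTS, RULES, set()),
        "rdp_unpublished": decide(Request(RDP.vip, "1001", tcp_target="10.88.0.99:22"), RDP, ENDPOINTS, RULES, set()),
        "rdp_infected": decide(Request(RDP.vip, "1002", tcp_target="10.88.0.20:3389"), RDP, ENDPOINTS, RULES, set()),
    }


if __name__ == "__main__":
    for case, result in run_samples().items():
        print(f"{case:18} -> {result[0]:8} ({result[1]})")
```

Note that the TFAP proxy has no authentication scheme, so the certificate check and the ZTNA rules alone gate the TCP tunnel, while the HTTPS proxy sends users who have not signed on to the SAML captive portal before any rule is evaluated.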