Secure private access using ZTNA

FortiSASE agent-based remote users can securely access private resources, specifically TCP-based applications, using ZTNA. This use case offers a direct (shortest) path to private resources and per-session user authentication, which gives both better performance and stronger security. ZTNA has the following requirements:

  • A FortiGate must be located at an organization’s headquarters data center (on-premises, private cloud, or public cloud) and configured as a ZTNA access proxy that controls access to resources behind the FortiGate.
  • Remote users must be agent-based with FortiClient installed.

ZTNA requires FortiClient to be managed by the FortiSASE Endpoint Management Service, which discovers the endpoint's device information, logged-on user information, and security posture, and from which FortiClient requests and obtains a client certificate. The FortiSASE Endpoint Management Service applies ZTNA tagging rules to tag the clients, and FortiSASE then shares the tags and client certificate details with the FortiGate. The FortiGate ZTNA access proxy uses the client certificate to verify the client's identity on every session and grants or denies access based on the client's ZTNA tags.
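The following is an added, self-contained model of the control flow just described; it is example code written for this page, not FortiSASE, FortiClient or FortiOS code. A constructed "EMS" CA issues an endpoint certificate, the "access proxy" trusts only that CA and requires the certificate in every TLS handshake, and the tag set the EMS shared for that certificate (here a hypothetical in-memory table keyed by certificate CN, with made-up tag names) drives the allow/deny decision. Certificates are generated with the openssl CLI into a temporary directory, so the script runs offline.

```python
"""Added ZTNA access-proxy model (example code, not Fortinet's implementation).

Three roles from the text: the EMS issues the client certificate and shares
tags with the proxy; the proxy (a TLS server) verifies the certificate on each
session, then applies a tag policy; the endpoint connects with or without it.
"""
import socket
import ssl
import subprocess
import tempfile
import threading

WORK = tempfile.mkdtemp()


def sh(*args):
    """Run one openssl command inside the scratch directory."""
    subprocess.run(["openssl", *args], cwd=WORK, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def issue_certs():
    """Constructed PKI: an EMS-style CA, one endpoint cert, one proxy cert."""
    sh("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
       "-keyout", "ca.key", "-out", "ca.crt", "-subj", "/CN=Demo-EMS-CA")
    # Hypothetical endpoint identifier in the CN, as an EMS might encode it.
    sh("req", "-newkey", "rsa:2048", "-nodes", "-keyout", "ep.key",
       "-out", "ep.csr", "-subj", "/CN=endpoint-7f3a")
    sh("x509", "-req", "-days", "1", "-in", "ep.csr", "-CA", "ca.crt",
       "-CAkey", "ca.key", "-CAcreateserial", "-out", "ep.crt")
    sh("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
       "-keyout", "proxy.key", "-out", "proxy.crt", "-subj", "/CN=localhost",
       "-addext", "subjectAltName=DNS:localhost")


# Tags the (hypothetical) EMS shared with the proxy, keyed by certificate CN.
EMS_TAGS = {"endpoint-7f3a": {"Demo_Compliant", "Demo_AV_Running"}}
# Proxy policy: every listed tag must be present on the connecting endpoint.
POLICY_REQUIRED_TAGS = {"Demo_Compliant"}


def decide(peer_cert):
    """Tag check; runs only after TLS has already proven key possession."""
    subject = dict(rdn[0] for rdn in peer_cert["subject"])
    tags = EMS_TAGS.get(subject.get("commonName"), set())
    return "ALLOW" if POLICY_REQUIRED_TAGS <= tags else "DENY"


def run_proxy(ready, result):
    """One-shot access proxy: accept a session, verify the cert, answer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{WORK}/proxy.crt", f"{WORK}/proxy.key")
    ctx.verify_mode = ssl.CERT_REQUIRED           # no client cert, no session
    ctx.load_verify_locations(f"{WORK}/ca.crt")   # only EMS-issued certs count
    with socket.create_server(("127.0.0.1", 0)) as srv:
        result["port"] = srv.getsockname()[1]
        ready.set()
        conn, _ = srv.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(decide(tls.getpeercert()).encode())
        except OSError:
            conn.close()          # handshake rejected: no valid EMS certificate


def connect(port, with_cert):
    """Endpoint side: open one session, optionally presenting the EMS cert."""
    ctx = ssl.create_default_context(cafile=f"{WORK}/proxy.crt")
    if with_cert:
        ctx.load_cert_chain(f"{WORK}/ep.crt", f"{WORK}/ep.key")
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.recv(16).decode() or "REJECTED"
    except OSError:
        return "REJECTED"         # proxy tore the session down in the handshake


def session(with_cert):
    """Run one proxy instance and one endpoint connection; return the verdict."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=run_proxy, args=(ready, result), daemon=True)
    t.start()
    ready.wait()
    verdict = connect(result["port"], with_cert)
    t.join()
    return verdict


issue_certs()

if __name__ == "__main__":
    print("with EMS cert, compliant tags:", session(True))
    print("without cert:", session(False))
    EMS_TAGS["endpoint-7f3a"].clear()   # EMS withdrew the tags (posture changed)
    print("with EMS cert, tags withdrawn:", session(True))
```

Two properties of the design are worth noticing: the certificate is checked inside the handshake, so an endpoint without an EMS-issued certificate never reaches the policy code at all, and because the tag lookup happens per session, withdrawing a tag on the EMS side takes effect on the endpoint's next connection without re-issuing certificates.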

For user authentication in this use case, configure the authentication source as Active Directory/LDAP, RADIUS, or a SAML identity provider.

A typical topology for deploying this example design is as follows: