Referencing ZTNA profile in a server policy
In a server policy, configure the following ZTNA-related items:
- Optional. In the Network Configuration section, select HTTP Content Routing as the Deployment Mode, then select an HTTP content routing policy to route requests to a server pool based on the ZTNA tags. For how to create an HTTP content routing policy, see "To configure HTTP content routing" in Defining your web servers.
- In the Network Configuration section, select an HTTPS service, then click Advanced SSL settings. Select a Certificate Verify in Certificate Verification for HTTPS (see Certificate Verify), or turn on Enable Server Name Indication (SNI), then select an SNI that contains the ZTNA certificate (see SNI).
- In the Security Configuration section, select the ZTNA profile you have created. For more information, see Configuring a ZTNA Profile.
Find the FortiClient EMS CA certificate that is synchronized to the CA tab in Server Objects > Certificates > CA.
- In Server Objects > Certificates > CA, select the CA Group tab. Add the certificate to a CA group. For more information, see "Grouping trusted CA certificates" in CA certificates.
- In Server Objects > Certificates > Certificate Verify, reference the CA group in a Certificate Verify for FortiWeb to validate client certificates. For more information, see "Configuring FortiWeb to validate client certificates" in How to apply PKI client authentication (personal certificates).
You can also add the certificate to an intermediate CA group, then reference it in an SNI. For more information, see "Supplementing a server certificate with its signing chain" and "Allowing FortiWeb to support multiple server certificates" in How to offload or inspect HTTPS.