7.2.2

Migrate Web access to infrastructure devices for Administrators

Migration is typically arranged so that the fewest users are impacted at first, before the scope is increased incrementally. Therefore, it often begins with the servers and devices accessible only to the Administrators group themselves.

In our example, web access to the EMS server, FortiAnalyzer and FortiAuthenticator for the Administrators group will be migrated first. These servers are only accessible by Administrators. In the Teleworking setup, this corresponds to the following policy configurations:

config firewall policy
    edit 9
        set name "SSL_VPN-Administrators"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "EMS" "FAZ" "Webserver" "FAC"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set groups "LDAP-Administrators"
        set comments ""
    next
end

In the above Teleworking configs, the Webserver address group is also allowed. However, this will be migrated last.

When we migrate to ZTNA, we will require the following:

  • One new IP for port3 to act as the access proxy gateway. In our example environment, it is 10.0.3.10. In a production environment, this will likely be a public IP.

  • For each web service, an FQDN and a DNS entry mapping that FQDN to the new IP above:

    • FortiAnalyzer – zfaz.ztnademo.com

    • FortiClient EMS – zems.ztnademo.com

    • FortiAuthenticator – zfac.ztnademo.com

  • For HTTPS access to these services, a wildcard certificate for *.ztnademo.com
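The three prerequisites above (gateway IP, per-service FQDNs with DNS records, and a wildcard certificate) are easy to get subtly wrong: a record left pointing at the old server, or a hostname with an extra label that a single-level wildcard does not cover. The following pre-migration check is an added example written for this page, not Fortinet code or tooling. It uses the gateway IP and FQDNs from the example environment, but the DNS answers and the certificate's SAN list are constructed inputs (one DNS record is deliberately stale) that stand in for what an administrator would collect before cutting over.

```python
"""Pre-migration check for the ZTNA access-proxy prerequisites.

Added example, not Fortinet code. The DNS answers and SAN list below are
constructed to mimic what an administrator collects before migrating.
"""
import ipaddress

ACCESS_PROXY_IP = "10.0.3.10"          # new port3 IP from the example environment

SERVICE_FQDNS = {                       # FQDNs from the example environment
    "FortiAnalyzer": "zfaz.ztnademo.com",
    "FortiClient EMS": "zems.ztnademo.com",
    "FortiAuthenticator": "zfac.ztnademo.com",
}

# Constructed DNS answers (stand-in for a real zone lookup). The FAC record is
# deliberately left pointing at an old address to show how the check reports it.
DNS_ANSWERS = {
    "zfaz.ztnademo.com": "10.0.3.10",
    "zems.ztnademo.com": "10.0.3.10",
    "zfac.ztnademo.com": "10.0.2.5",
}

# Constructed subjectAltName list of the wildcard certificate.
CERT_SANS = ["*.ztnademo.com"]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' may only be the whole leftmost label and
    covers exactly one label, so *.ztnademo.com does not cover a.b.ztnademo.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False            # reject partial wildcards such as z*.ztnademo.com
    if len(p_labels) < 3:
        return False            # refuse overly broad patterns such as *.com
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """True if any SAN entry (exact or wildcard) covers the hostname."""
    return any(wildcard_matches(san, hostname) for san in sans)


def check_prerequisites(gateway_ip, services, dns_answers, cert_sans):
    """Return a list of human-readable problems; an empty list means the
    DNS and certificate prerequisites for the access proxy are satisfied."""
    problems = []
    gateway = ipaddress.ip_address(gateway_ip)
    for service, fqdn in services.items():
        answer = dns_answers.get(fqdn)
        if answer is None:
            problems.append(f"{service}: no DNS record for {fqdn}")
        elif ipaddress.ip_address(answer) != gateway:
            problems.append(f"{service}: {fqdn} resolves to {answer}, expected {gateway}")
        if not cert_covers(cert_sans, fqdn):
            problems.append(f"{service}: certificate SANs {cert_sans} do not cover {fqdn}")
    return problems


if __name__ == "__main__":
    for problem in check_prerequisites(ACCESS_PROXY_IP, SERVICE_FQDNS, DNS_ANSWERS, CERT_SANS):
        print("PROBLEM:", problem)
```

Run as-is it reports the stale FortiAuthenticator record; once all three records point at the access proxy gateway it reports nothing. The wildcard matcher is deliberately strict (single label, leftmost position only), which matches how browsers and FortiClient validate the certificate presented by the access proxy.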