EMS Administration Guide

ZTNA Destinations

You can use FortiClient to create a secure encrypted connection to protected applications without a VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection over HTTPS, using a certificate received from EMS that includes the FortiClient UID. The FortiGate uses the UID to identify the device and to look up the endpoint information that EMS provides to it, which can include identity and posture information. The FortiGate then allows or denies access accordingly. See Zero Trust Network Access for FortiOS configuration requirements. For TCP forwarding to non-web-based applications, you must define ZTNA destinations as follows.

You can configure these destinations in a ZTNA Destinations profile in EMS to deploy to endpoints as part of an endpoint policy.

To add a ZTNA destination:
  1. Go to Endpoint Profiles > ZTNA Destinations.
  2. Click Add.
  3. Click Advanced.
  4. Toggle the eye icon to show or hide this feature from the end user in FortiClient.
  5. In the Name field, enter the desired name.
  6. If desired, enable Allow Personal Destinations. This feature allows end users to configure personal ZTNA destinations.
  7. Add a destination:

    1. Under Rules, click Add Destination.
    2. In the Destination Name field, enter the desired destination name.

    3. In the Destination Host field, enter the IP address/FQDN and port of the destination host in the format <IP address or FQDN>:<port>.
    4. In the Proxy Gateway field, enter the FortiGate access IP address and port in the same format.
    5. From the Mode dropdown list, select Transparent.
    6. Enable or disable encryption. By default, encryption is disabled. When encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic is already encrypted. When encryption is disabled, traffic between FortiClient and the FortiGate is unencrypted.
    7. Enable or disable Use External Browser as User-agent for SAML User Authentication. When you enable this feature, FortiClient presents the SAML authentication request to the end user in a web browser for traffic that matches this rule.
    8. Click Save.
  8. Repeat the steps to configure multiple destinations for this profile as desired, then click Save.
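As an added illustration that is not part of the EMS guide or of any Fortinet tooling: a small Python audit that checks Destination Host and Proxy Gateway values against the `<IP address or FQDN>:<port>` format used in steps 3 and 4, and flags rules that keep the default (disabled) encryption setting from step 6. The `Destination` and `audit` names, the hostnames and the sample profile are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 1123-style label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_host_port(value: str) -> tuple[str, int]:
    """Parse '<IP address or FQDN>:<port>' (Destination Host / Proxy Gateway format)."""
    host, sep, port_str = value.rpartition(":")
    if not sep or not host or not port_str.isdigit():
        raise ValueError(f"expected <IP address or FQDN>:<port>, got {value!r}")
    port = int(port_str)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {value!r}")
    try:
        ipaddress.IPv4Address(host)  # a plain IPv4 address is accepted as-is
    except ipaddress.AddressValueError:
        labels = host.rstrip(".").split(".")
        if len(host) > 253 or not all(_LABEL.match(lab) for lab in labels):
            raise ValueError(f"invalid FQDN in {value!r}") from None
    return host, port

@dataclass
class Destination:  # hypothetical model of one ZTNA destination rule
    name: str
    host: str           # '<IP address or FQDN>:<port>'
    proxy_gateway: str  # FortiGate access IP/FQDN and port, same format
    encryption: bool = False  # EMS default: disabled

def audit(destinations: list[Destination]) -> list[str]:
    """One finding per malformed field, plus one per rule whose FortiClient->FortiGate leg is unencrypted."""
    findings = []
    for d in destinations:
        for field_name in ("host", "proxy_gateway"):
            try:
                parse_host_port(getattr(d, field_name))
            except ValueError as exc:
                findings.append(f"{d.name}: {field_name}: {exc}")
        if not d.encryption:
            findings.append(f"{d.name}: encryption disabled, FortiClient->FortiGate leg is cleartext")
    return findings

# Constructed sample profile (not from the EMS guide).
SAMPLE = [
    Destination("rdp-jumphost", "10.0.20.15:3389", "ztna-gw.example.com:8443", encryption=True),
    Destination("legacy-db", "db01.corp.example:1433", "ztna-gw.example.com:8443"),
    Destination("bad-entry", "fileserver", "ztna-gw.example.com:8443", encryption=True),
]
```

Running `audit(SAMPLE)` reports the legacy-db rule for its unencrypted FortiClient-to-FortiGate leg and the bad-entry rule for a host that lacks the required port.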
