Technical Tip: Agentless ZTNA Access Proxy Portal unable to access internal HTTP/HTTPS resources using ‘apptype web’
Description | This article describes what is required to access internal HTTP/HTTPS resources with 'apptype web'.
|
Scope | FortiGate v7.6.1 and above. |
Solution | Topology: FortiGate-800D (public/external IP: 10.56.241.104) ===IPsec=== Remote-FortiGate === internal-web-server (10.191.1.231).

Problematic configuration of 'apptype web'. 'https-win-server' is the internal resource of interest:

[Screenshot: problematic 'apptype web' configuration]

Agentless ZTNA Access portal:

[Screenshot: Agentless ZTNA Access portal]

The RDP and web server are on the same IP, 10.191.1.231. RDP works, and access to a public domain like yahoo.com works, but access to the internal web server via HTTP/HTTPS fails, even though RDP to the same host succeeds.

[Screenshot: failed HTTP/HTTPS access to the internal web server]

To fix this, a VIP object must be configured in Remote-FortiGate (not the FortiGate-800D, which provides the web-portal web service). This VIP must translate the public IP to the internal IP of the web server.

Create the VIP:

[Screenshot: VIP configuration]

Create a firewall policy (in Remote-FortiGate) so that the VIP can be accessed:

[Screenshot: firewall policy for the VIP]

Change the configuration of the ZTNA web portal as follows:

[Screenshot: updated ZTNA web portal configuration]

The web server access has been changed to use the public IP, which is the external IP of the VIP, instead of directly using the internal IP.

The result is that the internal web server is now accessible via HTTP/HTTPS through the Agentless ZTNA Access Proxy portal:

[Screenshot: successful access through the portal]

Traffic will match the proxy-policy in FortiGate-800D and the firewall-policy (of the VIP) in Remote-FortiGate. To ensure optimal DNS resolution results, see this article: Technical Tip: Unable to access ZTNA Agentless web-based bookmarks. |
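The VIP and firewall-policy steps above, sketched as FortiOS CLI for Remote-FortiGate. This is an added example, not the configuration from the article's screenshots: only 10.191.1.231 comes from the article, while the object names, the interface names and every value in angle brackets are placeholders, and the restricted source address is an assumption about how the portal traffic arrives.

```fortios
# Added example for Remote-FortiGate. Lines starting with # are annotations.
# Names and <...> values are placeholders, not values from the article.
config firewall vip
    edit "vip-internal-web"
        # Public address that the ZTNA portal bookmark will point to.
        set extip <vip-public-ip>
        # Internal web server from the article's topology.
        set mappedip "10.191.1.231"
        set extintf "<wan-interface>"
    next
end

config firewall policy
    edit 0
        set name "ztna-portal-to-web"
        set srcintf "<wan-interface>"
        set dstintf "<internal-interface>"
        # Assumption: an address object containing only the source address
        # that the FortiGate-800D's portal traffic arrives from, so the VIP
        # is not reachable from "all".
        set srcaddr "<fgt-800d-source-address-object>"
        set dstaddr "vip-internal-web"
        set action accept
        set schedule "always"
        # This static-NAT VIP maps every port; the policy is what limits
        # exposure to web traffic, so RDP on the same host is not published.
        set service "HTTP" "HTTPS"
        # Log sessions so portal access to the server can be audited.
        set logtraffic all
    next
end
```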







