Technical Tip: Unable to access ZTNA Agentless web-based bookmarks

ZTNA agentless web-based application allows remote access to internal applications without the need for FortiClient or client certificate checks. In this scenario, a web portal named 'ZTNA Web' was created with a bookmark to access an HTTP server at 'http://dc.fortiad.local:80'.

The configuration is available only through the FortiGate CLI:

config ztna web-portal-bookmark

    edit "ZTNA web"

        config bookmark

            edit "http-dc"
                set url "http://dc.fortiad.local:80"
            next

        end

    next

end

After client authentication on the ZTNA agentless web portal, users can select 'http-dc' to access the HTTP resource. FortiGate redirects the client to the following address:

https://web-portal.fortilab.local:23443/remote/web_service?sessionid=00000000&bmtype=portal&bmgroup=ZTNA%20web&bmname=http-dc

However, the connection fails, and the client receives an 'ERR_CONNECTION_CLOSED' error.

Use the following WAD CLI debug commands to gather more information (replace 'x.x.x.x' with the remote client's public IP address):

diagnose debug reset

diagnose wad filter src x.x.x.x

diagnose wad debug enable category http

diagnose debug enable

• If the 'ztna-web-portal-bookmark' contains spaces in its name (for example, 'ZTNA web'), it causes an invalid URL error when building the HTTP response. Consequently, the client will receive the 'ERR_CONNECTION_CLOSED' error. The WAD debug logs will show an invalid URL error.

• If 'ztna-web-portal-bookmark' has no spaces in the name, it is possible to access the web server via the ZTNA agentless portal. Use the following CLI commands to rename the ZTNA web portal:

config ztna-web-portal-bookmark
rename "ZTNA web" to "ZTNA-web-portal"
end
-------- [wad debugs] --------
[...]
[I][p:18986][s:4964699][r:1955] wad_http_str_canonicalize :2468 end=4 path=sessionid=00000000&bmtype=portal&bmgroup=ZTNA-web-portal&bmname=http-dc
len=82 changes=0
[...]
[V][p:18986][s:4964699][r:1955] wad_http_req_exec_act :13589 response is ready!
-------- [wad debugs] --------

Avoid using spaces in ZTNA web portal feature names, use the '-' or '_' instead: Technical Tip: Naming rules and character restrictions. 

Always stop the debugs:

diagnose debug reset

Notes:

• Configure a local DNS database on the FortiGate so the domain name resolves to the internal web server’s IP address using the 'config system dns-database' settings.
• On the client workstation, ensure the same domain name resolves to the FortiGate’s public ZTNA interface IP. This can be accomplished by manually adding an entry to the hosts file (either /etc/hosts or the Windows hosts file).

Related documents:

ZTNA agentless web-based application access (7.6.1)
Technical Tip: How to configure Agentless ZTNA with FortiGate v7.6