jfelix09
January 7, 2026

Technical Tip: ZTNA Agentless web portal with multi-factor authentication

Description: This article describes how to configure a Zero Trust Network Access (ZTNA) agentless web portal with multi-factor authentication (MFA) and bookmarks for SSH and web access. In this example, a FortiGate firewall is configured to authenticate users from the local user database using FortiToken as the MFA method.

Scope: FortiGate v7.6.1+.
Solution

This guide provides a step-by-step procedure to configure a ZTNA agentless web portal secured with FortiToken-based MFA, using either local user or remote LDAP authentication. The ZTNA agentless web portal lets users securely access protected internal resources from a standard web browser, without installing a ZTNA agent on the client device.


In this example, the remote ZTNA client resolves the FQDN 'ztna.fortilab.local' to the FortiGate IP address 10.5.147.78.

[Diagram: ztna-agentless-diagram.png]

Step 1.a (local authentication): Create a local user named 'localtoken' and enable FortiToken as the second authentication factor. The user is added to the firewall user group 'local-fgt-users' in Step 2.


config user local
    edit "localtoken"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXX"        <----- Assign an available FortiToken.
        set email-to "user.email@contoso.com" <----- Select the user's email.
        set passwd <PASSWORD>
    next
end

Step 1.b (remote LDAP authentication): Configure an LDAP server according to the environment. Ensure the service account has sufficient permissions to query user and group objects in the directory.


config user ldap
    edit "ldap-fortiad"
        set server "10.15.19.81"
        set cnid "samaccountname"
        set dn "dc=fortiad,dc=local"
        set type regular
        set username "FORTIAD\\ldap-fgt"
        set password <PASSWORD>
        set group-search-base "CN=Users,DC=fortiad,DC=local"
    next
end


Note: This example uses LDAP over cleartext (TCP 389) for demonstration purposes. In production environments, it is strongly recommended to configure LDAPS (LDAP over SSL/TLS) so that communication between the FortiGate and the directory server is encrypted; see Technical Tip: Difference between LDAP vs LDAPS.


After configuration, verify LDAP connectivity and user authentication with the following diagnostic command:


diagnose test authserver ldap <LDAP-SERVER-NAME> <LDAP-USER> <LDAP-USER-PASSWORD>


Create a remote LDAP user 'ad-user1' (a local user entry of type ldap that references the LDAP server) and enable an available FortiToken as the second authentication factor.


config user local
    edit "ad-user1"
        set type ldap
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXX"       <----- Assign an available FortiToken (FortiToken Mobile).
        set email-to "ad-user1@mail.com"     <----- Select the user's email.
        set ldap-server "ldap-fortiad"
    next
end

Note: This example uses FortiToken Mobile. When the FortiGate administrator assigns a FortiToken Mobile token to a user for the first time, the user receives an activation code by email (see Token Activation).


Step 2: Create a local group that contains the remote LDAP user 'ad-user1' or the FortiGate local user 'localtoken' created in Step 1.


config user group
    edit "local-fgt-users"
        set member "ad-user1"
    next
end

or, for the local user created in Step 1.a:

config user group
    edit "local-fgt-users"
        set member "localtoken"
    next
end


Step 3: Create a VIP of type access-proxy to handle incoming ZTNA agentless web portal connections on TCP/2587.


config firewall vip
    edit "ZTNA-agentless"
        set type access-proxy
        set server-type https
        set extip 10.5.147.78
        set extintf "port1"
        set client-cert disable
        set extport 2587
        set ssl-certificate "Fortinet_Factory"
    next
end

Step 4: Define a virtual host that represents the FQDN 'ztna.fortilab.local' used to access the ZTNA web portal.


config firewall access-proxy-virtual-host
    edit "ztna-web-portal-fqdn"
        set ssl-certificate "Fortinet_Factory"
        set host "ztna.fortilab.local"
        set client-cert disable
    next
end

Note: It is recommended to use a trusted certificate matching the FQDN 'ztna.fortilab.local' instead of the default 'Fortinet_Factory' certificate, which client browsers do not trust.


Step 5: An authentication scheme with method 'form' is mandatory to support FortiToken MFA. The 'require-tfa' option must also be enabled so that the firewall authentication login prompts for the token. Configure an authentication scheme and rule as in the example below:


config authentication scheme
    edit "ztna-web-portal-form"
        set method form
        set require-tfa enable
        set user-database "local-user-db"
    next
end

config authentication rule
    edit "ztna-web-portal-rule"
        set protocol ztna-portal
        set ip-based disable
        set active-auth-method "ztna-web-portal-form"
        set web-auth-cookie enable
    next
end

If LDAP authentication is used (Step 1.b), configure the authentication scheme to use the LDAP server as the user database instead:


config authentication scheme
    edit "ztna-web-portal-form"
        set method form
        set require-tfa enable
        set user-database "ldap-fortiad"    <----- Select the LDAP server name created in Step 1.b.
    next
end
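The three configuration caveats above (the cleartext-LDAP note in Step 1.b, the 'Fortinet_Factory' certificate note in Step 4, and the 'form' plus 'require-tfa' requirement in Step 5) are easy to check mechanically before a change window. The script below is an added example written for this article; it is not Fortinet code and not part of the original tip. It parses FortiOS CLI text of the kind shown on this page (config / edit / set / next / end, with the article's '<-----' annotations stripped) into a tree and flags the three conditions. It assumes that 'set secure ldaps' with 'set port 636' is the FortiOS way to enable LDAPS and that an absent 'secure' attribute means the default 'disable'; the sample configuration it lints is constructed from the page's own snippets with one hardened LDAP server added.

```python
# Added example (not Fortinet's code, not from the original article): a small
# linter for FortiOS CLI snippets. It parses config/edit/set/next/end blocks
# and checks the points raised in the article's notes.
import shlex
from typing import Dict, List

# Constructed sample, assembled from the article's own snippets plus a second,
# hardened LDAP server so both outcomes of the LDAP check are visible.
SAMPLE_CONFIG = """
config user ldap
    edit "ldap-fortiad"
        set server "10.15.19.81"
        set cnid "samaccountname"
        set dn "dc=fortiad,dc=local"
        set type regular
        set password <PASSWORD>
    next
    edit "ldap-fortiad-ldaps"
        set server "10.15.19.81"
        set secure ldaps
        set port 636
    next
end
config firewall vip
    edit "ZTNA-agentless"
        set type access-proxy
        set extport 2587
        set ssl-certificate "Fortinet_Factory"   <----- annotation in the article's style
    next
end
config authentication scheme
    edit "ztna-web-portal-form"
        set method form
        set require-tfa enable
        set user-database "ldap-fortiad"
    next
end
config ztna web-portal-bookmark
    edit "bookmarks"
        set groups "local-fgt-users"
        config bookmarks
            edit "ssh"
                set apptype ssh
                set host "10.15.19.81"
            next
        end
    next
end
"""


def parse_fortios(text: str) -> Dict[str, dict]:
    """Parse FortiOS CLI text into {table: {entry: {attribute: [values]}}}.

    A 'config' block nested inside an entry becomes a sub-dict stored under the
    block's name. Trailing '<----- ...' annotations are dropped before parsing.
    """
    root: Dict[str, dict] = {}
    stack: List[tuple] = []           # saved (table, entry) for each open 'config'
    table, entry = None, None
    for raw in text.splitlines():
        line = raw.split("<---", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd = tokens[0]
        if cmd == "config":
            parent = entry if entry is not None else root
            stack.append((table, entry))
            table, entry = parent.setdefault(" ".join(tokens[1:]), {}), None
        elif cmd == "edit":
            entry = table.setdefault(tokens[1], {})
        elif cmd == "set":
            entry[tokens[1]] = tokens[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table, entry = stack.pop()
    return root


def lint(cfg: Dict[str, dict]) -> List[str]:
    """Return one finding per violated caveat from the article."""
    findings: List[str] = []
    for name, srv in cfg.get("user ldap", {}).items():
        secure = srv.get("secure", ["disable"])[0]   # assumed FortiOS default
        if secure not in ("ldaps", "starttls"):
            findings.append(f"user ldap '{name}': secure={secure}; bind credentials and user "
                            "passwords cross the network in cleartext, use 'set secure ldaps' "
                            "and 'set port 636'")
    for tbl in ("firewall vip", "firewall access-proxy-virtual-host"):
        for name, obj in cfg.get(tbl, {}).items():
            if obj.get("ssl-certificate", [""])[0] == "Fortinet_Factory":
                findings.append(f"{tbl} '{name}': default Fortinet_Factory certificate, "
                                "install a trusted certificate matching the portal FQDN")
    for name, scheme in cfg.get("authentication scheme", {}).items():
        if (scheme.get("method", [""])[0] != "form"
                or scheme.get("require-tfa", ["disable"])[0] != "enable"):
            findings.append(f"authentication scheme '{name}': FortiToken MFA needs "
                            "'set method form' and 'set require-tfa enable'")
    return findings


def lint_sample() -> List[str]:
    return lint(parse_fortios(SAMPLE_CONFIG))


if __name__ == "__main__":
    for finding in lint_sample():
        print("WARNING:", finding)
```

Run against the sample it reports two findings (the cleartext 'ldap-fortiad' server and the VIP on the factory certificate); the LDAPS server and the 'form' scheme pass. Paste a 'show full-configuration' export in place of SAMPLE_CONFIG to check a real unit.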

 

Step 6: Configure the ZTNA web portal using the previously configured VIP, virtual host, and authentication rule. To trigger the authentication portal, ensure that the 'auth-portal' option is enabled.


config ztna web-portal
    edit "ztna-web-portal"
        set vip "ZTNA-agentless"
        set host "ztna-web-portal-fqdn"
        set auth-portal enable
        set auth-virtual-host "ztna-web-portal-fqdn"
        set auth-rule "ztna-web-portal-rule"
    next
end

Step 7: Define the bookmarks for internal resources, such as web, SSH, or RDP:


config ztna web-portal-bookmark
    edit "bookmarks"
        set groups "local-fgt-users" <----- Configure the group that contains the users with FortiToken assigned.
        config bookmarks
            edit "ssh"
                set apptype ssh
                set host "10.15.19.81"
            next
        end
    next
end


Step 8: Configure a proxy policy to allow access to the ZTNA web portal:


config firewall proxy-policy
    edit 1
        set name "ZTNA-web-portal"
        set proxy ztna-proxy
        set ztna-proxy "ztna-web-portal"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

Testing and validation:

  1. From a remote client, open a web browser and navigate to 'https://ztna.fortilab.local:2587'.
  2. The ZTNA web portal login page is displayed.
  3. Select Login.
  4. Enter the local username or LDAP username, the password, and the FortiToken OTP code.
  5. Upon successful authentication, the ZTNA web portal is displayed with the configured bookmarks.

[Screenshot: ztna-portal-login.png]

[Screenshot: image.png]

Notes:

For a bookmark with 'apptype web' to work, the target must be defined by FQDN under the 'config ztna web-portal-bookmark' configuration, and that FQDN must resolve differently on each side:

  • The FortiGate must resolve the FQDN to the internal web server's IP address.
  • The client workstation must resolve the same FQDN to the FortiGate external IP address used for ZTNA access, which may require updating the Windows hosts file.


Configuration example:

config ztna web-portal-bookmark
    edit "bookmarks"
        set groups "local-fgt-users"
        config bookmarks
            edit "URL_HTTPS"
                set url "https://example.com"
            next
        end
    next
end
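The split-resolution requirement in the notes above (FortiGate resolves the bookmark FQDN to the internal server, the client resolves it to the FortiGate external IP) is the usual reason a web bookmark opens a blank page or bypasses the portal. The following is an added example, not part of the original article or of Fortinet's tooling: it compares the two resolver views for every web bookmark URL and reports which side is wrong, then emits the hosts-file lines a client would need. The two views, the hostnames and the internal addresses are constructed for illustration; on a real deployment they would come from nslookup on the client and 'execute ping <fqdn>' on the FortiGate. The external IP 10.5.147.78 is the one used throughout the article; the hosts-file path is the standard Windows location.

```python
# Added example (not from the original article): pre-deployment check of the
# split-DNS requirement for 'apptype web' bookmarks.
import ipaddress
from typing import Dict, List
from urllib.parse import urlparse

FORTIGATE_EXTERNAL_IP = "10.5.147.78"       # from the article's example
WINDOWS_HOSTS_FILE = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed resolver views (assumed values for illustration only).
FORTIGATE_VIEW: Dict[str, str] = {
    "intranet.fortilab.local": "10.15.19.90",   # correct: internal web server
    "wiki.fortilab.local": "10.5.147.78",       # wrong: points back at the FortiGate
}
CLIENT_VIEW: Dict[str, str] = {
    "intranet.fortilab.local": "10.5.147.78",   # correct: hosts-file entry to the FortiGate
    "wiki.fortilab.local": "10.15.19.91",       # wrong: client bypasses the portal
}
BOOKMARK_URLS = [
    "https://intranet.fortilab.local",
    "https://wiki.fortilab.local/index",
    "https://portal.fortilab.local",            # resolvable on neither side
]


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_web_bookmarks(urls: List[str], fortigate_view: Dict[str, str],
                        client_view: Dict[str, str], external_ip: str) -> List[str]:
    """Return one finding per broken resolution rule, per bookmark URL."""
    findings: List[str] = []
    for url in urls:
        host = urlparse(url).hostname
        if host is None or _is_ip(host):
            findings.append(f"{url}: web bookmarks must use an FQDN, not an IP address")
            continue
        internal = fortigate_view.get(host)
        if internal is None:
            findings.append(f"{host}: the FortiGate cannot resolve this FQDN; add a DNS "
                            "record it can reach")
        elif internal == external_ip:
            findings.append(f"{host}: the FortiGate resolves this FQDN to its own external "
                            "IP; it must point to the internal web server")
        client = client_view.get(host)
        if client != external_ip:
            findings.append(f"{host}: the client resolves this FQDN to {client}; it must "
                            f"resolve to {external_ip} (add '{external_ip} {host}' to "
                            f"{WINDOWS_HOSTS_FILE})")
    return findings


def hosts_file_lines(urls: List[str], external_ip: str) -> List[str]:
    """Hosts-file lines so that every bookmark FQDN reaches the FortiGate from the client."""
    return sorted({f"{external_ip} {urlparse(u).hostname}" for u in urls})


if __name__ == "__main__":
    for finding in check_web_bookmarks(BOOKMARK_URLS, FORTIGATE_VIEW,
                                       CLIENT_VIEW, FORTIGATE_EXTERNAL_IP):
        print("PROBLEM:", finding)
    print("\n".join(hosts_file_lines(BOOKMARK_URLS, FORTIGATE_EXTERNAL_IP)))
```

With the constructed views, 'intranet.fortilab.local' passes, 'wiki.fortilab.local' fails on both sides, and 'portal.fortilab.local' is unresolvable on both, giving four findings in total.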

 

Related documents:

ZTNA agentless web-based application access
Technical Tip: How to configure ZTNA Session Based Authentication with MFA token
Technical Tip: ZTNA Agentless with SAML authentication (Entra ID)