Cleyton_Agenil_da_Si
New Member
November 7, 2025
Question

Basic ZTNA Deployment | Guarantee Access to the RDP Server


Dear Sirs,


I am attempting to implement a basic ZTNA to secure RDP access on port 3389 for remote access and IP/MAC-based access control for local access.

After following all the step-by-step configuration of the solution with the following scenario:


ZTNA: FortiGate v7.4.8 + FortiClient EMS v7.4.4 + FortiClient agent 7.2.2

FortiGate FG-80F: 192.168.254.99
WAN1: 189.x.x.x (primary)
FortiClient EMS: 192.168.254.106
Desktop Windows 11 Endpoints (FortiClient 7.2.2): DHCP 192.168.22.10.x
Internal RDP Server: 192.168.254.101


1. FortiClient EMS is connected to Security Fabric connectors
2. Zero Trust tags created - Secure_Endpoint
2.1. Created ZTNA Server (Access Proxy) — TCP Forwarding (RDP)
2.2. Created Service / Server mapping - TCP Forwarding 192.168.254.101:3389
3. Created ZTNA Rules and associated with EMS tags
4. Created Policy & Objects → Firewall Policy - Fortigate
5. Installed and configured FortiClient endpoint (7.2.2) and registered in EMS

However, when performing tests, the Windows 11 desktop endpoints (FortiClient 7.2.2) are not connected to RDP.


I don't understand what is wrong with the configurations.
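For readers comparing their own setup against the five GUI steps above, here is the same topology expressed in the FortiOS CLI. This is an added example, not the poster's configuration and not Fortinet documentation: the object names (`RDP-Server`, `ZTNA-RDP-VIP`, `ZTNA-RDP`, `ZTNA-RDP-Rule`), the `EMS1_ZTNA_Secure_Endpoint` tag name (FortiGate prefixes EMS tags with the connector name, so the exact string should be read from the Zero Trust tag list on the FortiGate) and the `<WAN1-public-IP>` placeholder are assumptions; the server and port are the ones listed in the question. The two `diagnose` commands at the end are the checks worth running first on a "not connected" result.

```fortios
# Address object for the internal RDP server (object name assumed)
config firewall address
    edit "RDP-Server"
        set subnet 192.168.254.101 255.255.255.255
    next
end

# Step 2.1: ZTNA server (access proxy VIP) listening on WAN1, TCP 443
# <WAN1-public-IP> is a placeholder for the poster's 189.x.x.x address
config firewall vip
    edit "ZTNA-RDP-VIP"
        set type access-proxy
        set extip <WAN1-public-IP>
        set extintf "wan1"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next
end

# Step 2.2: TCP-forwarding service mapping to 192.168.254.101:3389
config firewall access-proxy
    edit "ZTNA-RDP"
        set vip "ZTNA-RDP-VIP"
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "RDP-Server"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

# Step 3: ZTNA rule (proxy policy) that only accepts endpoints carrying the EMS tag
# Tag name format assumed; read the real string from the FortiGate's Zero Trust tag list
config firewall proxy-policy
    edit 1
        set name "ZTNA-RDP-Rule"
        set proxy access-proxy
        set access-proxy "ZTNA-RDP"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Secure_Endpoint"
        set action accept
        set logtraffic all
    next
end

# Checks: is the endpoint record from EMS present with the Secure_Endpoint tag,
# and does that tag resolve to the endpoint's address on this FortiGate?
diagnose endpoint record list
diagnose firewall dynamic list
```

Two things this makes visible that the GUI steps hide. First, with TCP forwarding the RDP client never connects to 192.168.254.101 directly: the ZTNA destination pushed from EMS maps a loopback port on the endpoint to `<WAN1-public-IP>:443`, and the user points mstsc at that loopback address; an RDP client aimed straight at the server address bypasses the access proxy and will simply be blocked or time out. Second, if `diagnose endpoint record list` shows the endpoint without the `Secure_Endpoint` tag, or `diagnose firewall dynamic list` shows the tag with no member address, the proxy policy can never match and the fault is in EMS registration or tagging rather than in the FortiGate objects above.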

2 replies

zukanlu3
New Member
November 7, 2025

There was a design change to implement support for IP Pool in ZTNA rules (new Feature ID 777675). This design change will not allow access to FortiGate (HTTPS and SSH) via ZTNA Access proxy because Local Services are not allowed to be proxied. If an HTTPS type of Access Proxy is used, a replacement message will be presented: '403 Forbidden: incorrect proxy service'.

funkylicious
SuperUser
November 7, 2025
"jack of all trades, master of none"