Fortigate ZTNA forward authentication to backend server

Forum|Forum|2 years ago
June 19, 2023
1 reply
1780 views

Hi,

I am quite new to fortigate and ZTNA. But anyway I got a fortigate and a FortiEMS set up, they are connected through fabric.
I have set up a ZTNA Server and have TCP forwarding to some RDP servers. It works even though only running TCP is killing the Terminal Server performance.
So to the problem, I am trying to set up a reverse web proxy against an internal server where I need to pass authentication. So I tried to make create a authentication schema and I get the prompt and I am authenticated but it is never passed to the backend server. So my question is, is this at all possible?

The backend server is a common IIS with Negotiate and NTLM as authentication.
my goal is to expose this server to the internet and in best case have a transparent authentication of the logged in user in the windows client all the way trough the reverse proxy into the internal server.
I have done it with TCP forwarding of port 443 but a reverse web proxy is probably a better choice if possible.

Any input is appreciated

Best answer by Faiza_Emam_Delhi

Hello,

Yes, it is possible to set up a reverse web proxy against an internal server and pass authentication to the backend server. To achieve this, you will need to configure the FortiGate to forward authentication requests to the backend server.

Here are the steps to configure FortiGate ZTNA forward authentication to backend server:

1. Create an authentication schema that matches the authentication method used by the backend server (Negotiate and NTLM).

2. Create a virtual server that listens on the appropriate port (80 or 443) and uses the authentication schema.

3. Configure the virtual server to forward requests to the backend server.

4. Enable authentication forwarding on the virtual server.

5. Test the configuration to ensure that authentication is passed to the b

ackend server.

Faiza_Emam_DelhiAnswer

Visitor III

Hello,

Yes, it is possible to set up a reverse web proxy against an internal server and pass authentication to the backend server. To achieve this, you will need to configure the FortiGate to forward authentication requests to the backend server.

Here are the steps to configure FortiGate ZTNA forward authentication to backend server:

1. Create an authentication schema that matches the authentication method used by the backend server (Negotiate and NTLM).

2. Create a virtual server that listens on the appropriate port (80 or 443) and uses the authentication schema.

3. Configure the virtual server to forward requests to the backend server.

4. Enable authentication forwarding on the virtual server.

5. Test the configuration to ensure that authentication is passed to the b

ackend server.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded