systemgeek
Visitor III
April 16, 2025
Solved

Questions around ZTNA setup


Trying to understand all of this so I have a few questions around the setup:

  1. I want to do TCP forwarding to support SSH, but we use an internal bastion host. So all users log in to the host with their own login and from there can SSH to hosts in production. From what I can tell I cannot do host key checking, since that would mean all users need to log in to a single account.
  2. When setting up the ZTNA server, one of the questions is the Default Cert. What cert is that? If my destination host is jump.example.com, would that cert be for *.example.com??? And if so, I also need to copy it to the EMS server and tell EMS to push it down to the client????
  3. Lastly, I am trying to set up ZTNA to use SSO that's connected to our ADFS. So if I SSH to jump.example.com, should I get prompted for SSO login? At least once in a while?
Best answer by AEK

2 replies

AEK
SuperUser
April 19, 2025
  1. I don't understand the concern well.
  2. "Clients will be presented with this certificate when they connect to the access proxy VIP."
    Ref: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration
    Since ZTNA is built on TLS, when the client connects to the ZTNA server (FortiGate), it is presented with this "default certificate", whatever backend server it is connecting to. So as per my understanding, this certificate is between FCT and FGT, not between your browser and the backend HTTPS server.
    For the HTTPS access proxy, FGT works as a reverse proxy. So as per my understanding, the certificate presented to the web browser should be the configured "default certificate". Ref: https://docs.fortinet.com/document/fortigate/7.0.0/ztna-architecture/19197/ztna-access-proxy
  3. I don't know this one.
systemgeek
Visitor III
May 9, 2025

I am just trying to understand which cert to use. I did see somewhere that the cert is what's used to encrypt the traffic between the FGT and the client. This is true for all protocols except SSH. SSH does its own encryption, so the FGT lets the traffic run in clear text. Meaning the SSH-encrypted traffic is not encrypted a second time.

theonlyVishay
New Member
September 10, 2025

You need to use a certificate that the client (PC) trusts.

For Example:

My company is cola.com.

We have a wildcard certificate *.cola.com
I imported the certificate to the firewall and called it wildcard.cola.com

You also need to import the CA certificate if it is not already on the firewall.

I create a DNS record for the VIP used in ZTNA Servers = ztna.cola.com

I use the wildcard.cola.com certificate for the ZTNA Servers.

In ZTNA destinations, the proxy gateway is = ztna.cola.com
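A pre-rollout check for the setup above, added here as an example (not code from the thread or from Fortinet): it verifies that a wildcard certificate's SAN entries actually cover the proxy gateway name, since `*.cola.com` covers `ztna.cola.com` but not `cola.com` itself or deeper names, and that a client using its OS trust store can complete the TLS handshake with the VIP. The certificate dict and the hostnames are constructed for the example domain cola.com.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# (assumption: a wildcard certificate for the example domain cola.com).
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.cola.com"),),),
    "subjectAltName": (("DNS", "*.cola.com"), ("DNS", "cola.com")),
    "notAfter": "Sep 10 12:00:00 2026 GMT",
}


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one label and only in
    the left-most position, so '*.cola.com' matches 'ztna.cola.com' but not
    'cola.com', 'a.b.cola.com' or any name under another domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only a bare '*' as the whole first label is a valid wildcard form;
    # partial forms such as '*cola.com' are rejected by clients.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True when some DNS SAN entry of the certificate covers hostname."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_matches(n, hostname) for n in dns_names)


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Days left before the certificate's notAfter; negative once expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)


def probe_vip(vip_hostname: str, port: int = 443) -> dict:
    """Handshake with the ZTNA access-proxy VIP as a client would, using the
    OS trust store. An untrusted CA or a name mismatch raises
    ssl.SSLCertVerificationError, which is exactly what end users would hit."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((vip_hostname, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=vip_hostname) as tls:
            cert = tls.getpeercert()
    return {"dns_names": [v for k, v in cert["subjectAltName"] if k == "DNS"],
            "days_left": days_until_expiry(cert, datetime.now(timezone.utc))}
```

Run `probe_vip("ztna.cola.com")` (assumed proxy gateway name) from a client PC before pointing EMS at the VIP; the offline helpers can be pointed at the SAN list of the certificate you plan to import.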

Systemgeek2
New Member
September 10, 2025

I am doing exactly the same thing. The only change in my env is that our FortiGate is in AWS, so the external IP on the FG is not what the internet sees. So I need to create my own ZTNA Destinations in EMS.