kyoneda1
Staff
Article Id 318880
Description: This article describes how to implement ZTNA Destination in FortiClient EMS for ZTNA TCP forwarding.
Scope: FortiOS, FortiClient, FortiClient EMS.
Solution

Starting with FortiOS v7.0.4 and FortiClient v7.0.3, it is possible to use ZTNA TCP forwarding access proxy rules to connect to internal resources without needing a VPN connection.

This article configures the ZTNA destination centrally in FortiClient EMS, instead of in the local FortiClient settings used by the following administration guide example:

ZTNA TCP forwarding access proxy example

The display format of ZTNA Destination in the FortiClient EMS GUI differs between 7.0 and 7.2, so this article provides an example configuration for each version.

The topology is as below:

topology.png

To create a ZTNA Destination in FortiClient EMS v7.0:

  1. Go to Endpoint Profiles -> ZTNA Destinations tab and select Add, or select an existing profile to edit.
  2. On the Destinations Grouped by Gateway, select Add.
  3. Set the Destination Name to SSH-FAZ. This is the name as it is listed in ZTNA DESTINATION in the FortiClient console.
  4. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.
  5. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.
  6. Select Save, and Save again on the ZTNA Destinations Profile. Apply the created profiles to policies as needed.

ems70-1.png

To create a ZTNA Destination in FortiClient EMS v7.2:

  1. Go to Endpoint Profiles -> ZTNA Destinations tab and select Add, or select an existing profile to edit.
  2. On the Destinations Grouped by Gateway, select Add.
  3. Set Enter gateway proxy address to 10.0.3.11:8443.
  4. Set Alias to SSH-FAZ. This is the name as it is listed in this profile.
  5. Select Next.

ems72-1.png

  6. Select Add.
  7. Set the Private Application Name to SSH-FAZ. This is the name as it is listed in ZTNA DESTINATION in the FortiClient console.
  8. Set Destination to 10.88.0.2:22. This is the real IP address and port of the server.
  9. Select Next. On the SaaS Application page that is displayed, select Finish.

ems72-2.png

  10. Select Save on the ZTNA Destinations Profile. Apply the created profiles to policies as needed.

To confirm the ZTNA Destination configuration in FortiClient:

  1. Go to the ZTNA Destination tab in the FortiClient console.
  2. Confirm that the configuration is as shown below.

fct-1.png
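As an added example that is not part of this article, the matching FortiGate-side configuration in FortiOS 7.0 CLI: an access proxy listening on the proxy gateway 10.0.3.11:8443 that forwards the SSH-FAZ destination to 10.88.0.2:22 and requires the EMS-issued client certificate. The object names, the interface port2 and the certificate Fortinet_Factory are assumptions.

```fortios
# Constructed example, not from the article: FortiGate side of the SSH-FAZ destination.
# Assumed names: address SSH-FAZ-server, VIP/access-proxy ZTNA-TCP, interface port2, cert Fortinet_Factory.
config firewall address
    edit "SSH-FAZ-server"
        set subnet 10.88.0.2 255.255.255.255
    next
end
# Proxy gateway that FortiClient connects to: 10.0.3.11:8443 (value from the EMS destination)
config firewall vip
    edit "ZTNA-TCP"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port2"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end
config firewall access-proxy
    edit "ZTNA-TCP"
        set vip "ZTNA-TCP"
        # require the EMS-issued client certificate so only registered endpoints can connect
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "SSH-FAZ-server"
                        set mappedport 22
                    next
                end
            next
        end
    next
end
# Proxy policy that permits the forwarded TCP session and logs it for later review
config firewall proxy-policy
    edit 1
        set name "ZTNA-SSH-FAZ"
        set proxy access-proxy
        set access-proxy "ZTNA-TCP"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

The proxy policy above allows any endpoint that presents a valid EMS client certificate; in practice, restrict it further with the EMS security posture tags used in your environment so that only compliant endpoints reach the SSH server.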