FortiClient
agomes, Staff
Article Id: 386997
Description: This article shows how to move an application from a VPN IPsec client-to-site to ZTNA.
Scope: FortiGate, FortiClient EMS, and FortiClient.
Solution

Follow these steps to move the application from VPN IPsec client-to-site to a ZTNA Application with FortiClient EMS.

This procedure requires a Security Fabric connection between the FortiGate and FortiClient EMS.

In this example, a FortiManager application is reachable through a VPN IPsec client-to-site tunnel, so the existing configuration consists of the IPsec VPN and a firewall policy allowing that traffic.

The topology below illustrates the VPN IPsec client-to-site traffic flow.

[Figure: VPN IPsec client-to-site traffic flow]

The following topology illustrates the ZTNA traffic flow:

[Figure: ZTNA traffic flow]

To move this configuration to ZTNA, follow these steps:
  1. Create a ZTNA Server on the FortiGate.

[Screenshot: FortiGate (POD1-FGT01) ZTNA Server configuration]

     - Use the FortiGate interface address that the client will connect to in order to reach the application (the proxy address).
     - Use a port different from the management port.
     - Map the application using TCP Forwarding and enter the port on which the application will be accessible.

  2. On the FortiClient EMS server, check that the application was synced through the fabric under Fabric Connectors -> ZTNA Application Catalog. See the screenshot below.

[Screenshot: FortiClient EMS ZTNA Application Catalog]

  3. Go to the ZTNA Destination profile, select the add button in the Rules Grouped by ZTNA Applications tab, choose the application, and select the Finish button to sync this application with the FortiClient.

[Screenshot: FortiClient EMS ZTNA Destination profile]

  4. Select the Save button to save the profile and sync this application with the FortiClient.

  5. On the FortiClient, check that the application was synced.

[Screenshot: FortiClient ZTNA destination check]

  6. On the FortiGate, create a ZTNA policy to allow this traffic.

[Screenshot: FortiGate (POD1-FGT01) ZTNA policy]

Security posture tags can also be used to restrict access if necessary, but this article does not cover them.

After this, try to access the application through its original IP address, https://172.16.1.100. FortiClient will use the FortiGate (192.168.50.1:4443) as a proxy to reach the application.
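As an added example that is not part of the original article, the FortiOS CLI objects equivalent to the GUI steps above: an address object for the application, the ZTNA Server (an access-proxy VIP listening on 192.168.50.1:4443, as in the article) with a TCP Forwarding mapping to the FortiManager, and the ZTNA policy that allows the proxied traffic. The object names ("FortiManager", "ZTNA-Server", "ZTNA-FortiManager"), the interface name port1, the certificate "Fortinet_Factory" and the application port 443 (from the https:// URL in the article) are assumptions, and exact keywords vary by FortiOS version.

```text
# Added example, not from the article: FortiOS CLI equivalent of the GUI steps.
# Values taken from the article: proxy 192.168.50.1:4443, application https://172.16.1.100.
# Assumptions: object names, interface "port1", certificate "Fortinet_Factory",
# application port 443; exact keywords vary by FortiOS version.

# Address object for the application that was previously reached over the IPsec VPN.
config firewall address
    edit "FortiManager"
        set subnet 172.16.1.100 255.255.255.255
    next
end

# Step 1: ZTNA Server. The VIP is the proxy address the client connects to;
# 4443 deliberately differs from the management port.
config firewall vip
    edit "ZTNA-Server"
        set type access-proxy
        set extip 192.168.50.1
        set extintf "port1"
        set server-type https
        set extport 4443
        set ssl-certificate "Fortinet_Factory"
    next
end

# TCP Forwarding mapping: the real server and the port the application is accessible on.
# client-cert enable makes FortiClient present its EMS-issued certificate so the
# endpoint is identified before any traffic is forwarded.
config firewall access-proxy
    edit "ZTNA-Server"
        set vip "ZTNA-Server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FortiManager"
                        set mappedport 443
                    next
                end
            next
        end
    next
end

# Step 6: ZTNA policy allowing the proxied traffic. Logging is enabled so ZTNA
# access shows up in the proxy logs. Security posture tags (ztna-ems-tag) could
# be added here to restrict access further; the article does not cover them.
config firewall proxy-policy
    edit 0
        set name "ZTNA-FortiManager"
        set proxy access-proxy
        set access-proxy "ZTNA-Server"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic all
    next
end
```

After the GUI steps are done, `show firewall access-proxy` and `show firewall proxy-policy` display the objects the FortiGate actually created, which is the quickest way to compare them with the fragment above. Once ZTNA access is confirmed working, the old IPsec VPN firewall policy for this application can be removed so that the application is reachable only through the ZTNA proxy and no longer over the tunnel.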