Description
This article describes what is required to access internal HTTP/HTTPS resources with 'apptype web'. The Agentless ZTNA Access Proxy portal is a new feature as of 7.6.1; see 'ZTNA agentless web-based application access 7.6.1'. For the initial configuration, follow this KB article: Technical Tip: How to configure clientless ZTNA with FortiGate v7.6.
Scope
FortiGate v7.6.1 and above.
Solution
Topology: FortiGate-800D (public/external IP: 10.56.241.104) --ipsec-- fgt-A -> internal-web-server (10.191.1.231)
Problematic configuration of 'apptype web'. 'https-win-server' is the internal resource of interest:
Agentless ZTNA Access portal:
The RDP server and the web server share the same IP, 10.191.1.231. RDP works, and access to a public domain such as yahoo.com works, but HTTP/HTTPS access to the internal web server fails even though RDP to the same host succeeds.
To fix this, a VIP must be configured. This VIP must translate the public IP to the internal IP of the web server. This has to be done even though the internal IP can be accessed directly. In other words, this VIP must be accessible from a public domain so that it can be accessed through the Agentless ZTNA Access Proxy portal.
Create the VIP:
Create a firewall policy so that the VIP can be accessed:
Change the configuration of the ZTNA web portal as follows:
The web server bookmark now uses the public IP, which is the external IP of the VIP, instead of the internal IP directly.
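The three steps above as a FortiOS CLI sketch. This is an added example, not the configuration from the original article: the object names, the interface names `wan1` and `to-fgt-A`, and the `<VIP_EXTERNAL_IP>` placeholder are assumptions, and the bookmark table layout is assumed from the 7.6.1 agentless ZTNA CLI.

```fortios
# Added example. Names marked "hypothetical" and <VIP_EXTERNAL_IP> are
# assumptions; substitute the values used in your deployment.

# 1. VIP: translate the public (external) IP to the internal web server.
config firewall vip
    # hypothetical VIP name and external interface
    edit "vip-https-win-server"
        set extintf "wan1"
        set extip <VIP_EXTERNAL_IP>
        set mappedip "10.191.1.231"
    next
end

# 2. Firewall policy so that the VIP can be reached.
#    Service is limited to HTTP/HTTPS so the static NAT does not also
#    publish RDP or any other port on 10.191.1.231.
config firewall policy
    edit 0
        # hypothetical policy name and interfaces
        set name "ztna-web-to-vip"
        set srcintf "wan1"
        set dstintf "to-fgt-A"
        set action accept
        set srcaddr "all"
        set dstaddr "vip-https-win-server"
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# 3. Portal bookmark: point 'apptype web' at the VIP's external IP
#    instead of 10.191.1.231 (table layout assumed, see lead-in).
config ztna web-portal-bookmark
    # hypothetical bookmark group name
    edit "portal-bookmarks"
        config bookmarks
            edit "https-win-server"
                set apptype web
                set url "https://<VIP_EXTERNAL_IP>"
            next
        end
    next
end
```

After applying, `show firewall vip` and `show firewall policy` confirm that the VIP maps only to 10.191.1.231 and that the policy permits only HTTP and HTTPS.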
The result is that the internal web-server is now accessible via HTTP/HTTPS through the Agentless ZTNA Access Proxy portal:
Copyright 2025 Fortinet, Inc. All Rights Reserved.