FortiGate
auppal
Staff
Article Id 315538
Description

This article describes the configuration needed to make an RDP connection to a server in an RDS (Remote Desktop Server) farm over the ZTNA Access Proxy.

Scope

FortiGate, FortiClient EMS, FortiClient.

Prerequisites:

  1. FortiClient EMS is connected to the FortiGate.
  2. FortiClient is connected to the EMS server.

Solution

Topology:

TOPOLOGY.png

  1. Configure a ZTNA server: Navigate to Policy & Objects -> ZTNA, select the ZTNA Servers tab, and select 'Create New'.

1.png

  2. Add a server mapping:
  • In the Service/server mapping table, select 'Create New'.
  • Set Service to TCP-forwarding.
  • Set Virtual Host to Any Host or Specify.
  • In the server section, add the IP addresses of the RDS server AND all the servers behind it.

2.png

IP-range.png

ZTNA Server and Access Proxy VIP in CLI:

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
config firewall address
    edit "ZTNA-RDS-Addresses"
        set uuid 61e438e4-0f06-51ef-8656-8c43798f7972
        set type iprange
        set start-ip 192.168.0.80
        set end-ip 192.168.0.83
    next
end
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
config firewall vip
    edit "ZTNA-RDS"
        set uuid 68158af6-0f06-51ef-0a1c-b4b42e35f185
        set type access-proxy
        set extip 172.17.97.169
        set extintf "wan1"
        set server-type https
        set extport 7443
        set ssl-certificate "Fortinet_SSL"
    next
end
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
config firewall access-proxy
    edit "ZTNA-RDS"
        set vip "ZTNA-RDS"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "ZTNA-RDS-Addresses"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  3. Configure a ZTNA proxy policy:

config firewall proxy-policy
    edit 7
        set uuid d5b0bbfe-13ab-51ef-7c24-af9f2a719f2b
        set name "To-RDS"
        set proxy access-proxy
        set access-proxy "ZTNA-RDS"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end

  4. Configure ZTNA destinations on the FortiClient: This can be done from EMS and pushed to all FortiClients; however, for the purpose of this document, it is done directly in the FortiClient application that is connected to the EMS server.

4.png

Explanation:
Why should the ZTNA destination rules include all the end servers along with the RDS server?

The reason lies in how the RDS farm handles incoming RDP sessions and hands them off to an available server.

Once the RDS server receives an RDP session request from a client, it prompts for authentication and also finds a server to transfer the session to. Once authentication is completed, the session to the RDS server is closed and a new session is created from the client to the end server's IP.

The packet capture below shows an example in which the ZTNA destination rules for the end servers (192.168.0.81, 192.168.0.82, and 192.168.0.83) were not configured.

As shown, after closing the connection with the RDS server, the client (192.168.107.98) tries to connect to 192.168.0.81 but gets no replies. Without a matching ZTNA destination rule, FortiClient does not intercept this connection, so the packets are sent directly to the private server IP instead of through the Access Proxy.

49026 2024-04-01 11:07:36.287621 192.168.107.98 50.173.241.219 TCP 54 2792705667 3389 2355359739 54782 → 3389 [RST, ACK] Seq=2792705667 Ack=2355359739 Win=0 Len=0  <----- Session to RDS closed.

49692 2024-04-01 11:07:43.518057 192.168.107.98 192.168.0.81 TCP 66 811665075 3389 0 54788 → 3389 [SYN] Seq=811665075 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1  <----- New session is created to real server 192.168.0.81.

49791 2024-04-01 11:07:44.518552 192.168.107.98 192.168.0.81 TCP 66 811665075 3389 0 [TCP Retransmission] [TCP Port numbers reused] 54788 → 3389 [SYN] Seq=811665075 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1  <----- No replies coming back, thus retransmissions.

50013 2024-04-01 11:07:46.518676 192.168.107.98 192.168.0.81 TCP 66 811665075 3389 0 [TCP Retransmission] [TCP Port numbers reused] 54788 → 3389 [SYN] Seq=811665075 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

However, once the required ZTNA destinations are configured, FortiClient intercepts this traffic and sends it through the ZTNA Access Proxy to the configured destinations.
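To catch this gap before a user hits it, the following added Python check (written for this article, not code from Fortinet or FortiOS) parses the iprange address object used by the access proxy above and compares it, together with the FortiClient ZTNA destination list, against an inventory of the RDS farm. The config text, the "ip:port" destination format and the farm inventory are constructed assumptions.

```python
import ipaddress
import re

# Constructed copy of the article's address object (uuid omitted); not a live config export.
FORTIGATE_CONFIG = """
config firewall address
    edit "ZTNA-RDS-Addresses"
        set type iprange
        set start-ip 192.168.0.80
        set end-ip 192.168.0.83
    next
end
"""

# Constructed FortiClient ZTNA destination rules as "ip:port"; this format is an assumption.
FORTICLIENT_DESTINATIONS = ["192.168.0.80:3389", "192.168.0.81:3389"]

# Constructed RDS farm inventory: the broker plus every session host it can redirect to.
RDS_FARM = {"rds-broker": "192.168.0.80", "rds-host-1": "192.168.0.81",
            "rds-host-2": "192.168.0.82", "rds-host-3": "192.168.0.83"}

def parse_ipranges(config):
    """Collect (start, end) pairs from every 'set type iprange' object in a config dump."""
    ranges = []
    for block in re.split(r"^\s*edit ", config, flags=re.M)[1:]:
        if "set type iprange" in block:
            start = re.search(r"set start-ip (\S+)", block).group(1)
            end = re.search(r"set end-ip (\S+)", block).group(1)
            ranges.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return ranges

def coverage_gaps(config, destinations, farm, port=3389):
    """Map each farm member to the sides ('fortigate', 'forticlient') that do not cover it."""
    # A host missing on either side reproduces the article's failure: unanswered SYNs after redirect.
    ranges = parse_ipranges(config)
    gaps = {}
    for name, ip in farm.items():
        addr = ipaddress.ip_address(ip)
        missing = []
        if not any(start <= addr <= end for start, end in ranges):
            missing.append("fortigate")    # outside the access proxy's realserver range
        if f"{ip}:{port}" not in set(destinations):
            missing.append("forticlient")  # no ZTNA destination rule on the client
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    for host, sides in coverage_gaps(FORTIGATE_CONFIG, FORTICLIENT_DESTINATIONS, RDS_FARM).items():
        print(f"{host}: not covered by {', '.join(sides)}")
```

With the constructed inputs, rds-host-2 and rds-host-3 are reported as missing on the FortiClient side, which is exactly the state that produced the unanswered SYNs in the capture above.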

Related document:
Basic ZTNA configuration