Description
This article describes how to reach an external web proxy through a ZTNA TCP forwarding access proxy, with access gated by a FortiClient EMS tag.

Scope
FortiGate, FortiProxy, FortiClient.

Solution
The external proxy server can be reached from a FortiClient endpoint that carries the required EMS tag, through a ZTNA TCP forwarding access proxy on the FortiGate.
The following configuration steps are required.
config firewall vip
    edit "ClientProxy-HTTPs"
        set uuid 8987ac22-8d2f-51ee-fb62-87811c9b2af4
        set type access-proxy
        set extip 10.10.0.1
        set extintf "port3"
        set server-type https
        set extport 8443
    next
end
config firewall proxy-policy
    edit 1
        set uuid fa63ee1a-8d2a-51ee-43fa-222943580e0d
        set name "ExplicitWebProxy-via-ZTNA"
        set proxy access-proxy
        set access-proxy "ClientProxy-HTTPs"
        set srcintf "outside"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS_ZTNA_all_clients"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
config firewall access-proxy
    edit "ClientProxy-HTTPs"
        set vip "ClientProxy-HTTPs"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "10.10.2.239_Webproxy_IP"   <- External FortiProxy interface IP.
                        set mappedport 8443
                    next
                end
            next
        end
    next
end
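As an added consistency check that is not part of the original article, the following Python script parses the three objects above (accepting the run-together single-line form in which the CLI is often pasted) and verifies that the VIP, access proxy and proxy policy reference each other, that client certificates and an EMS tag are enforced, and that a tcp-forwarding gateway exists at /tcp. The parser and check functions are my own; the embedded configuration is a constructed copy of the page's objects without the uuids.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts keyed by config/edit name. Token based,
    so it accepts the run-together one-line form; set values must not be CLI keywords."""
    toks = shlex.split(text)
    node = root = {}
    stack, i = [], 0
    while i < len(toks):
        kw, i, j = toks[i], i + 1, i + 1
        while j < len(toks) and toks[j] not in ("config", "edit", "set", "next", "end"):
            j += 1
        args, i = toks[i:j], j
        if kw in ("config", "edit"):      # descend into a table or entry
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw == "set":                 # attribute = value(s)
            node[args[0]] = " ".join(args[1:])
        elif kw in ("next", "end"):       # climb back out
            node = stack.pop()
    return root

# Constructed sample: the page's three objects (uuids omitted) in run-together form.
SAMPLE = """config firewall vip edit "ClientProxy-HTTPs" set type access-proxy set extip 10.10.0.1
 set extintf "port3" set server-type https set extport 8443 next end
config firewall proxy-policy edit 1 set proxy access-proxy set access-proxy "ClientProxy-HTTPs"
 set ztna-ems-tag "EMS_ZTNA_all_clients" set action accept set schedule "always" next end
config firewall access-proxy edit "ClientProxy-HTTPs" set vip "ClientProxy-HTTPs" set client-cert enable
 config api-gateway edit 1 set url-map "/tcp" set service tcp-forwarding config realservers edit 1
 set address "10.10.2.239_Webproxy_IP" set mappedport 8443 next end next end next end"""

def check_ztna_tcp_forwarding(cfg):
    """Return a list of findings for each proxy-policy that fronts a ZTNA access proxy."""
    findings = []
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") != "access-proxy": continue
        name = pol.get("access-proxy", "")
        vip = cfg.get("firewall vip", {}).get(name, {})
        ap = cfg.get("firewall access-proxy", {}).get(name, {})
        if vip.get("type") != "access-proxy" or ap.get("vip") != name:
            findings.append(f"policy {pid}: VIP and access-proxy {name!r} are not wired together")
        if ap.get("client-cert") != "enable":
            findings.append(f"policy {pid}: client-cert disabled, endpoint identity not checked")
        if not pol.get("ztna-ems-tag"):
            findings.append(f"policy {pid}: no ztna-ems-tag, posture tag is not enforced")
        gws = ap.get("api-gateway", {}).values()
        if not any(g.get("service") == "tcp-forwarding" and g.get("url-map") == "/tcp" for g in gws):
            findings.append(f"policy {pid}: no tcp-forwarding api-gateway mapped at /tcp")
    return findings
```

Running `check_ztna_tcp_forwarding(parse_fortios(SAMPLE))` returns an empty list for the page's configuration; dropping the `ztna-ems-tag` line produces a finding.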
FortiClient ZTNA destination:
The proxy settings on the client machine must point to the IP and port of the ZTNA destination host configured in FortiClient:
From FortiOS v7.4.1, FortiGate also supports ZTNA proxying of UDP traffic. Refer to the following document for details: https://docs.fortinet.com/document/fortigate/7.6.0/new-features/843330/ztna-support-for-udp-traffic