Article Id 291432

This article describes how to access an external web proxy through a ZTNA TCP forwarding access proxy with the FortiClient EMS tag.

Scope: FortiGate, FortiProxy, FortiClient.

The proxy server can be reached from a FortiClient that has an EMS tag configured, through a ZTNA TCP forwarding access proxy.


The following configuration steps must be taken.




  1. Configure FortiGate as a ZTNA TCP forwarding access proxy and set up its EMS tag configuration by referring to the steps in ZTNA TCP forwarding access proxy - FortiGate administration guide.


    config firewall vip
        edit "ClientProxy-HTTPs"
            set uuid 8987ac22-8d2f-51ee-fb62-87811c9b2af4
            set type access-proxy
            set extip
            set extintf "port3"
            set server-type https
            set extport 8443
        next
    end

    config firewall proxy-policy
        edit 1
            set uuid fa63ee1a-8d2a-51ee-43fa-222943580e0d
            set name "ExplicitWebProxy-via-ZTNA"
            set proxy access-proxy
            set access-proxy "ClientProxy-HTTPs"
            set srcintf "outside"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "EMS_ZTNA_all_clients"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end

    config firewall access-proxy
        edit "ClientProxy-HTTPs"
            set vip "ClientProxy-HTTPs"
            set client-cert enable
            config api-gateway
                edit 1
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "" <- External FortiProxy interface IP.
                            set mappedport 8443
                        next
                    end
                next
            end
        next
    end

  2. In FortiClient, the proxy IP must be the ZTNA server IP, with the same port that is mapped on FortiGate.

FortiClient ZTNA destination:




The proxy settings on the client machine must be configured with an IP that matches the ZTNA destination host IP.




  3. Complete the FortiProxy explicit web proxy configuration by following the admin guide: Explicit webproxy configuration.

  4. If an L3 device sits between FortiGate and FortiProxy, a static route is required for the ZTNA server IP/FortiProxy interface.
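
The following Python check is an added example, not part of the original article or of any Fortinet tooling. It parses a FortiGate configuration export and reports when an access-proxy policy lacks the settings the step 1 configuration sets explicitly (`ztna-ems-tag`, `client-cert enable`, and a `mappedport` on the TCP forwarding real server). The function names, the sample text and the `FortiProxy-ext` address name are assumptions made for illustration.

```python
import shlex

def parse_fortios(text):
    """Parse nested config/edit/set/next/end blocks into dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def lint_ztna(cfg):
    """Report settings used in the article's config that are missing or disabled."""
    out = []
    proxies = cfg.get("firewall access-proxy", {})
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") != "access-proxy":
            continue
        if not pol.get("ztna-ems-tag"):
            out.append(f"policy {pid}: no ztna-ems-tag")
        ap = proxies.get(pol.get("access-proxy"), {})
        if ap.get("client-cert") == "disable":
            out.append(f"policy {pid}: client-cert disabled")
        for gw in ap.get("api-gateway", {}).values():
            for rid, rs in gw.get("realservers", {}).items():
                if gw.get("service") == "tcp-forwarding" and not rs.get("mappedport"):
                    out.append(f"policy {pid}: realserver {rid} has no mappedport")
    return out

# Constructed input; "FortiProxy-ext" is a placeholder name. WEAK drops the three settings.
SAMPLE = "\n".join([
    'config firewall proxy-policy', 'edit 1', 'set proxy access-proxy',
    'set access-proxy "ClientProxy-HTTPs"', 'set ztna-ems-tag "EMS_ZTNA_all_clients"',
    'set action accept', 'next', 'end',
    'config firewall access-proxy', 'edit "ClientProxy-HTTPs"', 'set client-cert enable',
    'config api-gateway', 'edit 1', 'set service tcp-forwarding',
    'config realservers', 'edit 1', 'set address "FortiProxy-ext"', 'set mappedport 8443',
    'next', 'end', 'next', 'end', 'next', 'end',
])
WEAK = (SAMPLE.replace('set ztna-ems-tag "EMS_ZTNA_all_clients"', "")
        .replace("client-cert enable", "client-cert disable")
        .replace("set mappedport 8443", ""))

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("weak", WEAK)):
        print(name, lint_ztna(parse_fortios(text)))
```

To check a real device, pass the text of its configuration backup to `parse_fortios` in place of `SAMPLE`.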