Technical Tip: How to configure ZTNA TCP reverse proxy for SaaS and ISDB services.

msolanki · ‎06-26-2024

Description

This article describes how configure ZTNA TCP reverse proxy for internet-based SaaS services.

Scope

FortiGate, FortiClient EMS, FortiClient.

Solution

Through the ZTNA access proxy, SaaS and ISDB services can be configured along with UTM inspection and inline CASB inspection for cloud-based services.

The following overview diagram shows a setup configured via TCP reverse proxy with ZTNA:

Configure the VIP for access proxy (Can be created in CLI only)

config firewall vip

edit "ZTNA-SaaS-VIP"

set uuid 5b1ea5ac-03d6-51ef-4201-74e68241fbb7

set type access-proxy

set server-type https

set extip 10.10.0.1

set extintf "any"

set extport 443

set ssl-certificate "Fortinet_Factory"

Create the firewall access proxy as below example

config firewall access-proxy

edit "ZTNA-SALEFORCE-Access-Proxy"

set vip "ZTNA-SaaS-VIP"

config api-gateway

edit 1

set url-map "/saas"

set service saas

set application "salesforce "

Configure the proxy address for Salesforce to configure in the proxy policy.

config firewall proxy-address

edit "ZTA_SaaS_Salesforce

set uuid b7f148ce-3217-51ef-843e-92f99d1b6c5b

set type saas

set application "salesforce"

Create a proxy policy with the type as ZTNA and allow salesforce application access.

config firewall proxy-policy

edit 1

set uuid 3c5deb8a-322c-51ef-1565-e2bc71d30b2d

set name "ZTA_Salesforce_App"

set proxy access-proxy

set access-proxy "ZTNA-SALEFORCE-Access-Proxy"

set srcintf "port1"

set srcaddr "all"

set dstaddr "ZTA_SaaS_Salesforce" > proxy address object

set action accept

set schedule "always"

Configure ZTNA Destination in Forticlient EMS

In FortiClient EMS, select Endpoint Profiles -> ZTNA Destinations.
Create a new profile/edit an existing profile.
Select Name, then the Advanced option.
Enable the destination option, then select the plus icon.

Destantion .png

New gateway details for the salesforce service can be filled in.

Gateway proxy address-	10.10.0.1:443
Select browser user-agent for SAML login-	Select FortiClient embedded browser
Alias	Salesforce

Select Next.
Under Private Applications, select Next.
Under Applications, select Sales.

salesforce app.png

Select Finish and Save.

The SaaS Destination will be visible in Forticlient once synchronized.

The following is a list of SaaS applications available to in ZTNA SaaS application in ISDB:

MS saas app-grp

adp saas app

box saas app

sap saas app

jira saas app

zoom saas app

adobe saas app

azure saas app

gmail saas app

webex saas app

aws-s3 saas app

citrix saas app

egnyte saas app

github saas app

dropbox saas app

ms-word saas app

youtube saas app

zendesk saas app

docusign saas app

ms-excel saas app

ms-teams saas app

atlassian saas app

workplace saas app

box-upload saas app-acc

confluence saas app

google-web saas app

ms-outlook saas app

salesforce saas app

servicenow saas app

sharepoint saas app

ms-exchange saas app

ms-onedrive saas app

box-download saas app-acc

google-cloud saas app

google-drive saas app

oracle-cloud saas app

google-office saas app

ms-powerpoint saas app

dropbox-upload saas app-acc

gmail-getAttach saas app-acc

dropbox-download saas app-acc

twilio-video-cloud saas app

ms-onedrive-download saas app-acc

ms-outlook-getAttach saas app-ac

Technical Tip: How to configure ZTNA TCP reverse proxy for SaaS and ISDB services.

You are leaving our website