FortiGate
nkorea
Staff
Article Id 395436
Description: This article demonstrates how to implement ZTNA TCP forwarding for public servers hosted on the Document360 platform, which enforces IP-based access restrictions.
Scope: FortiOS.
Solution


Note: This method requires a deployed FortiClient EMS server as well as licensed FortiClient.

VPN-only FortiClient does not support ZTNA features.


Scenario:

An administrator has created a cloud-hosted website accessible at ‘https://project-194793f2.document360.io/’.

The website has an IP restriction configured that only allows connections from specific public IP addresses, including the external address of the FortiGate (‘Office’).


The following images depict the Document360 website’s IP restriction settings and how to configure access for a specific IP address.

[Image: Document360 IP restriction settings, with access configured for a specific public IP address]

When a user tries to access the project URL ‘https://project-194793f2.document360.io/’ from another IP address using an unmanaged endpoint, they reach a block page.

[Image: Document360 block page shown to an unmanaged endpoint connecting from a non-allowed IP address]

To allow authorized users to access the resource without connecting to an office VPN, ZTNA TCP forwarding can be used.


In this example, the FortiGate EMS Fabric Connector is already successfully connected, and the FortiClient is already receiving the appropriate tag ‘TESTING’.


FortiGate ZTNA Configuration:


config firewall vip
    edit "Public_Server"
        set type access-proxy
        set server-type https
        set extip 10.21.x.x
        set extintf "port1"
        set extport 11443
        set ssl-certificate "Fortinet_Factory"
    next
end

Note: For best results, a privately signed certificate should be used as the ssl-certificate, with the certificate trust imported to the FortiClient endpoint.


config firewall access-proxy
    edit "Public_Server"
        set vip "Public_Server"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "project-194793f2.document360.io"
                        set mappedport 443
                    next
                end
            next
        end
    next
end


Note: The FortiGate must be able to resolve the domain name ‘project-194793f2.document360.io’.


config firewall proxy-policy
    edit <index>
        set name "Public_server"
        set proxy access-proxy
        set access-proxy "Public_Server"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "TESTING"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
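The three CLI blocks above only work as a chain when the names line up: the access-proxy must reference an existing VIP of type access-proxy, the proxy-policy must reference that access-proxy, and the EMS tag name must match exactly (a stray space inside the quotes is a different object). As an added example that is not Fortinet code, the following Python parses FortiOS CLI text into nested dictionaries and lints those references; the SAMPLE configuration is constructed here and deliberately carries a padded tag name so the lint has something to report.

```python
# Added example (not Fortinet code): parse FortiOS CLI text into nested dicts and
# lint the VIP -> access-proxy -> proxy-policy chain. SAMPLE is constructed here.
SAMPLE = """\
config firewall vip
    edit "Public_Server"
        set extport 11443
    next
end
config firewall access-proxy
    edit "Public_Server"
        set vip "Public_Server"
    next
end
config firewall proxy-policy
    edit 1
        set access-proxy "Public_Server"
        set ztna-ems-tag " TESTING "
    next
end
"""

def parse_fortios(text):
    # table -> entry -> settings; a sub-table (e.g. api-gateway) nests under its entry
    stack = [{}]
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif kw == "set":
            key, _, val = rest.partition(" ")
            stack[-1][key] = val            # quotes kept so padding stays visible
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

def lint_ztna_chain(cfg):
    # returns dangling references and padded tag names that break the chain
    problems = []
    vips, proxies = cfg.get("firewall vip", {}), cfg.get("firewall access-proxy", {})
    for name, proxy in proxies.items():
        if proxy.get("vip", "").strip('"') not in vips:
            problems.append(f"access-proxy {name}: vip {proxy.get('vip')} is not defined")
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("access-proxy", "").strip('"') not in proxies:
            problems.append(f"proxy-policy {pid}: access-proxy {pol.get('access-proxy')} is not defined")
        tag = pol.get("ztna-ems-tag", "").strip('"')
        if tag != tag.strip():
            problems.append(f"proxy-policy {pid}: ztna-ems-tag {tag!r} has padding whitespace")
    return problems
```

Run `lint_ztna_chain(parse_fortios(SAMPLE))` on a `show` dump of the three tables before testing from the endpoint; an empty list means the names are consistent.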


FortiClient Settings:

Configure the ZTNA connection rule on FortiClient or FortiClient EMS following these documents: ZTNA Destination or ZTNA Destinations.

[Image: ZTNA destination rule for the Public_Server access proxy, as configured on FortiClient / FortiClient EMS]

Verifying access:

Ensure the ‘TESTING’ tag is showing on the FortiClient and the ZTNA destination has been pushed from EMS with the required profile as above.


A user with the correct FortiClient tags attempts to access the URL https://project-194793f2.document360.io/, and the project is accessible.


Related article:

Technical Tip: How to implement ZTNA TCP forwarding for public-facing servers