Description
This article describes how to configure a FortiGate to forward a TCP connection (RDP or others) received through ZTNA access when the destination virtual server is located behind a site-to-site VPN.
Scope: FortiGate v7.2.0+, v7.4.0+, v7.6.0+.
Solution
When this topology is implemented:
The FortiClient endpoint sends RDP connections to the FortiGate via ZTNA. Upon receiving the traffic, the FortiGate checks whether ZTNA access is permitted. If allowed, it forwards the traffic through the IPsec tunnel. However, it uses the FortiGate external IP address as the source IP, which does not belong to the tunnel's local subnet, so the tunnel drops the packet. It is therefore crucial to apply source NAT so that the packet leaves with a source IP address within the local subnet of the VPN.
Unlike regular firewall policies, the proxy policy does not include a NAT option. In this scenario, it is necessary to configure an IP pool with an IP address that is part of the VPN's local subnet and apply this IP pool to the proxy policy. For guidance on creating the IP pool, refer to this KB article: Technical Tip: How to configure SNAT with IP pool
After setting up the IP pool, assign it to the proxy policy using the CLI:
config firewall proxy-policy
    edit {policyid}                  <----- Replace {policyid} with the ID of the proxy policy that allows traffic to the server.
        set poolname {name_IP_pool}  <----- Replace {name_IP_pool} with the name of the IP pool that was created.
    next
end
With this configuration, the FortiGate will use the IP pool range or address for source NAT, enabling connectivity through the VPN interface to the internal virtual server located at a different site.
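The following is an added, constructed example of the complete configuration (not taken from the original article). It assumes the IPsec phase 2 local selector is 192.168.10.0/24, the tunnel interface is named "to_SiteB", the ZTNA server publishing the RDP virtual server is named "ZTNA_RDP", and the EMS tag is "EMS1_ZTNA_Compliant"; all of these names and addresses are hypothetical.

```fortios
config firewall ippool
    edit "ZTNA_VPN_SNAT"
        set type overload
        set startip 192.168.10.254   <----- A free address inside the phase 2 local selector (192.168.10.0/24 in this example).
        set endip 192.168.10.254
    next
end

config firewall proxy-policy
    edit 1
        set name "ZTNA_RDP_to_SiteB"
        set proxy access-proxy
        set access-proxy "ZTNA_RDP"          <----- Hypothetical ZTNA server that maps to the RDP virtual server behind the VPN.
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set action accept
        set schedule "always"
        set logtraffic all
        set poolname "ZTNA_VPN_SNAT"         <----- Source NAT to the pool address so the packet matches the tunnel's local selector.
    next
end
```

To confirm the rewrite, run `diagnose sniffer packet to_SiteB 'port 3389' 4` while a client connects: packets entering the tunnel should show 192.168.10.254 as the source address, not the FortiGate external IP.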
Related documents: Using the IP pool or client IP address in a ZTNA connection to backend servers