Description | This article describes the HTTP and HTTPS access proxy services used in a ZTNA configuration and the difference between them. |
Scope | FortiGate. |
Solution |
The attached image displays a simple topology, showing one remote endpoint, FortiGate and the real server or the protected server.
With an HTTP/HTTPS access proxy, the connection between the remote endpoint and the FortiGate is always secured: a regular HTTPS connection is formed, just as when accessing a website over HTTPS. The Wireshark capture screenshot attached shows the connection between the IP source 10.5.210.33 and destination 10.5.146.35.
The connection between the FortiGate and the real/protected server depends on the type of Service selected, HTTP or HTTPS, as shown in the attached image.
If the Service is HTTP, the <proxy connection> formed by the FortiGate with the server uses the cleartext HTTP protocol. The Wireshark capture screenshot attached shows the connection between the IP source 172.16.1.1 and destination 172.16.1.3.
If the Service is HTTPS, the <proxy connection> formed by the FortiGate with the server uses the HTTPS protocol, which relies on SSL/TLS, and the traffic is encrypted. The Wireshark capture screenshot attached shows the connection between the IP source 172.16.1.1 and destination 172.16.1.3.
In summary, both the ZTNA HTTP and HTTPS access proxies are used to control access to web applications through a FortiGate acting as a secure gateway. The main difference is how the traffic between the FortiGate and the protected server is handled: cleartext HTTP for the HTTP service, TLS-encrypted HTTPS for the HTTPS service.
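The difference between the two legs can also be checked from the first client payload of each connection in a capture. The following is an added example, not part of the original article: it classifies a payload as a TLS ClientHello or a cleartext HTTP/1.x request and reports any leg that is not using TLS. The payload bytes are constructed samples, and the function and variable names are assumptions.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server TCP payload of a connection."""
    # TLS handshake record: type 0x16, version 0x03xx, 2-byte length, then
    # handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        (record_len,) = struct.unpack("!H", payload[3:5])
        if 0 < record_len <= 16384 and payload[5] == 0x01:
            return "tls"
    # Cleartext HTTP/1.x request line: METHOD SP target SP HTTP/1.x
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0]
        if request_line.rsplit(b" ", 1)[-1].startswith(b"HTTP/1."):
            return "http-cleartext"
    return "unknown"

def audit_legs(legs):
    """Return (leg, src, dst, kind) for every leg whose first payload is not TLS."""
    return [(name, src, dst, classify_first_payload(data))
            for name, src, dst, data in legs
            if classify_first_payload(data) != "tls"]

# Constructed sample payloads (not taken from the article's captures).
CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(41)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: 172.16.1.3\r\n\r\n"

# Addresses are the ones shown in the article's captures.
LEGS_HTTP_SERVICE = [
    ("endpoint-to-fortigate", "10.5.210.33", "10.5.146.35", CLIENT_HELLO),
    ("fortigate-to-server", "172.16.1.1", "172.16.1.3", HTTP_GET),
]
LEGS_HTTPS_SERVICE = [
    ("endpoint-to-fortigate", "10.5.210.33", "10.5.146.35", CLIENT_HELLO),
    ("fortigate-to-server", "172.16.1.1", "172.16.1.3", CLIENT_HELLO),
]

if __name__ == "__main__":
    for label, legs in (("HTTP", LEGS_HTTP_SERVICE), ("HTTPS", LEGS_HTTPS_SERVICE)):
        print(label, "service, legs not using TLS:", audit_legs(legs))
```

With the HTTP service, only the FortiGate-to-server leg is reported; with the HTTPS service, no leg is reported.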
|