FortiGate
Divya_N, Staff
Article Id 414901
Description This article describes a ZTNA access proxy configuration example.
Scope FortiOS, FortiClient.
Solution

This article focuses on a TCP forwarding access proxy configured for RDP connections.

 

Network Diagram:

 

TCP proxy.png

 

In this example, FortiGate has a successful connection with FortiClient EMS, and ZTNA tags are synced to the FortiGate.

 

In this example, EMS is deployed on the Windows server (Winserver), and the same server exposes TCP port 3389 for the RDP connection.

 

Configuration details:

On FortiGate, navigate to Policy & Objects -> ZTNA -> ZTNA Server and configure the access proxy VIP for the RDP access:

 

VIP config.png

 

To configure the mapped port and TCP forwarding to the access proxy VIP, edit Service/Server mapping and configure the settings as follows:

 

mapping.png

 

Configuration of access proxy in CLI:

 

config firewall vip
    edit "RDP"
        set uuid c961eb5a-cba8-51f0-0bd0-83f230f0c5cd
        set type access-proxy
        set server-type https
        set extip 10.109.22.118
        set extintf "port2"
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end

 

config firewall access-proxy
    edit "RDP"
        set vip "RDP"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "Internal RDP"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

 

The address object for the forwarding server is configured as follows:

 

Address obj.png

 

Next, a firewall policy of type 'ZTNA' is configured: its ZTNA server is the access proxy defined above, its destination is the real server address object, and the synced ZTNA tags are enforced so that only endpoints matching those tags are allowed through:

 

policy.png

 

On the FortiClient, ZTNA destinations are configured as follows:

 

FCT.png

 

On the client PC, open an RDP connection to the internal server IP. FortiClient matches the ZTNA destination configured above and tunnels the traffic to the access proxy; a successful connection provides RDP access.

 

RDP.png

 

Logs for the successful RDP connection:

 

logs.png

 

Debugging:

WAD debug logs can generate a very large amount of output. It is highly recommended to apply as many filters as possible so that the WAD daemon only logs the traffic of interest:

diagnose debug disable
diagnose debug reset
diagnose wad filter clear
diagnose debug console timestamp enable
diagnose wad filter src x.x.x.x   <----- x.x.x.x is the client (FortiClient) IP address.
diagnose wad filter dport xxx     <----- xxx is the external port of the access proxy VIP that the client connects to (extport, 8443 in this example).
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose wad filter list          <----- verify the filters before enabling output.
diagnose wad debug show
diagnose debug enable

Reproduce the RDP connection from the client while the debug is running.

To stop WAD debugging:

diagnose debug disable
diagnose wad filter clear
diagnose debug reset