If my proxy gateway is listening on port 9443 and the destination host is listening on 443, do I need to point my browser at https://example.com:9443? When I simply do https://example.com it doesn't work - I need to add 9443. I thought that FCT would append the 9443 to make it easier for the user... Thoughts?
In ZTNA you enter in your browser the address and port of the target server, in your case you use https://server:443, and the proxy does the job by proxying the traffic to FGT-Pub-IP:9443.
Good morning, thanks for helping me out.
Let me clarify:
ZTNA Proxy Gateway:
Destination Host: 10.99.99.7:443
What needs to go in the browser?
What entry should go into public DNS?
In your browser you enter https://10.99.99.7:443
In public DNS you need to define www.mypublicsite.com with its public IP.
My EMS config looks correct, pushed down to client. My ZTNA config on the gate looks correct as well. When I point my browser to https://10.99.99.7:443 it properly sends traffic on port 9443 and hits the ZTNA rule. The auth on the rule works as well. I see the internal two-way traffic between the gate and server on port 443. However, the page is never displayed and I have tried different web servers. Any other advice?
On FG, ZTNA server config, can you try TCP Forwarding instead of HTTPS?
It does work when doing TCP forwarding to 443... I think I must be running into certificate/DNS issues.
Public Proxy Gateway IP = x.x.x.x
Public Proxy Gateway FQDN = vpn.myztna.com
Real Destination Host IP = 10.99.99.7
My client currently has a FQDN entry in local hosts file like this:
vpn.myztna.com - 10.99.99.7
My client has root certs that trust the certs of both the Proxy Gateway and the Real Webserver. (Note the real webserver is a FortiManager VM).
Any ideas where this may be breaking? Does the same cert need to be installed on both the Proxy Gateway and the Real Server (FMG)?
Happy to hear that it works.
In my last integration I also used TCP forwarding since HTTPS didn't work for me (I still don't know why). But I don't remember if the proxy certificate is the one used when you use TCP forwarding instead of HTTPS.
Anyway, on your browser when you open the page you can check which certificate is seen by the client.
Really want to get to the bottom of why this doesn't work - it should. The certificate installed on the proxy gateway is the same as the one installed on the real webserver. The client trusts this certificate. The client properly resolves the name to the IP of the real server. Packet capture between the gate and the real webserver shows two way traffic on port 443.
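One way to do the certificate check suggested above from the command line, as an added example that is not part of this thread or of any Fortinet tooling: it connects the way the browser does and reports whether the certificate the client actually sees covers the exact name or IP typed into the address bar (a certificate whose only SAN is vpn.myztna.com does not cover the literal 10.99.99.7, even if the client trusts its issuer). The host and port are assumptions taken from the thread.

```python
"""Report the certificate a TLS endpoint presents and whether its SANs cover
the name or IP the client typed. Added example, not from the thread or from
Fortinet; host/port below are assumed from the discussion."""
import ipaddress
import socket
import ssl


def san_covers(target, sans):
    """True if `target` (DNS name or IP literal, as typed in the browser)
    matches one of the certificate's SAN entries. `sans` has the shape of
    ssl.SSLSocket.getpeercert()['subjectAltName']: (type, value) pairs."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # An IP literal in the URL is only covered by an IP Address SAN,
            # never by a DNS SAN, regardless of hosts-file or DNS entries.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            if value.lower() == target.lower():
                return True
            # Single-label wildcard: *.example.com covers a.example.com only.
            if value.startswith("*.") and "." in target:
                if target.lower().split(".", 1)[1] == value[2:].lower():
                    return True
    return False


def fetch_cert(host, port, timeout=5.0):
    """Connect with hostname checking off but chain validation on, so a
    trust failure and a name mismatch show up as two different findings."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we report the mismatch ourselves
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host, port = "10.99.99.7", 443  # assumed: the real server from the thread
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        raise SystemExit(f"chain not trusted by this machine: {exc}")
    sans = cert.get("subjectAltName", ())
    print("subject:", dict(rdn[0] for rdn in cert["subject"]))
    print("SANs:", sans)
    print(f"covers {host}: {san_covers(host, sans)}")
```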
Copyright 2024 Fortinet, Inc. All Rights Reserved.