Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MartinPe
New Contributor

Fortigate ZTNA forward authentication to backend server

Hi,

I am quite new to fortigate and ZTNA. But anyway I got a fortigate and a FortiEMS set up, they are connected through fabric.
I have set up a ZTNA Server and have TCP forwarding to some RDP servers. It works even though only running TCP is killing the Terminal Server performance.
So to the problem, I am trying to set up a reverse web proxy against an internal server where I need to pass authentication. So I tried to make create a authentication schema and I get the prompt and I am authenticated but it is never passed to the backend server. So my question is, is this at all possible?

The backend server is a common IIS with Negotiate and NTLM  as authentication.
my goal is to expose this server to the internet and in best case have a transparent authentication of the logged in user in the windows client all the way trough the reverse proxy into the internal server.
I have done it with TCP forwarding of port 443 but a reverse web proxy is probably a better choice if possible.

Any input is appreciated

1 Solution
Faiza_Emam_Delhi
Contributor

Hello,

 

Yes, it is possible to set up a reverse web proxy against an internal server and pass authentication to the backend server. To achieve this, you will need to configure the FortiGate to forward authentication requests to the backend server.

 

Here are the steps to configure FortiGate ZTNA forward authentication to backend server:

 

1. Create an authentication schema that matches the authentication method used by the backend server (Negotiate and NTLM).

 

2. Create a virtual server that listens on the appropriate port (80 or 443) and uses the authentication schema.

 

3. Configure the virtual server to forward requests to the backend server.

 

4. Enable authentication forwarding on the virtual server.

 

5. Test the configuration to ensure that authentication is passed to the b

ackend server.

Thanks & Regards,
Faizal Emam

View solution in original post

Thanks & Regards,Faizal Emam
1 REPLY 1
Faiza_Emam_Delhi
Contributor

Hello,

 

Yes, it is possible to set up a reverse web proxy against an internal server and pass authentication to the backend server. To achieve this, you will need to configure the FortiGate to forward authentication requests to the backend server.

 

Here are the steps to configure FortiGate ZTNA forward authentication to backend server:

 

1. Create an authentication schema that matches the authentication method used by the backend server (Negotiate and NTLM).

 

2. Create a virtual server that listens on the appropriate port (80 or 443) and uses the authentication schema.

 

3. Configure the virtual server to forward requests to the backend server.

 

4. Enable authentication forwarding on the virtual server.

 

5. Test the configuration to ensure that authentication is passed to the b

ackend server.

Thanks & Regards,
Faizal Emam
Thanks & Regards,Faizal Emam
Top Kudoed Authors