dstintf "wan2" is correct; it is the hardware port, but we configured it software-wise as a LAN port.
I tried NAT and without NAT without noticing any difference.
My understanding of how SSL VPN web mode works is that the user connects to the FortiGate; after he passes authentication, the FortiGate establishes (in my case) an RDP connection and displays the visual content to the user.
Is that correct?
In this case it would not matter if NAT is enabled or disabled, because the FortiGate has direct access to the wan2 interface.
Yes, of course, if "wan2" is a LAN port there is no need to NAT the traffic.
In your example, the user's host connects to the FGT, authenticates, and receives an IP address from a static range. Then the host connects via RDP (or the RDP client in the web portal) to the server. The host's source address is from the range "SSLVPN_TUNNEL_ADDR1". The target should know how to route traffic to this subnet.
And yes, you're right, no traffic would suggest the policy is dispensable. You will know for sure after looking at the traffic with 'diag debug flow'.
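A concrete form of the ssl.root-to-wan2 policy and of the 'diag debug flow' check mentioned in the reply above, added here as an example; it is not taken from the thread or from Fortinet's own documentation. The policy name "sslvpn-to-rdp", the address object "rdp-server" and the server IP 192.0.2.10 are placeholders; "ssl.root", "SSLVPN_TUNNEL_ADDR1" and the predefined "RDP" service are standard FortiOS objects.

```fortios
# Placeholder address object for the RDP host behind wan2
config firewall address
    edit "rdp-server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# Policy from the SSL VPN interface to the LAN-configured wan2 port.
# NAT is left disabled: wan2 is a local segment, so the RDP host sees the
# SSL VPN client's tunnel address and must have a route back to that range.
config firewall policy
    edit 0
        set name "sslvpn-to-rdp"
        set srcintf "ssl.root"
        set dstintf "wan2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "rdp-server"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end

# Verify whether RDP traffic actually traverses the policy. Filter on the
# server address and port 3389 so the trace only shows the flow of interest,
# then start the RDP session from the portal and read the output.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow filter port 3389
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# ... reproduce the RDP connection here ...

# Always switch the trace off again; debug output is not meant to stay on.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

If the trace shows the session being created with "Allowed by Policy-<id>" and that id is the one above, the policy is in use; if the RDP session works and no matching flow appears (for example because the web-mode proxy on the FortiGate itself originates the connection), the policy is not what carries the traffic and "set logtraffic all" will likewise stay empty.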