Dear All
I'm using FortiOS 7.4, Forticloud EMS 7.2, and Forticlient 7.2.2
I have problem to access internal http/s service/server's that are mapping in ZTNA server Fortigate and listed in ZTNA destination EMS.
I follow this guide ; https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/708477/mapping-ztna-virtual-...
I try to access internal domain name from internet with URL https://hris.br.bayangroup.net and https://ems.br.bayangroup.net, and the error from Forticlient endpoint are :
Error Code: 022
Error Message: The page you requested has been blocked because the real server in the API gateway cannot be found.
Certificate Information: No end-point info found. Client certificate is provided.
This is my relevant FortiOS config :
config firewall vip
edit "ZTNA-ISP1"
set type access-proxy
set server-type https
set extip xx.xx.xx.xx
set extintf "port1"
set extport 443
set ssl-certificate "Wildcard_certificate_EXP_2023"
next
config firewall access-proxy-virtual-host
edit "auto-ZTNA-ISP1-0"
set ssl-certificate "Wildcard_certificate_EXP_2023"
set host "hris.br.bayangroup.net"
next
edit "auto-ZTNA-ISP1-1"
set ssl-certificate "Wildcard_certificate_EXP_2023"
set host "ems.br.bayangroup.net"
next
end
config firewall access-proxy
edit "ZTNA-ISP1"
set vip "ZTNA-ISP1"
set add-vhost-domain-to-dnsdb enable
config api-gateway
edit 1
set service http
set virtual-host "auto-ZTNA-ISP1-0"
config realservers
edit 1
set ip 10.1.100.38
set port 80
next
end
next
edit 2
set virtual-host "auto-ZTNA-ISP1-1"
config realservers
edit 1
set ip 10.1.1.57
next
end
config firewall proxy-policy
edit 1
set name "ZTNA01-Pol"
set proxy access-proxy
set access-proxy "ZTNA-ISP1"
set srcintf "upg-zone-port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
next
How to access my internal protected resources by FQDN ?
Please kindly help
cant tell exactly without the logs but error indicate some issue between your fortigate and ems as there is no endpoint record found. Did you try to recreate security fabric or verify your EMS cert again ? You should see endpoint record in your FGT when lunch di endpoint record list via cli..
maybe you can open ticket with TAC to speedup troubleshooting ? Do you know that you can call in support number to get immediate assistance on such issues?
Pavol
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.