CarlosColombini
Article Id 207766
Description This article describes how to configure a ZTNA Rule for remote access to file shares (SMB).
Scope FortiGate 7.0.4, FortiClient 7.0.3.
Solution

Starting with FortiOS 7.0.4 and FortiClient 7.0.3, it is possible to use ZTNA TCP Forwarding Access Proxy rules to connect to a file share remotely without the need for a VPN connection.

 

Reviewing the following document may be helpful to better understand the ZTNA components.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/855420/zero-trust-network-ac...

 

Configuration Steps.

 

The steps are exactly the same as in the other TCP Forwarding configuration examples in the administration guide (link below).

The only difference is that the port used for SMB is 445.

 

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/101256/ztna-tcp-forwarding-a...
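
As an added illustration (not part of the original article or of Fortinet's documentation), a TCP forwarding access proxy for SMB could look like the following on FortiOS 7.0.4, using the real server name and external IP address from the examples on this page. The object names, the `port1` interface, external port 8443, the `Fortinet_SSL` certificate, the policy ID and the EMS tag placeholder are assumptions; lines starting with `#` are annotations for the reader.

```fortios
# Real server (the file server), referenced by FQDN
config firewall address
    edit "rds1"
        set type fqdn
        set fqdn "rds1.colombas.lab"
    next
end
# External access proxy VIP that FortiClient connects to over HTTPS
config firewall vip
    edit "ZTNA-SMB"
        set type access-proxy
        set extip 192.168.10.43
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
# TCP forwarding to the file server on the SMB port
config firewall access-proxy
    edit "ZTNA-SMB"
        set vip "ZTNA-SMB"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "rds1"
                        set mappedport 445
                    next
                end
            next
        end
    next
end
# ZTNA rule: only endpoints carrying the EMS tag may reach the share
config firewall proxy-policy
    edit 1
        set name "ZTNA-SMB"
        set proxy access-proxy
        set access-proxy "ZTNA-SMB"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "rds1"
        set ztna-ems-tag "EMS_TAG_PLACEHOLDER"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Keeping `client-cert` enabled and matching on a ZTNA tag limits access to port 445 on the file server to EMS-registered endpoints that carry that tag, and `logtraffic all` records each forwarded session for review.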

 

Note.

Starting with FortiClient EMS 7.0.3, ZTNA Connection Rules can also be created via the GUI rather than only via XML files.
https://docs.fortinet.com/document/forticlient/7.0.3/ems-administration-guide/543857/ztna-connection...

 

It is common to map network drives using the file server name. This can also be done starting with FortiClient 7.0.3, which supports FQDN-based ZTNA TCP forwarding services as per documentation below.


FortiClient configuration:

https://docs.fortinet.com/document/forticlient/7.0.3/administration-guide/814327/fqdn-based-ztna-tcp...


FortiGate configuration:

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/166918/ztna-tcp-forwarding-a...

 

The file share can be accessed directly if the full path is known, or it can be mapped to a network drive by browsing the file server tree.


In the examples below, 'rds1.colombas.lab' is the private address/real server, and '192.168.10.43' is the external IP address of this FortiGate.

Direct access to the file share with the full path via the 'Run' shortcut or 'File Explorer'.

 


 


Mapping a network drive.

 
