Great video with details about setting up ZTNA and points to pay attention to prior to setting up ZTNA and the topology. Thanks Chad
@ChadEmery 2 years ago
Always happy to help!
@tbits01 1 year ago
Working on setting this up now! This is super helpful so thank you!!!
@julio_alvarado 4 months ago
This video was great, but you skip the beginning of connecting the EMS to your Firewall first. Great Job!
@ciaica593 2 years ago
There were lots of ZTNA bugs resolved between 7.0.2 and 7.0.3 on the FortiClient. I spent a few weeks with support working these out.
@ChadEmery 2 years ago
That’s why I tried the upgrade first to fix my issues but even that didn’t do it. I do want to add for others to see: make sure your FortiClient has the ZTNA certificate permission if you deploy a custom install package. Otherwise the client will never ask the agent to authenticate.
@siva140988 1 year ago
Are there any labs provided by Forti? Paid or free
@jolyntoh7533 11 months ago
Currently working on this setup too but I am facing the issue of “403 Forbidden: incorrect proxy service was requested The web server reported that an error occurred while trying to access the website. Please return to the previous page. URL ….” Do you have any idea how to resolve this issue?
@xiuhuazhai1168 1 year ago
Great video Chad!! Straight to the point. One question: did you have any agent software, like FortiClient, installed on your workstation, so it can report the workstation status to the EMS server?
@ChadEmery 1 year ago
Yes, FortiClient is needed to make this seamless. Thank you for learning with me!
@usamasafdar6053 2 years ago
Hey Chad. New subscriber here. Loved the video. I am doing a ZTNA setup for the first time for a client. Can you please clarify:
1. How is an endpoint which is not on the same LAN network as the EMS & FortiGate able to connect to the internal resources?
2. If I am not wrong, the ZTNA server external IP is the public IP of the firewall?
3. Why did you create multiple ZTNA servers? Just to map the services, or was there any other difference as well?
Keep up the good work, and I would really appreciate it if you could do a video on configuration of FortiClient EMS as well. Thanks.
@ChadEmery 2 years ago
Your 2nd question is correct and pretty much answers the first. The FortiGate acts as a proxy to handle the connections to the LAN and the remote end user. The FortiGate will respond to requests on behalf of the local resources like a normal proxy server would. You could set up a DNS record with the public IP to make things easier for end users. As far as the last question, I had a ton of issues getting it to work, so the second proxy server was just for testing. You could set up just one and through policy achieve the desired results. I hope this was helpful and thank you for watching and subscribing!
@usamasafdar6053 2 years ago
@ChadEmery Thanks Chad. I was able to resolve many issues thanks to you. Also, do we have to have multiple external IP addresses to configure ZTNA servers, or is there a way to distinguish them if we have one external IP? And the URL you used, "firewall1", any specific reason to use that?
@ChadEmery 2 years ago
@usamasafdar6053 You can set up one access server and use policy to differentiate between internal services. The example was supposed to show that via the URL /firewall I could reach a certain firewall and then map others that way, but unfortunately that didn’t work and isn’t the suggested way of doing it, so I apologize for the confusion there. A better way to map multiple resources is through the use of external ports or to set up TCP rules via fortiems. If you look through the documentation on their site there is good information on achieving this.
@ramishakhan4107 2 years ago
Hey Chad, thanks for the video.
- I have a question: if an endpoint is on the public internet, how would it know which public IP (external IP) to hit while trying to access our internal resources? Do we have to do some specific configuration for this on the FortiClient or somewhere else?
- In our environment EMS is on premises (in DMZ zone); do we need to NAT its internal IP on the outside?
Thanks again for your video.
@ChadEmery 2 years ago
You would want to use DNS to map your public IP to your external IP, if you can. Otherwise users would have to know that IP to type it in. There is a way through policy to extend that info to FortiClient so when a user tries to access a remote resource it knows what public IP to use. I didn’t show that in the video but that is possible and can be set up via EMS. This is known as TCP forwarding rules. You can find documentation on Fortinet's support page for ZTNA. Your second question is correct. You would ideally set up a VIP for the EMS server to register to remotely so users can sync tags on demand. I hope this was helpful!