How to setup Fortinet ZTNA Access Proxy (ZTNA Setup) 

Chad Emery
21K views

Hello everyone!
In this video I am going to show you Fortinet ZTNA Proxy!
Previous Video on ZTNA: • How to use Fortinet Ze...
Follow me on Instagram! / emerychad
Links:
ZTNA : docs.fortinet.com/document/fo...
FortiEMS Trial : www.fortinet.com/demand/gated...
FortiEMS Requirements: docs.fortinet.com/document/fo...

Published: 4 Mar 2022

Comments: 16
@tbits01 9 months ago
Working on setting this up now! This is super helpful so thank you!!!
@maryamjalalian1653 2 years ago
Great video with details about setting up ZTNA and points to pay attention to prior to setting up ZTNA and the topology. Thanks Chad
@ChadEmery 2 years ago
Always happy to help!
@xiuhuazhai1168 10 months ago
Great video Chad!! Straight to the point. One question: did you have any agent software, like FortiClient, installed on your workstation, so it can report the workstation status to the EMS server?
@ChadEmery 10 months ago
Yes, FortiClient is needed to make this seamless. Thank you for learning with me!
@ramishakhan4107 2 years ago
Hey Chad, thanks for the video.
- I have a question: if an endpoint is on the public internet, how would it know which public IP (external IP) to hit while trying to access our internal resources? Do we have to do some specific configuration for this on the FortiClient or somewhere else?
- In our environment EMS is on premises (in DMZ zone); do we need to NAT its internal IP on the outside?
Thanks again for your video.
@ChadEmery 2 years ago
You would want to use DNS to map your public IP to your external IP, if you can. Otherwise users would have to know that IP to type it in. There is a way through policy to extend that info to FortiClient so when a user tries to access a remote resource it knows what public IP to use. I didn’t show that in the video but that is possible and can be set up via EMS. This is known as TCP forwarding rules. You can find documentation on Fortinet's support page for ZTNA. Your second question is correct. You would ideally set up a VIP for the EMS server to register to remotely so users can sync tags on demand. I hope this was helpful!
@jolyntoh7533 5 months ago
Currently working on this setup too, but I am facing the issue of “403 Foribidden: incorrect proxy service was requested The web server reported that an error occured while trying to access the website. Please return to the previous page. URL ….” Do you have any idea how to resolve this issue?
@ciaica593 2 years ago
There were lots of ZTNA bugs resolved between 7.0.2 and 7.0.3 on the FortiClient. I spent a few weeks with support working these out.
@ChadEmery 2 years ago
That’s why I tried the upgrade first to fix my issues, but even that didn’t do it. I do want to add, for others to see: make sure your FortiClient has the ZTNA certificate permission if you deploy a custom install package. Otherwise the client will never ask the agent to authenticate.
@siva140988 1 year ago
Are there any labs provided by Forti? Paid or free?
@usamasafdar6053 2 years ago
Hey Chad. New subscriber here. Loved the video. I am doing a ZTNA setup for the first time for a client. Can you please clarify:
1. How is an endpoint which is not on the same LAN network as the EMS & FortiGate able to connect to the internal resources?
2. If I am not wrong, the ZTNA Server external IP is the public IP of the firewall?
3. Why did you create multiple ZTNA servers? Just to map the services, or was there any other difference as well?
Keep up the good work, and I would really appreciate it if you can do a video on configuration of FortiClient EMS as well. Thanks.
@ChadEmery 2 years ago
Your 2nd question is correct and pretty much answers the first. The FortiGate acts as a proxy to handle the connections to the LAN and the remote end user. The FortiGate will respond to requests on behalf of the local resources like a normal proxy server would. You could set up a DNS record with the public IP to make things easier for end users. As far as the last question, I had a ton of issues getting it to work, so the second proxy server was just for testing. You could set up just one and through policy achieve the desired results. I hope this was helpful and thank you for watching and subscribing!
@usamasafdar6053 2 years ago
@ChadEmery Thanks Chad. I was able to resolve many issues thanks to you. Also, do we have to have multiple external IP addresses to configure ZTNA servers, or is there a way to distinguish them if we have one external IP? And the URL you used, "firewall1": any specific reason to use that?
@ChadEmery 2 years ago
@usamasafdar6053 You can set up one access server and use policy to differentiate between internal services. The example was supposed to show that via the URL /firewall I could reach a certain firewall and then map others that way, but unfortunately that didn’t work and isn’t the suggested way of doing it, so I apologize for the confusion there. A better way to map multiple resources is through the use of external ports, or to set up TCP rules via FortiEMS. If you look through the documentation on their site, there is good information on achieving this.
@user-jd4gr1ic6c 8 months ago
Fortinet ZTNA is buggy