Fortinet FortiClient/FortiEMS/FortiGate using ZTNA tags to reach RDP server how to guide

  • Published 14 Dec 2022
  • Fortinet FortiClient/FortiEMS/FortiGate how-to guide: using ZTNA tags and TCP forwarding to reach an RDP server. Demonstrates configuring FortiEMS and FortiGate so that a remote user's RDP client is tunneled through the FortiGate ZTNA access proxy via TCP forwarding, with ZTNA tags deciding whether the endpoint is allowed or denied access to the internal RDP server.
  • Science & Technology
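The FortiGate side of the workflow the description outlines (ZTNA access proxy VIP, a TCP-forwarding gateway to the internal RDP host, and a ZTNA rule gated on an EMS tag), added here as an illustrative FortiOS CLI example rather than configuration taken from the video. The interface name, IP addresses, listening port, certificate name and EMS tag name are all assumptions; in particular the tag object must match the name EMS pushes to the FortiGate once the EMS fabric connector is up.

```fortios
# Assumed lab values (not from the video): port1 = WAN with 203.0.113.10,
# internal RDP host 10.88.0.10, EMS-synced tag "EMS1_ZTNA_Win_Domain_Joined".

# Address object for the real server behind the proxy.
config firewall address
    edit "rdp-server"
        set subnet 10.88.0.10 255.255.255.255
    next
end

# ZTNA access proxy VIP: remote clients connect here over HTTPS (9443);
# TCP/3389 is never exposed on the WAN interface.
config firewall vip
    edit "ztna-proxy"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 9443
        set ssl-certificate "Fortinet_SSL"
    next
end

# Access proxy with a TCP-forwarding gateway. client-cert enable makes the
# FortiGate demand the device certificate EMS issued to the FortiClient,
# which is how the endpoint is identified and its tags looked up.
config firewall access-proxy
    edit "ztna-proxy"
        set vip "ztna-proxy"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "rdp-server"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

# ZTNA rule: only endpoints carrying the EMS tag may use the gateway.
# Endpoints without the tag fall through to the implicit deny, which is the
# allow/deny decision the description refers to.
config firewall proxy-policy
    edit 1
        set name "ZTNA-RDP-allow"
        set proxy access-proxy
        set access-proxy "ztna-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Win_Domain_Joined"
        set action accept
        set logtraffic all
    next
end
```

On the endpoint side, the matching EMS ZTNA destination rule (also an assumption for this example) would name the destination host 10.88.0.10:3389 and the proxy gateway 203.0.113.10:9443, so that an RDP client pointed at the server's internal IP is redirected by FortiClient into the TLS session to the VIP. The client's connection terminates on the FortiGate and the real server is reached from the FortiGate itself, so the proxy-policy above is the rule that permits or blocks it; logtraffic all is worth keeping so denied attempts from untagged endpoints show up in the ZTNA logs.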

Comments • 28

  • @user-vm5pj2dd6e
    @user-vm5pj2dd6e 11 months ago +4

    Great video! Thank you for putting out something clear, concise and easy to understand.
    I would love to see you do another version of this video with the updated 7.2.5 FortiGate GUI and FortiClient EMS
    7.2.1 versions as the interface was changed significantly.

  • @hubertwz
    @hubertwz 1 year ago +1

    Great presentation!

  • @krzysztofjasion8549
    @krzysztofjasion8549 months ago

    Great video! Thank you very much.

  • @boubennaayoub2288
    @boubennaayoub2288 1 year ago

    thank you very much great video

  • @user-wr8zn4cf4b
    @user-wr8zn4cf4b months ago

    Cool, learned something new, thank you

  • @hildicortes
    @hildicortes 1 year ago +1

    My friend, this is the best video about Fortinet ZTNA by far. Thanks for sharing such good content. It is a shame we can't try ZTNA without a license, but this video really helps. I have a little question for you: FortiClient EMS must be reachable by any client, off-fabric and on-fabric, right? So is it necessary to do a VIP and put it in a DMZ so it can be reached from any part of the world by the clients, and must all the FortiClients point to this public IP? I am not sure about it. Again, I appreciate this video, thanks.

    • @fortialex
      @fortialex 1 year ago +2

      Yes, that is correct. If you are hosting EMS on-prem you will need to have it in a DMZ and open the ports listed in the following document: docs.fortinet.com/document/forticlient/7.2.0/ems-quickstart-guide/439480/required-services-and-ports. Also, you can download the FortiEMS VM image from the support website, and that will give you 3 trial licenses that you can test the product out with. Go through the installation of the VM and then skip the licensing part, which will activate it as a trial and give you the 3 free licenses to use and test it out.

  • @lazzybug007
    @lazzybug007 months ago

    Thank you

  • @deezgasx331
    @deezgasx331 7 months ago +2

    Is there any configuration needed in the firewall policy? I followed the steps, but I am unable to RDP to my server using the local IP address.

  • @oinkersable
    @oinkersable 9 months ago

    Thanks for the vids Alex. Did you ever get it working when using DNS names instead of IPs for the ZTNA destinations? I believe it can be done where the FortiClient updates the hosts file on the endpoint with each entry, but I couldn't get it to work in the lab; there may be some version dependencies though. Cheers

    • @fortialex
      @fortialex 9 months ago

      I do not have an internal DNS server, so this won't be possible for me to set up at the moment. It should be doable though. You'll need an internal DNS server resolving your internal hostnames, and to get your endpoints connectivity to this server.

  • @emiljacobson7586
    @emiljacobson7586 months ago

    Did you pre-configure the 'ZTNA Destinations' in FortiClient before configuring the 'ZTNA Destination' in FC-EMS?
    That's a step you don't show, and my destinations from EMS aren't synchronized to FortiClient.
    Thanks,
    E

  • @Klarkooi
    @Klarkooi 3 months ago

    Does it work for other use cases besides RDP, for example where a certain system-based user account is used for PowerShell or other protocol access to a corp server?

  • @chrismoore1981
    @chrismoore1981 7 months ago

    Great video Alex!! Am I correct in saying that FSSO is no longer needed? I would think FortiClient with ZTNA is a much better solution for RBAC vs FSSO.

    • @fortialex
      @fortialex 7 months ago

      FortiClient ZTNA is a more comprehensive RBAC than just FSSO, as you can control access to resources based on a wider set of endpoint posture checks. FSSO allows/denies access to resources based strictly on who's logged into the endpoint and what AD group they are a part of, whereas ZTNA has many, many different posture checks you can perform, including but not limited to AD group.

  • @fabricembomda2045
    @fabricembomda2045 6 months ago

    great !!!!!

  • @MG-pf9xf
    @MG-pf9xf 5 months ago

    Hi. You mentioned the Proxy IP is your WAN interface IP, which is set up on a VIP. Then what IP are you using on the ZTNA server? Please explain a bit.

    • @MG-pf9xf
      @MG-pf9xf 5 months ago

      ?

  • @guerriero33t
    @guerriero33t 11 months ago +1

    This is dated. It is 6 months old... the FortiGate and EMS interfaces have changed.

  • @user-pe6wr8xq9o
    @user-pe6wr8xq9o 6 months ago

    Is there a way to set up ZTNA just on a FortiGate without EMS and such?

    • @fortialex
      @fortialex 6 months ago

      No, the Fortinet solution requires EMS and FortiClient, or SASE.

  • @MG-pf9xf
    @MG-pf9xf 6 months ago

    Hi. Do I need to put my on-prem EMS server in the DMZ and allow ports? Because when I go off-fabric the FortiClient shows disconnected.

    • @fortialex
      @fortialex 5 months ago

      Yes, on-prem EMS needs to have ports open on the upstream firewall to allow remote devices to communicate with it. A list of the necessary ports can be found here: docs.fortinet.com/document/forticlient/7.2.2/ems-quickstart-guide/439480/required-services-and-ports

    • @MG-pf9xf
      @MG-pf9xf 5 months ago

      @@fortialex Thanks. Do I need to put that EMS server in the DMZ, or will a VIP with static NAT be fine, and then put that VIP in FortiClient so it can communicate with the EMS server from the outside world?

    • @MG-pf9xf
      @MG-pf9xf 5 months ago

      ?

  • @recardooneal9900
    @recardooneal9900 6 months ago

    How do ZTNA rules interact with regular firewall policy?

    • @fortialex
      @fortialex 6 months ago

      They do not interact with regular firewall policy rules; they are separate. ZTNA rules protect ZTNA servers that you define.