How to configure ZTNA TCP reverse proxy for SaaS and ISDB services

This article describes how to configure the ZTNA TCP reverse proxy for internet-based SaaS services.

Scope

FortiGate, FortiClient EMS, FortiClient.

Solution

Through the ZTNA access proxy, SaaS and ISDB services can be published behind the FortiGate and combined with UTM inspection and inline CASB inspection for cloud-based services.

The following overview diagram shows a setup configured via TCP reverse proxy with ZTNA.

Step 1: Configure the VIP for the access proxy (can be created in the CLI only).

config firewall vip
    edit "ZTNA-SaaS-VIP"
        set uuid 5b1ea5ac-03d6-51ef-4201-74e68241fbb7
        set type access-proxy
        set server-type https
        set extip 10.10.0.1
        set extintf "any"
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next
end

Step 2: Create the firewall access proxy as in the example below. The api-gateway entry with service type saas selects the SaaS application from the ISDB.

config firewall access-proxy
    edit "ZTNA-SALEFORCE-Access-Proxy"
        set vip "ZTNA-SaaS-VIP"
        config api-gateway
            edit 1
                set url-map "/saas"
                set service saas
                set application "salesforce"
            next
        end
    next
end

Step 3: Configure the proxy address for Salesforce to be used in the proxy policy.

config firewall proxy-address
    edit "ZTA_SaaS_Salesforce"
        set uuid b7f148ce-3217-51ef-843e-92f99d1b6c5b
        set type saas
        set application "salesforce"
    next
end

Step 4: Create a proxy policy of type access-proxy (ZTNA) that allows Salesforce application access.

config firewall proxy-policy
    edit 1
        set uuid 3c5deb8a-322c-51ef-1565-e2bc71d30b2d
        set name "ZTA_Salesforce_App"
        set proxy access-proxy
        set access-proxy "ZTNA-SALEFORCE-Access-Proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "ZTA_SaaS_Salesforce"
        set action accept
        set schedule "always"
    next
end

The dstaddr is the proxy address object created in Step 3.

Step 5: Configure the ZTNA destination in FortiClient EMS.

  1. In FortiClient EMS, select Endpoint Profiles -> ZTNA Destinations.
  2. Create a new profile or edit an existing profile.
  3. Enter a Name, then select the Advanced option.
  4. Enable the destination option, then select the plus icon.
  5. Fill in the gateway details for the Salesforce service:
    • Gateway proxy address: 10.10.0.1:443
    • Browser user-agent for SAML login: FortiClient embedded browser
    • Alias: Salesforce
  6. Select Next.
  7. Under Private Applications, select Next.
  8. Under Applications, select Sales.
  9. Select Finish and Save.

The SaaS destination will be visible in FortiClient once it has synchronized.

The following SaaS applications are available in the ISDB for use as ZTNA SaaS applications:

MS saas app-grp
adp saas app
box saas app
sap saas app
jira saas app
zoom saas app
adobe saas app
azure saas app
gmail saas app
webex saas app
aws-s3 saas app
citrix saas app
egnyte saas app
github saas app
dropbox saas app
ms-word saas app
youtube saas app
zendesk saas app
docusign saas app
ms-excel saas app
ms-teams saas app
atlassian saas app
workplace saas app
box-upload saas app-acc
confluence saas app
google-web saas app
ms-outlook saas app
salesforce saas app
servicenow saas app
sharepoint saas app
ms-exchange saas app
ms-onedrive saas app
box-download saas app-acc
google-cloud saas app
google-drive saas app
oracle-cloud saas app
google-office saas app
ms-powerpoint saas app
dropbox-upload saas app-acc
gmail-getAttach saas app-acc
dropbox-download saas app-acc
twilio-video-cloud saas app
ms-onedrive-download saas app-acc
ms-outlook-getAttach saas app-ac