ZTNA virtual host feature introduction

This article introduces the ZTNA virtual host feature.

Scope

FortiGate.

Solution

In the ZTNA configuration, a Virtual Host is introduced in the Server Mapping to match the host part of the ZTNA request, that is, the address of the ZTNA Proxy Gateway the endpoint host is trying to access.

For example:

The FortiGate has 10.56.240.210 and port 443 configured as the external IP and port in the ZTNA proxy gateway. The server IP 10.24.1.15 is configured as the real server IP in the server mapping.

Assume the endpoint host is connected to the EMS and has the correct tag assigned. When it accesses the server behind the FortiGate via ZTNA, it sends the ZTNA request to the ZTNA proxy gateway, which then initiates the HTTP or TCP traffic to the real server, depending on the service type.

The endpoint host can reach the ZTNA proxy gateway either via the IP address 10.56.240.210 or via an FQDN that resolves to this IP.

The Virtual Host in the ZTNA Server Mapping is what this IP or FQDN is matched against. There are two options:

  • Any Host: If the IP address, or the IP the FQDN resolves to, that the endpoint host is trying to access matches the external IP address (access proxy VIP), the ZTNA request is mapped to the real server.
  • Specify: The IP or FQDN that the endpoint host is trying to access must match the value entered here (either an IP or an FQDN).

In this example, since the ZTNA proxy gateway address the endpoint user connects to is 10.56.240.210, the Virtual Host, if specified, must be the IP address 10.56.240.210. Otherwise, 'Any Host' can be chosen instead.

If the Proxy Gateway address the end user is trying to access does not match the specified Virtual Host, an error is recorded in the ZTNA traffic log. The log message shows what the ZTNA request looks like; its host part is what must match the Virtual Host specified here.

If the endpoint user has multiple FQDNs and all of them resolve to the Proxy VIP 10.56.240.210, a particular FQDN can be specified in the Virtual Host so that only requests for that proxy gateway FQDN are mapped to the real server.

It is not necessary to configure the Virtual Host when only one FQDN resolves to the external IP, or when the user accesses the IP address directly.

The common use case for the ZTNA Virtual Host is when there is only one public IP on the FortiGate but multiple real servers need to be mapped. In this case, the user needs multiple FQDNs that all resolve to the external IP of the ZTNA server, and each FQDN is mapped to a different real server. Because every mapping shares the same VIP, each mapping should carry its own specific Virtual Host; leaving more than one of them on 'Any Host' makes it ambiguous which real server a request is mapped to.
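The single-VIP, multiple-FQDN case described above, written out as an added FortiOS CLI configuration example. It is not configuration from the original article. It assumes two FQDNs, app1.example.com and app2.example.com, that both resolve to the VIP 10.56.240.210, a second real server 10.24.1.16 in addition to the article's 10.24.1.15, and object names (ZTNA-VIP, vh-app1, vh-app2, ZTNA-Proxy) and the certificate name Fortinet_Factory that are placeholders. The syntax follows the FortiOS 7.0-era `firewall access-proxy-virtual-host` and `firewall access-proxy` objects; check option names against the CLI reference for the firmware in use.

```text
# Added example. Names, the second FQDN and the second real server IP are assumptions.

# Access proxy VIP: the single external IP and port every endpoint connects to.
config firewall vip
    edit "ZTNA-VIP"
        set type access-proxy
        set extip 10.56.240.210
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next
end

# One virtual host per FQDN. The host value is matched against the host the
# endpoint asked for, so the two FQDNs are told apart even though both
# resolve to 10.56.240.210.
config firewall access-proxy-virtual-host
    edit "vh-app1"
        set ssl-certificate "Fortinet_Factory"
        set host "app1.example.com"
        set host-type sub-string
    next
    edit "vh-app2"
        set ssl-certificate "Fortinet_Factory"
        set host "app2.example.com"
        set host-type sub-string
    next
end

# Server mappings: each api-gateway entry binds one virtual host to one
# real server behind the same VIP.
config firewall access-proxy
    edit "ZTNA-Proxy"
        set vip "ZTNA-VIP"
        config api-gateway
            edit 1
                set virtual-host "vh-app1"
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.24.1.15
                        set port 443
                    next
                end
            next
            edit 2
                set virtual-host "vh-app2"
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.24.1.16
                        set port 443
                    next
                end
            next
        end
    next
end
```

For the article's own single-server case, where the endpoint connects to the IP directly, one api-gateway entry suffices, either with no virtual host ('Any Host') or with a virtual host whose `host` is `10.56.240.210`. The ZTNA rule (firewall policy with the EMS tags) that authorizes the endpoint is unchanged by the virtual host and is not shown here.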