AAG Quick Start Lab Guide

A Quick Start Lab Guide on how to set up the Application Access Gateway using a local user account.

Workflow:

  1. Configure a local user
  2. Configure a user group
  3. Configure the AAG Application Group
  4. Configure the AAG Application Portal
  5. Configure the AAG Application Access Policy
  6. Configure a Virtual Server for the AAG
  7. Test
Configure a Local User

  • Log in to the FortiADC with the username admin and password fortinet
  • Go to Application Access Manager → Local User
  • Click +Create New
  • Name: user1
  • Password: user1
  • Save
Configure a User Group

  • Go to Application Access Manager → User Group
  • Click +Create New
  • Group Name: AAG-Users
  • Save
  • Click +Create New
  • Type: Local
  • Local User: user1
  • Save
Configure the AAG Application Group

  • Go to Application Access Manager → Agentless Application Gateway → App Group
  • Click +Create New
  • Name: AAG-App-Group
  • Save
  • Click +Create New
  • Name: DVWA-SSH
  • Type: Web-SSH
  • Host: 10.1.3.4
  • Port: 22
  • Set the Advanced Setting flag to ON
  • Username: xperts2025
  • Password: *********
  • Save
  • Save
Configure the AAG Application Portal

  • Go to Application Access Manager → Agentless Application Gateway → App Portal
  • Click +Create New
  • Name: AAG-App-Portal
  • Save
  • Click +Create New
  • Title: AAG-App-Portal
  • App Group: AAG-App-Group
  • Save
  • Save
Configure the AAG Application Access Policy

  • Go to Application Access Manager → Agentless Application Gateway → Access Policy
  • Click +Create New
  • Name: AAG-Access-Policy
  • Set the App Portal Access flag to ON
  • Save
  • Click +Create New
  • Name: AAG-Portal-Users
  • User Group: AAG-Users
  • App Portal: AAG-App-Portal
  • Save
  • Save
Configure a Virtual Server for the AAG

  • Go to Server Load Balance → Virtual Server
  • Click +Create New
  • Name: AAG
  • Type: Layer 7
Info

There is no need to save yet. Complete the General Tab and the Monitoring Tab first, then save the whole configuration.

  • Click on the General Tab
  • Address: 10.1.2.100
  • Port: 9443
  • Interface: Port1
Info

The Profile needs to be an AAG Profile.

  • Profile: LB_PROFILE_APP_ACCESS
  • Access Policy: AAG-Access-Policy

No need to save yet.

  • Click on the Monitoring Tab
  • Toggle the Traffic Log flag to ON
  • Save
Info

Traffic logging should be used mainly for debugging, because it consumes extensive memory and CPU resources. Disable traffic logging after debugging is complete.

Go to FortiView → Logical Topology

You should see your Application Access Gateway.

Test

Test AAG Access

  • RDP to the Client
  • Open Firefox
  • Go to https://10.1.1.100:9443
  • Username: user1
  • Password: user1

You should see your App Group.

Click the DVWA-SSH App Group.

You should have access to the DVWA server via SSH.