The Network Controller must be addressable for the clients to reach it to attach and make dial attempts. It can be a FQDN or a bare IP. Other than that, all the firewall rules need to be outbound only. The tunnelers and Edge Routers will connect to the controller outbound, and maintain the connections that need to be persistent. If you want the traffic to be localized in the LAN but still over OpenZiti, you will need an Edge Router inside the LAN. The control traffic will still flow to the controller, but the data plane would remain between the initiating tunneler, the local Edge Router, and the terminating tunneler (or the Edge Router; it could service that traffic itself, but then the port would have to be open on the Edge Router).
All of that said, what are you really testing? OpenZiti, or some application you want to be reachable? Zrok (zrok.io) may be an option for you, which is built on OpenZiti, but is less work to operate.
If you can explain what you want to achieve, it would be easier to help.
I'm testing a web page which is hosted in the LAN (locally) and which is only accessible via VPN. So I want to achieve it using Ziti Desktop instead of a VPN client.
testpage.ziti is accessible in the LAN. So I need some help on how to access it publicly, using a tunneler of course.
This has been done in the LAN. Just asking how an edge client sitting on another network (let's say at home) is able to access a server (like testpage.ziti) located in the office.
Gotcha. I think this is where @gormami was going: You need the controller and at least one edge router accessible over the Internet (from both your home, running Ziti Desktop Edge, and from the network hosting the server). This article gives an overview of how to host a controller and edge router in Oracle public cloud's free tier, which you may find helpful.