This article describes how to configure an SSL VPN interface as an explicit proxy on a FortiGate.
Scope
FortiGate.
Solution
Some examples of when this is necessary are as follows:
An explicit proxy is required for all users whether they are local or remote.
Proxy chaining is required from all remote office connections (including SSL VPN) to the HQ firewall.
Proxy chaining is needed to support browser isolation or additional proxy requirements.
The process discussed here includes a proxy chaining example configured for both local subnets and SSL VPN subnets.
Local users are configured to use a local explicit Proxy on a local subnet used to support local user connectivity.
Remote users connect to the firewall via SSL VPN.
All web browsing UTM actions are supported on the upstream chained proxy server.
No PAC file is used in the following config.
For devices that move between office and remote, PAC files may be of use.
Split tunneling, which sends specific applications (e.g. Office 365) out through the local gateway instead of the tunnel, should also continue to work as expected, since it is a feature of the SSL VPN tunnel configuration rather than of the proxy.
Additionally, the procedure discussed below is intended for Windows clients only. It has not been tested or verified on Mac or Linux clients. Please note that example connect/disconnect scripts are provided for both Mac and Linux for reference purposes only.
They have not been tested or validated.
It is assumed that a functional Explicit Proxy configuration is already in place on the FortiGate.
The procedure to support this functionality is split into two sections:
FortiGate configurations.
FortiClientEMS and FortiClient Windows configurations.
Diagram of configuration used:
FortiGate Configurations: HQ firewall:
The explicit proxy settings below should apply to FortiOS versions 6.4 and higher.
Most of these features can be enabled via the GUI, but certain settings (marked in bold) must be configured via the CLI. Note: apply these settings exactly as shown, because leaving any of them out will cause problems in the final state.
The CLI configs are summarized as follows:
config web-proxy global
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
end
config web-proxy profile
    edit "Proxy_Profile"
        set header-client-ip add
        set header-via-request add
        set header-via-response add
        set header-x-forwarded-for add
        set header-front-end-https add
        set header-x-authenticated-user add
        set header-x-authenticated-groups add
        set log-header-change enable
        config headers
            edit 1
                set name "client-ip"
                set content "$client-ip"
            next
            edit 2
                set name "Proxy-Name"
                set content "$proxy_name"
            next
            edit 3
                set name "user"
                set content "$user"
            next
            edit 4
                set name "domain"
                set content "$domain"
            next
            edit 5
                set name "local_grp"
                set content "$local_grp"
            next
            edit 6
                set name "remote_grp"
                set content "$remote_grp"
            next
            edit 7
                set name "Via"
                set content "Fortigate-Proxy"
            next
        end
    next
end
config firewall proxy-policy
    edit 1
        set name "Explicit_Proxy_Policy"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "FSSO_Users" "SSL_VPN_Users"
        set webproxy-forward-server "Forward_Proxy"
        set webproxy-profile "Proxy_Profile"
        set utm-status enable
        set ssl-ssh-profile "Explicit_Proxy_Deep"
        set webfilter-profile "Proxy_Allow_All"
    next
end
config system interface
    edit "ssl.Lab"
        set ip 10.212.134.254 255.255.255.255
        set explicit-web-proxy enable
    next
end
Details on each of the sections above are as follows:
config web-proxy global <----- This section alters the global behavior of the explicit proxy and enables the features needed to forward the client IP information, and any certificates required for proxy connectivity, to the upstream proxy.
config web-proxy profile <----- This section defines the header information that is forwarded to the upstream chained proxy, in the proxy profile that the proxy policy references.
For reference, all available headers have been enabled in this example. Not all may be required depending on the configuration needs.
The config headers entries define the additional fields and values inserted into the HTTP headers sent to the upstream proxy, so that its requirements can be met.
config firewall proxy-policy <-----This section defines access policies needed to properly permit traffic from the explicit proxy to internal or external resources. This includes the ability to specify identity-based requirements as shown in the example.
Policy 1 permits access to the upstream proxy and enables deep inspection (via the ssl-ssh-profile) so that traffic can also be inspected on the HQ firewall if needed.
config system interface <----- This section assigns the required settings to the relevant interfaces. Built-in interfaces can have explicit proxy functionality enabled in the GUI; the SSL VPN interface must be configured via the CLI. The required settings for the ssl.<vdom> interface are summarized as follows:
Assign an IP address from the SSL VPN IP pool to the ssl.<vdom> interface. This is needed for the explicit proxy to behave as expected on that interface.
Ensure that the ‘explicit-web-proxy’ feature is enabled on this interface.
The GUI configurations are summarized as follows:
Feature visibility to enable ‘Explicit Proxy’:
Explicit Web Proxy (Global):
Web Proxy Forward Server:
Web Proxy Profile:
All configuration must be done in the CLI (see the commands above).
Web Filter Profile:
Firewall Proxy Policies:
Notes:
As detailed above, the ‘Web-proxy profile’ must be specified via the CLI.
Other configurations as noted above may need to be done via the CLI as well. Verify all settings in the CLI before connecting to the upstream chained proxy device.
The above configurations should allow devices behind the downstream proxy device to connect to the upstream proxy server.
The FortiGate will then forward traffic to the chained proxy server per the configured proxy policies. The upstream proxy device will scan traffic using the configured UTM profiles and allow traffic to flow out to the internet as configured.
FortiClientEMS Configurations for SSL VPN Client.
If the SSL VPN configuration is not updated to assert the needed system proxy settings during the SSL VPN connection, the explicit proxy will generate an error indicating no proxy can be found. The same error is seen when trying to manually add the SSL VPN system proxy settings before SSL VPN connections are made.
To get around this limitation, it is necessary to leverage the ‘on connect’ and ‘on disconnect’ script features available in the FortiClient EMS server.
Example configs for the needed scripts are shown below:
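The Windows variant of the two scripts can be written in PowerShell; the block below is an added example, not the article's own EMS scripts. It assumes EMS runs the ‘On Connect’/‘On Disconnect’ script in the logged-in user's context (so the HKCU Internet Settings keys apply), uses the article's proxy address 10.212.134.254:8080, and the ‘<local>’ bypass list is an assumption to be aligned with the split-tunnel design.

```powershell
# Added example (not the article's EMS scripts): set or clear the per-user Windows
# system proxy so browsers use the explicit proxy on the SSL VPN interface.
# Usage: -Action Connect in the EMS 'On Connect' script, -Action Disconnect in
# 'On Disconnect'. Assumes the script runs in the logged-in user's context (HKCU).
param(
    [Parameter(Mandatory)][ValidateSet('Connect', 'Disconnect')][string]$Action,
    [string]$ProxyServer = '10.212.134.254:8080',   # ssl.<vdom> address and proxy port
    [string]$Bypass = '<local>'                     # assumption: bypass proxy for local hosts
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# WinINet must be told that the settings changed; otherwise browsers that are
# already running keep the old (no-proxy) configuration until restarted.
if (-not ('WinInet.Native' -as [type])) {
    Add-Type -Namespace WinInet -Name Native -MemberDefinition @'
[DllImport("wininet.dll", SetLastError = true)]
public static extern bool InternetSetOption(IntPtr h, int opt, IntPtr buf, int len);
'@
}
function Update-WinInetProxy {
    $INTERNET_OPTION_SETTINGS_CHANGED = 39
    $INTERNET_OPTION_REFRESH = 37
    [void][WinInet.Native]::InternetSetOption([IntPtr]::Zero, $INTERNET_OPTION_SETTINGS_CHANGED, [IntPtr]::Zero, 0)
    [void][WinInet.Native]::InternetSetOption([IntPtr]::Zero, $INTERNET_OPTION_REFRESH, [IntPtr]::Zero, 0)
}

switch ($Action) {
    'Connect' {
        # On Connect: point the system proxy at the explicit proxy on the SSL VPN interface.
        Set-ItemProperty -Path $key -Name 'ProxyServer'   -Value $ProxyServer -Type String
        Set-ItemProperty -Path $key -Name 'ProxyOverride' -Value $Bypass -Type String
        Set-ItemProperty -Path $key -Name 'ProxyEnable'   -Value 1 -Type DWord
    }
    'Disconnect' {
        # On Disconnect: turn the proxy off so the client is not left pointing at an
        # address (10.212.134.254) that is unreachable once the tunnel is down.
        Set-ItemProperty -Path $key -Name 'ProxyEnable' -Value 0 -Type DWord
        Remove-ItemProperty -Path $key -Name 'ProxyServer', 'ProxyOverride' -ErrorAction SilentlyContinue
    }
}
Update-WinInetProxy

# Echo the resulting state so the EMS script output shows what was applied.
Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, ProxyOverride
```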
Script options are also configurable for MacOS and Linux clients. Example scripts for MacOS and Linux are as follows: (NOTE: These are untested in the lab, but should work.)
**********************MacOS**********************
Logon Script
# -setwebproxy takes <service> <host> <port> [authenticated]; the 4th argument is the
# authenticated-proxy flag, not an on/off switch, so it is 'off' here. Setting the proxy also enables it.
networksetup -setwebproxy "Ethernet" 10.212.134.254 8080 off
networksetup -setsecurewebproxy "Ethernet" 10.212.134.254 8080 off
Logoff Script
# The proxy is disabled with the *state subcommands, not by passing 'off' to -setwebproxy.
networksetup -setwebproxystate "Ethernet" off
networksetup -setsecurewebproxystate "Ethernet" off
************************Linux********************
Connect Script
gsettings set org.gnome.system.proxy.http host '10.212.134.254'
gsettings set org.gnome.system.proxy.http port 8080
gsettings set org.gnome.system.proxy.https host '10.212.134.254'
gsettings set org.gnome.system.proxy.https port 8080
gsettings set org.gnome.system.proxy mode 'manual'
Disconnect Script
gsettings reset org.gnome.system.proxy.http host
gsettings reset org.gnome.system.proxy.http port
gsettings reset org.gnome.system.proxy.https host
gsettings reset org.gnome.system.proxy.https port
gsettings set org.gnome.system.proxy mode 'none'
In the FortiClient EMS GUI, the configs are as shown (Windows scripts only):
When accessing the SSL VPN tunnel, the scripts will run during the connection process and the system proxy settings will be properly updated.
Examples of the effect of the ‘On Connect’ and ‘On Disconnect’ scripts are shown below in a lab Windows 11 Pro workstation.
System Proxy settings before SSL VPN connection:
System Proxy Settings after SSL VPN connection:
When accessing the internet, the traffic is flowing through the Explicit proxy on the SSL VPN connection towards the upstream proxy as expected.
PCAP summary on SSL VPN Interface:
PCAP Summary on an Internet connection to upstream chained proxy:
Note the presence of the modified HTTP headers as the traffic egresses toward the upstream proxy. The x-forwarded-for information along with the fields specified earlier is visible in the traffic.
Conclusion:
An SSL VPN interface can be successfully configured as an explicit proxy interface, and any required HTTP header details can be forwarded to the upstream proxy as well.
The process discussed here includes an example of proxy chaining configured for both local subnets and SSL VPN subnets. Local users can be configured to utilize a local explicit proxy on a local subnet, catering to local user connectivity.
Configuring an SSL VPN as an explicit proxy on a FortiGate is a valuable technique, particularly when dealing with specific network requirements. This setup proves beneficial in scenarios where an explicit proxy is needed for all users, whether they are local or remote. It also comes in handy when proxy chaining is necessary, especially for remote office connections, including SSL VPN connections to the HQ firewall.
-- Edited by SaymonSax on Thursday 1st of February 2024 11:45:42 AM