Technical Tip: Configuring explicit web proxy with FSSO

Staff & Editor
March 25, 2015
Description
This article describes how to configure FortiGate to act as an explicit web proxy.
FSSO, as passive authentication, is used to collect user logon events from Active Directory.

Related link:
Explicit proxy authentication

 

Scope

 

FortiGate.

Solution

 

The FortiGate acts as an Explicit Web Proxy granting Internet Access to FSSO users. Settings displayed here are an example.
Fortinet Single Sign-On settings:
  
 
 
  1. Enable Explicit Proxy.

 

From GUI:
Go to System -> Feature Visibility.

From CLI:

 

config system settings
    set gui-explicit-proxy enable
end

 

  2. Enable Explicit Web Proxy.


From GUI:
Go to Network -> Explicit Proxy -> Enable Web Proxy. Select the Interface on which to listen.

From CLI:

 

config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

 

  3. Create an Authentication Scheme.

config authentication scheme
    edit "NewFSSO"
        set method fsso
    next
end
 
  4. Create an Authentication Rule.

config authentication rule
    edit "AuthRule"
        set srcaddr "WindowsAD" "WindowsCLIENT"          <----- Source addresses this rule matches.
        set sso-auth-method "NewFSSO"
    next
end
 
 
Note:
 
On FortiGate devices with 2 GB RAM running FortiOS v7.4.10 or later, the CLI commands 'config authentication scheme' and 'config authentication rule' are no longer available, because this functionality was tied to the proxy feature set, which was removed. See Technical Tip: Authentication feature missing after firmware upgrade to v7.4.10 and above for FortiGate hardware model (< 2GB).
 
Related document:
 
  5. Create a proxy policy.

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Group1"                         <----- Created in step 1.
    next
end
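Steps 1 to 5 only work as a chain: the authentication rule must hand the same source addresses the proxy policy accepts to a scheme whose method is fsso, and the proxy policy must be of type explicit-web and restrict access to an FSSO group. The script below is an added example (not from the article or from Fortinet) that parses FortiOS-style CLI blocks and checks those references. The sample configuration is constructed from the article's own snippets; the object names "NewFSSO", "AuthRule", "WindowsAD", "WindowsCLIENT" and "FSSO_Group1" come from the article, and the parser only understands the config / edit / set / next / end keywords used there.

```python
import shlex

# Constructed sample assembled from the article's CLI snippets (steps 2 to 5).
SAMPLE_CONFIG = """
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end
config authentication scheme
    edit "NewFSSO"
        set method fsso
    next
end
config authentication rule
    edit "AuthRule"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set sso-auth-method "NewFSSO"
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Group1"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS-style CLI blocks into {table: {entry: {key: [values]}}}.
    Settings placed directly under 'config' (no 'edit') go under entry ''."""
    tables = {}
    table, entry = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # shlex keeps quoted object names together
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = " ".join(args)
            entry = ""
            tables.setdefault(table, {}).setdefault(entry, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            table, entry = None, ""
    return tables


def check_explicit_proxy_fsso(tables):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    proxy = tables.get("web-proxy explicit", {}).get("", {})
    if proxy.get("status") != ["enable"]:
        findings.append("explicit web proxy is not enabled (set status enable)")

    schemes = tables.get("authentication scheme", {})
    rules = tables.get("authentication rule", {})
    policies = tables.get("firewall proxy-policy", {})

    covered = set()  # source addresses that some rule sends to an FSSO scheme
    for name, rule in rules.items():
        if not name:
            continue
        scheme_name = rule.get("sso-auth-method", [None])[0]
        scheme = schemes.get(scheme_name)
        if scheme is None:
            findings.append(f"rule {name}: sso-auth-method {scheme_name!r} does not exist")
        elif scheme.get("method") != ["fsso"]:
            findings.append(f"rule {name}: scheme {scheme_name} does not use 'set method fsso'")
        else:
            covered.update(rule.get("srcaddr", []))

    for name, pol in policies.items():
        if not name:
            continue
        if pol.get("proxy") != ["explicit-web"]:
            findings.append(f"policy {name}: proxy type is not explicit-web")
        if not pol.get("groups"):
            findings.append(f"policy {name}: no 'set groups', access is not restricted to FSSO users")
        if "all" in covered:
            continue  # a rule matching "all" authenticates every source
        for addr in pol.get("srcaddr", []):
            if addr not in covered:
                findings.append(f"policy {name}: srcaddr {addr} is matched by no FSSO authentication rule")
    return findings


def lint(text):
    return check_explicit_proxy_fsso(parse_fortios(text))


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG) or ["OK: scheme -> rule -> proxy policy chain is consistent"]:
        print(line)
```

Run it against a `show full-configuration` export limited to these four tables; a source address that appears in the proxy policy but in no authentication rule is the usual reason FSSO users from one subnet reach the proxy while others are silently refused.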

 

  6. Configure the Browser/System for Explicit Web Proxy.
 
 
  7. Add the certificate and root CA to the host to avoid getting certificate errors.

  8. Monitoring.
 
 
diagnose firewall auth list
diagnose wad user list

In this output, g_id and pol_id are dynamic and can change when other policies with different address objects are hit.

The CLI output is informative, but the same user, address and policy combination is also shown in the GUI, under the Monitoring widget (6.4 and later) or the Monitoring section (6.2 and lower).
 
 

Troubleshooting Tip: If proxy users from the remote site cannot access the internet, examine the authentication rule. If required, use the SDWAN interface as the incoming interface to verify access.

 

Related article:

Technical Tip: FSSO advanced mode with explicit proxy