romain_krebs
New Member
August 23, 2017
Question

Authentication with transparent web proxy

  • August 23, 2017
  • 2 replies
  • 9005 views

Hi all, I have tried transparent web proxy in 5.6.2 and it works when there is no authentication. I have tried to implement Kerberos authentication with it but it seems the rule is not matched. Does someone know if Kerberos is supported with this mode? I haven't found it in the documentation. Regards,


    leo1
    New Member
    October 18, 2017

    Hi,

    Can I know what you did in your configuration? My transparent web proxy configuration is not working.

    I just followed the instructions on YouTube.

    Regards,

    wluo
    New Member
    October 23, 2017
    eenchev
    New Member
    March 14, 2018

    Hi,

    I am trying the same setup. It seems that transparent proxy is not working when the authentication is negotiate/Kerberos.

    Have you managed to find a solution to this?

    Thank you in advance.

    Cheers,

    Emil

    edit: As I read the guide more thoroughly it seems transparent proxy is working with SSO auth at the moment. This is working.

    Fishbone_FTNT
    Staff
    March 25, 2018

    Hey guys, don't know what you configured... you will probably need to activate Kerberos captive portal, in config authentication settings. It cannot work (well) in transparent web proxy mode without something on the way to ask for authentication.

    On the normal traffic, you have redirection to portal on port http tcp/1000 or https on tcp/1003. With explicit proxy, you have authentication already on header level, and authentication is done by proxy mechanisms (ok - with exception of form-based auth, which is in fact replacement message).

    This is transparent proxy. Transparent web proxy is in the flow perspective actually not behaving like proxy, it's transparent to the client, no proxy headers. Implementing replacements for Kerberos exchange inline, in the traffic would be ugly and complex to do, so we have the captive portal for that purpose.

    Just pure guess. Let me know if that was it, or share config snippets so we know where you are at with it.

    My 2c.

    Hth, Fishbone)(