fortimaster
Explorer III
October 14, 2024
Question

Can Fortigate establish TCP connection like a real Reverse proxy?

  • October 14, 2024
  • 2 replies
  • 4803 views

Hi all,

I have read some posts about trying to configure my FortiGate 600E like a reverse proxy. The posts are closed, and that is the reason why I am opening this one. I would like to emulate a reverse proxy to connect to internal servers (not DMZ servers) using my external firewall. I would like to know if the final connection to the real servers is established by the FortiGate or by the internet client. I'm not sure about this. I've posted this:

https://community.fortinet.com/t5/Support-Forum/Fortigate-SSL-Offloading-with-SNI/m-p/348745#M253392


Do you know if the TCP connection is established from the FortiGate? I'm not sure if in both cases it works like a real reverse proxy. I don't want direct TCP connections to the real servers from internet clients.

Thanks!!!


2 replies

AEK
SuperUser
October 14, 2024

Hi FortiMaster

As you may know, we usually use DNAT/VIP to publish servers. But if you want it like a reverse proxy, I guess you need to configure a proxy rule instead of a firewall rule. Well, I'm not sure and didn't test it, but I think you should dig in on that side.

AEK
fortimaster
Explorer III
October 14, 2024

Thanks AEK. Normally I use VIPs to publish web servers from my DMZ. But in this case, I want to publish web servers from my internal network and I don't want direct internet connections.

On the other hand, I want to publish some servers using the same IP and port. For that, the best way that I know is using a virtual server with host load balancing.


I could configure explicit proxy in the internal firewall to proxy traffic received from the external firewall, maybe? I have read that FortiGate doesn't recommend enabling explicit proxy on internet-connected interfaces.

fortimaster
Explorer III
October 15, 2024

Hi all, I have done several tests:

Test computer 3.3.3.3 --> Internet --> External firewall (1.1.1.1:443) --> Final server(2.2.2.2:8080).

In case 1 I tested with a normal VIP, in case 2 with a virtual server (reverse proxy?).

1) If I connect from my computer, on the internet, to public IP 1.1.1.1:443 mapped to an internal server 2.2.2.2 port 8080 (it's a VIP with deep inspection on the rule).

Result --> I see the source IP (3.3.3.3) on the final server with the same source port as the original TCP source port received on the external firewall.
Example: 3.3.3.3:5000 --> 1.1.1.1:443 --> Real server receives traffic from 3.3.3.3:5000

2) If I connect from my computer, on the internet, to public IP 1.1.1.1:443 mapped to an internal server 2.2.2.2 port 8080 (it's a virtual server balanced by host FQDN that maps public IP port 443 to port 8080 on the internal server, with deep inspection on the rule):

Result --> I see the source IP (3.3.3.3) on the final server with a different source port than the original TCP source port received on the external firewall.

Example: 3.3.3.3:5000 --> 1.1.1.1:443 --> Real server receives traffic from 3.3.3.3:3450

The summary is that the source port changes when I use a virtual server with the host balancing method. This means that the FortiGate acts as a reverse proxy, maybe?


Thanks
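As an added illustration (not from fortimaster's tests or any Fortinet code), this script reproduces the comparison behind cases 1 and 2: take the client tuple the firewall saw on its WAN side and the peer tuple the backend server sees (parsed here from `ss -tn` output), and say whether the firewall only translated the client's own TCP session or opened a new one itself. The FortiGate internal address 10.0.0.1 and the `ss` output are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
# Assumption (constructed): the FortiGate interface address facing the internal server.
FGT_INTERNAL_IP = "10.0.0.1"

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

def classify(client: Endpoint, peer: Endpoint, fgt_ip: str = FGT_INTERNAL_IP) -> str:
    """Compare the client tuple seen at the firewall with the peer the backend sees.
    proxied  -> peer is the FortiGate: it opened its own TCP session (reverse proxy)
    dnat     -> same IP and port: plain VIP/DNAT, the client's TCP session reaches the server
    dnat+pat -> client IP kept, source port rewritten: still the client's session, not a proxy
    other    -> some other address (e.g. an SNAT pool); inspect further
    """
    if ip_address(peer.ip) == ip_address(fgt_ip):
        return "proxied"
    if peer.ip == client.ip:
        return "dnat" if peer.port == client.port else "dnat+pat"
    return "other"

def peers_from_ss(ss_output: str, local_port: int) -> list[Endpoint]:
    """Peer tuples of ESTAB sockets on local_port, parsed from `ss -tn` text."""
    peers = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or non-established socket
        lport = int(fields[3].rsplit(":", 1)[1])
        peer_ip, pport = fields[4].rsplit(":", 1)
        if lport == local_port:
            peers.append(Endpoint(peer_ip, int(pport)))
    return peers

# Constructed `ss -tn` output as it might look on the 2.2.2.2:8080 backend:
# the two observations from the thread's tests plus one genuinely proxied session.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      2.2.2.2:8080       3.3.3.3:5000
ESTAB 0      0      2.2.2.2:8080       3.3.3.3:3450
ESTAB 0      0      2.2.2.2:8080       10.0.0.1:41022
ESTAB 0      0      2.2.2.2:22         192.0.2.10:55000
"""

if __name__ == "__main__":
    client = Endpoint("3.3.3.3", 5000)  # the client tuple seen on the firewall's WAN side
    for peer in peers_from_ss(SAMPLE_SS, 8080):
        print(f"{peer.ip}:{peer.port} -> {classify(client, peer)}")
```

Only a "proxied" result means the backend never talks TCP to the internet client directly; a changed source port alone does not prove that.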

AEK
SuperUser
October 15, 2024

Hi FortiMaster

No, with a reverse proxy you should see on the back-end server that the request arrives with the FGT IP as source.

Can you try the following two tests?

  • Case 3: Use a VS (Virtual Server) with a firewall rule in proxy-based inspection mode
  • Case 4: Use a VS with a proxy rule instead of a firewall rule. You'll need to enable explicit proxy under System > Feature Visibility
AEK
fortimaster
Explorer III
October 15, 2024

Thanks for your help AEK!!

I am checking because I misinterpreted the source ports. I think they don't change in any case, so I think there is no reverse proxy connection with a virtual server balancing with the HTTP method.

--> Case 3: I see the original IP from the internet client too (obviously without NAT in the rule).

--> Case 4: I'm not sure if I will be able to do that because it is a directly internet-connected interface, with some IPs. But it is a great idea. In any case, I had read that it is not recommended to enable proxy on internet-facing interfaces. If I can I'll try it, or maybe by bypassing internet traffic from the external firewall to the internal firewall with explicit proxy enabled on my DMZ interface.

In any case, I don't understand why they call a virtual server a reverse proxy, when it simply balances traffic to the destination server, in the links I attached to this thread.