orani
New Member
July 11, 2019
Question

Reverse Proxy - HTTPS to HTTPS

  • July 11, 2019
  • 3 replies
  • 27753 views

I am trying to use the load balancing module as a reverse proxy.

My goal is to protect the OWA of my Exchange server.

So, when I create a virtual server for HTTP (any port) from my external IP to any internal web server using HTTP (real server), and also create the necessary IPv4 policy, it works fine.

But when I try to create a virtual server for HTTPS (any port) or HTTP (any port) from my external IP to my Exchange server using HTTPS (real server), and also create the necessary IPv4 policy, it doesn't work.

When I try the URL https://mypublicip or https://mypublicip:port from a browser, I get the browser's certificate warning, and when I hit continue I receive an "empty response" error. When I try http://mypublicip or http://mypublicip:port, I get "connection refused" or "connection timed out" in my browser.

Ideally I would like to configure the HTTPS-to-HTTPS scenario. I am a little bit confused about the certificates I have to use.

When Microsoft Exchange Server is installed, a self-signed certificate is created. Is this the certificate I have to use on the firewall as well (export from the Exchange server and import into the firewall)?

Any ideas?


    hubertzw
    New Member
    July 12, 2019

    I see you are doing SSL full inspection with the Fortinet CA. There are a few options depending on what you are trying to achieve:

    1) stop SSL full inspection for this flow

    2) install the Fortinet CA on all computers

    3) change the Fortinet CA to your own CA if you have a local certificate authority

    orani
    orani (Author)
    New Member
    July 12, 2019

    hubertzw wrote:

    > I see you are doing SSL full inspection with the Fortinet CA. There are a few options depending on what you are trying to achieve:
    >
    > 1) stop SSL full inspection for this flow
    >
    > 2) install the Fortinet CA on all computers
    >
    > 3) change the Fortinet CA to your own CA if you have a local certificate authority

    1. In the IPv4 policy I either have no SSL inspection, or I have a profile with the Fortinet CA certificate and SSL certificate inspection; and in the virtual server configuration I have either full offloading or client<-->FGT. I get the same result either way.

    2. It is impossible to install the certificate on all computers, because our mail users also use OWA from their homes, so it is very difficult to install the certificate there. But even when I tried it on my laptop I couldn't access the server. Same response.

    3. I don't have any other certificate except the self-signed certificate of the Microsoft Exchange server.

    hubertzw
    New Member
    July 12, 2019

    When your policy doesn't have any SSL inspection and you see in the logs that you are matching that one, you can't be seeing the Fortinet CA certificate. Something must be wrong. Can you verify it?

     

    What is your NAT mode? Policy or central NAT?

     

    Just in case: for incoming traffic a different SSL profile is required - "protect server" (or something similar), not "multiple clients to multiple servers".

     

    orani
    orani (Author)
    New Member
    July 12, 2019

    I use policy NAT. Looking for logs for the specific policy, I find this:

    General: Date 2019/07/12, Time 12:27:49, Duration 120s, Session ID 8003441, Virtual Domain root, NAT Translation Source & Destination
    Source: IP my home public ip, NAT IP 192.168.1.251 (firewall IP, internal interface), Source Port 51562, Country/Region Greece, Source Interface VDSL 50 Mbps - Secondary (wan2), User (blank)
    Destination: IP my public ip, NAT IP 192.168.1.241, Port 443, Country/Region Greece, Destination Interface Internal (port1)
    Application Control: Application Name (blank), Category unscanned, Risk undefined, Protocol 6, Service HTTPS
    Data: Received Bytes 596 B, Received Packets 7, Sent Bytes 513 B, Sent Packets 6
    Action: Action Accept: session close, Policy test rp (73), Policy UUID 3fd56bc2-a2f7-51e9-6327-3e357d61a979, Policy Type policy
    Security: Level (blank), Cellular (blank), Service HTTPS
    Other: Sub Type forward, Log event original timestamp 1562923669, Source Interface Role wan, Destination Interface Role undefined

    I see that the traffic is accepted by the firewall, but I get a "session close".

    I don't have any "protect server" profile.

    Looking at the logs, I understand that the traffic is passing the firewall, but why do I receive a session close?
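The configuration this thread is circling around, written out as an added FortiOS CLI example (it is not from any post above, and the CLI syntax is from FortiOS 6.x as I know it; check it against your own version). The real server 192.168.1.241:443, interfaces wan2 and port1, and policy 73 "test rp" are taken from the log record above; the object names "owa-vs" and "owa-cert" and the public IP 203.0.113.10 are assumptions. The "#" lines are annotations, not CLI input, and must be dropped before pasting.

```text
# Added example: server-load-balance virtual server, HTTPS in, HTTPS out.
# ssl-mode full terminates TLS on the FortiGate with "owa-cert" and opens a
# new TLS session to the real server; "half" would send plaintext HTTP to
# Exchange on 443, which OWA does not accept.
config firewall vip
    edit "owa-vs"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "wan2"
        set extport 443
        set ldb-method static
        set ssl-mode full
        set ssl-certificate "owa-cert"
        config realservers
            edit 1
                set ip 192.168.1.241
                set port 443
                set status active
            next
        end
    next
end

# Policy 73 from the log, with NO ssl-ssh-profile: the virtual server already
# terminates TLS, so a client-side re-signing profile is not needed here and
# would make browsers see the Fortinet CA instead of "owa-cert".
config firewall policy
    edit 73
        set name "test rp"
        set srcintf "wan2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "owa-vs"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Two things worth checking against this. First, the logged session is 7 packets in and 6 out, about 600 bytes each way, and then "session close": that is the size of a TCP handshake plus a TLS ClientHello and a failed or aborted handshake, not an HTTP exchange, so the "empty response" is a TLS problem on the virtual server, not a routing or policy problem. Second, "owa-cert" is what home users' browsers will see; the Exchange self-signed certificate can be imported and will make the proxy work, but every client will keep getting the warning. For an internet-facing OWA the certificate bound to the virtual server should be issued by a publicly trusted CA for the public hostname, and clients should connect by that hostname, not by IP.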

    JermaineBarrera
    New Member
    September 27, 2023

    Firstly, regarding the certificates, you can actually use the self-signed certificate created by Microsoft Exchange server. Just export it from the server and import it into your firewall. This will ensure a secure connection between your proxy service and the Exchange server. If you're still having problems after configuring the certificates correctly, double-check your virtual server and IPv4 policies. Make sure they're set up correctly for both HTTP and HTTPS. By the way, I wanted to mention a helpful resource called proxys.io. They have great insights and solutions for proxy services. You might find them useful for additional guidance.
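Before importing an exported certificate into the firewall it is worth checking that it actually covers the public OWA hostname and is not expired, because either mistake reproduces the "certificate warning, then empty response" symptom from the original post. The script below is an added example, not from anyone in this thread: it assumes the certificate has been exported from Exchange as a password-protected PKCS#12 file (Exchange's Export-ExchangeCertificate produces one) and that openssl 1.1.1 or later is installed. The file name, password and hostname are placeholders.

```bash
#!/usr/bin/env bash
# Added example: sanity-check an exported Exchange certificate (PKCS#12/PFX)
# before importing it into the FortiGate virtual server.
set -eu

# check_owa_cert PFX PASSWORD HOSTNAME
# Returns 0 when the certificate inside PFX lists HOSTNAME in its SAN and is
# still valid today, 1 otherwise (including a wrong password or unreadable file).
check_owa_cert() {
  local pfx="$1" pass="$2" host="$3" pem
  pem="$(mktemp)"

  # Pull out only the end-entity certificate; the key stays in the PFX.
  if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$pem" >/dev/null 2>&1; then
    rm -f "$pem"
    return 1
  fi

  # Browsers match the hostname against the SAN entries, not the CN, so a
  # certificate whose CN is the internal server name and whose SAN lacks the
  # public name will warn no matter what the CN says.
  if ! openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$host"; then
    rm -f "$pem"
    return 1
  fi

  # -checkend 0: exit status 1 if the certificate is already expired.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    rm -f "$pem"
    return 1
  fi

  rm -f "$pem"
  return 0
}

# Usage: ./check_owa_cert.sh owa.pfx 'export-password' mail.example.com
if [ "$#" -eq 3 ]; then
  if check_owa_cert "$1" "$2" "$3"; then
    echo "OK: certificate covers $3 and is not expired"
  else
    echo "FAIL: certificate does not cover $3, is expired, or could not be read" >&2
    exit 1
  fi
fi
```

If this reports FAIL for the hostname users will type, importing the certificate will not fix the browser warning; request a certificate for that name (with the autodiscover name in the SAN as well, if it is used) and bind that one to the virtual server instead.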