Reverse Proxy vs One-Arm Reverse Proxy

Question

I am reading over the documentation https://help.fortinet.com/fweb/561/Content/FortiWeb/fortiweb-admin/planning_topology.htm and I need the benefits of Reverse Proxy; however, I do not understand how the One-Arm reverse proxy works. If everything is on the same network segment, then layer 2 frame will just forward out the interface it was seen from. However, there is some warnings about Inline Reverse Proxy, and non HTTP/HTTPS traffic. Does the One-Arm Reverse proxy works when protect servers will be on a different subnet. I imagined this would be installed In-line and create rules that ignore the policy engine when (a)specific server was in destination with (b)specific traffic port. The latter would be no different then forwarding traffic around the unit, but the link to documentation says something about Performance and security.

The One-Arm deployment seems like a number policy routes or virtual port forwarding would need to be created. Again, just even sure what the default gateway of servers and the inbound route direction of a One-Arm deployment would look like.

What or how have you folks deployed and can you offer any suggestions in deploying Reverse Proxy mode.

Thank you

Yurisk · Accepted Answer

They (Fortinet) over-complicated this topology by naming it separately - there is no "one arm with reverse proxy" mode of functioning for the FWB. It is just usual Proxy mode with a side-note that the real servers are located on the same network the FWB accepts incoming connections on. FWB hides the real servers from the client, never mind them being on the same network, by doing Source NAT - this way real servers see clients' connections coming with source IP of the FWB, and are configured to return traffic to the FWB as well and not via some router as default gateway.

E.g.

FWB listens on 10.10.10.1

Real servers are on: 10.10.10.2, 10.10.10.3

Admins publish the website example.com A record as 10.10.10.1

Client (IP of 10.10.10.10.100) enters example.com in the browser, her DNS resolves to 10.10.10.1 and FWB receives the client's request with the source IP of 10.10.10.100. Next, the FWB does source NAT replacing source IP of the request 10.10.10.100 with its own IP 10.10.10.1 and then sends it to servers 10.10.10.2/3, which reply accordingly to FWB to 10.10.10.1. On receiving the reply, FWB sends it to the client with the source IP of 10.10.10.1, everyone is happy.

Usually, when vendors speak of "one arm" topologies, they mean that the device is NOT actively participating in the clients' traffic. In FWB this is called Offline mode. IMO they just named it inappropriately in the docs.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded