Description: This article describes how to configure an SSL VPN interface as an explicit proxy on a FortiGate.
Scope: FortiGate.
Solution:
Some examples of when this is necessary are as follows:
The process discussed here includes a proxy chaining example configured for both local subnets and SSL VPN subnets.
Split tunneling, which forces specific applications (e.g. Office 365) out through the local gateway, should continue to function as expected, since it is a feature of the SSL VPN tunnel configuration.
Additionally, the procedure discussed below is intended for Windows clients only. It has not been tested or verified on Mac or Linux clients. Please note that example connect/disconnect scripts are provided for both Mac and Linux for reference purposes only. They have not been tested or validated.
It is assumed that a functional Explicit Proxy configuration is already in place on the FortiGate.
The procedure to support this functionality is split into two sections:
Diagram of configuration used:
The explicit proxy settings below should apply to FortiOS versions 6.4 and higher.
All of these features can be enabled via the GUI, but certain configurations must be done via the CLI. Note: these settings are required; omitting any of them will cause issues in the final state.
The CLI configs are summarized as follows:
    config web-proxy global
        set learn-client-ip enable
        set learn-client-ip-from-header x-forwarded-for
        set learn-client-ip-srcaddr "all"
    end

    config web-proxy profile
        edit "Proxy_Profile"
            set header-client-ip add
            set header-via-request add
            set header-via-response add
            set header-x-forwarded-for add
            set header-front-end-https add
            set header-x-authenticated-user add
            set header-x-authenticated-groups add
            set log-header-change enable
            config headers
                edit 1
                    set name "client-ip"
                    set content "$client-ip"
                next
                edit 2
                    set name "Proxy-Name"
                    set content "$proxy_name"
                next
                edit 3
                    set name "user"
                    set content "$user"
                next
                edit 4
                    set name "domain"
                    set content "$domain"
                next
                edit 5
                    set name "local_grp"
                    set content "$local_grp"
                next
                edit 6
                    set name "remote_grp"
                    set content "$remote_grp"
                next
                edit 7
                    set name "Via"
                    set content "Fortigate-Proxy"
                next
            end
        next
    end

    config firewall proxy-policy
        edit 1
            set name "Explicit_Proxy_Policy"
            set proxy explicit-web
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "FSSO_Users" "SSL_VPN_Users"
            set webproxy-forward-server "Forward_Proxy"
            set webproxy-profile "Proxy_Profile"
            set utm-status enable
            set ssl-ssh-profile "Explicit_Proxy_Deep"
            set webfilter-profile "Proxy_Allow_All"
        next
    end

    config system interface
        edit "ssl.Lab"
            set ip 10.212.134.254 255.255.255.255
            set explicit-web-proxy enable
        next
    end
Details on each of the sections above are as follows:
config web-proxy global: Alters the global behavior of the explicit proxy and enables the features needed to forward specific client-IP information and to supply any certificates required for proxy connectivity.
config web-proxy profile: Defines the header information that the proxy profile must forward to the upstream chained proxy.
config firewall proxy-policy: Defines the access policies that permit traffic from the explicit proxy to internal or external resources, including identity-based requirements such as the user groups shown in the example.
config system interface: Enables explicit proxy functionality on the required interfaces. Built-in interfaces can have it enabled in the GUI, but the SSL VPN interface must be configured via the CLI; the required settings for the ssl.<vdom> interface are those shown in the config system interface block above.
The GUI configurations are summarized as follows:
Feature visibility to enable ‘Explicit Proxy’:
Explicit Web Proxy (Global):
Web Proxy Forward Server:
Web Proxy Profile: All configuration must be done in the CLI (see the commands above).
Web Filter Profile:
Firewall Proxy Policies:
Notes:
The above configurations should allow devices behind the downstream proxy device to connect to the upstream proxy server. The FortiGate will then forward traffic to the chained proxy server per the configured proxy policies. The upstream proxy device will scan traffic using the configured UTM profiles and allow traffic to flow out to the internet as configured.
If the SSL VPN configuration is not updated to assert the needed system proxy settings during the SSL VPN connection, the explicit proxy will generate an error indicating no proxy can be found. The same error is seen when trying to manually add the SSL VPN system proxy settings before SSL VPN connections are made.
To get around this limitation, it is necessary to leverage the ‘on connect’ and ‘on disconnect’ script features available in the FortiClient EMS server.
Example configs for the needed scripts are shown below:
Windows ‘On Connect’ Script:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d 10.212.134.254:8080 /f
Windows ‘On Disconnect’ script:
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
Script options are also configurable for macOS and Linux clients. Example scripts for macOS and Linux follow (note: these are untested in the lab but should work).
macOS

Replace "Ethernet" with the network service name actually in use on the client (for example "Wi-Fi").

Logon Script:
    networksetup -setwebproxy "Ethernet" 10.212.134.254 8080
    networksetup -setwebproxystate "Ethernet" on
    networksetup -setsecurewebproxy "Ethernet" 10.212.134.254 8080
    networksetup -setsecurewebproxystate "Ethernet" on

Logoff Script:
    networksetup -setwebproxystate "Ethernet" off
    networksetup -setsecurewebproxystate "Ethernet" off

Linux (GNOME)

Connect Script:
    gsettings set org.gnome.system.proxy.http host '10.212.134.254'
    gsettings set org.gnome.system.proxy.http port 8080
    gsettings set org.gnome.system.proxy.https host '10.212.134.254'
    gsettings set org.gnome.system.proxy.https port 8080
    gsettings set org.gnome.system.proxy mode 'manual'

Disconnect Script:
    gsettings reset org.gnome.system.proxy.http host
    gsettings reset org.gnome.system.proxy.http port
    gsettings reset org.gnome.system.proxy.https host
    gsettings reset org.gnome.system.proxy.https port
    gsettings set org.gnome.system.proxy mode 'none'
In the FortiClient EMS GUI, the configuration is as shown (Windows scripts only):
When accessing the SSL VPN tunnel, the scripts will run during the connection process and the system proxy settings will be properly updated.
Examples of the effect of the ‘On Connect’ and ‘On Disconnect’ scripts are shown below in a lab Windows 11 Pro workstation.
System Proxy settings before SSL VPN connection:
System Proxy Settings after SSL VPN connection:
When accessing the internet, the traffic is flowing through the Explicit proxy on the SSL VPN connection towards the upstream proxy as expected.
PCAP summary on SSL VPN Interface:
PCAP Summary on an Internet connection to upstream chained proxy:
Note the modified HTTP headers as the traffic egresses toward the upstream proxy: the X-Forwarded-For header, along with the other fields specified earlier, is visible in the traffic.
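The header check described above can be scripted on the upstream side. The Python below is an added example, not part of the article or of any Fortinet product: it parses a constructed HTTP request modelled on what the upstream chained proxy receives (the header names are those configured in the article's web-proxy profile; the values, the downstream address 203.0.113.10 and the user LAB\jdoe are made up), confirms that every expected header is present and that Via carries the configured Fortigate-Proxy value, and recovers the originating VPN client address and user. It only interprets client-identifying headers when the request arrives from the downstream FortiGate's address, the upstream-side counterpart of the learn-client-ip-srcaddr setting shown earlier; an X-Forwarded-For header from any other peer is ignored.

```python
"""Validate the chained-proxy headers an upstream proxy receives from the FortiGate.

Added example; not from the article or from Fortinet.  SAMPLE_REQUEST is a
constructed request using the header names configured in the article's
web-proxy profile.  TRUSTED_DOWNSTREAM is a placeholder for the FortiGate's
egress address as the upstream proxy sees it.
"""
from ipaddress import ip_address, ip_network

TRUSTED_DOWNSTREAM = ip_network("203.0.113.10/32")  # placeholder, not from the article

# Header names the article's profile adds (compared case-insensitively).
EXPECTED_HEADERS = ("x-forwarded-for", "client-ip", "via", "proxy-name", "user", "domain")

SAMPLE_REQUEST = (  # constructed sample; values other than 'Fortigate-Proxy' are made up
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "X-Forwarded-For: 10.212.134.1\r\n"
    "client-ip: 10.212.134.1\r\n"
    "Via: Fortigate-Proxy\r\n"
    "Proxy-Name: FGT-Lab\r\n"
    "user: jdoe\r\n"
    "domain: LAB\r\n"
    "\r\n"
)


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into its request line and a header map.

    Header names are lower-cased; repeated headers are joined with ", ", so a
    multi-hop X-Forwarded-For keeps its left-to-right order.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        headers[name] = f"{headers[name]}, {value.strip()}" if name in headers else value.strip()
    return request_line, headers


def check_chained_headers(raw: str, peer_ip: str) -> dict:
    """Return what the upstream proxy can safely conclude about one request."""
    request_line, headers = parse_request(raw)
    trusted = ip_address(peer_ip) in TRUSTED_DOWNSTREAM
    result = {
        "request_line": request_line,
        "missing": [h for h in EXPECTED_HEADERS if h not in headers],
        "trusted_downstream": trusted,
        "via_is_fortigate": headers.get("via") == "Fortigate-Proxy",
        "client_ip": None,
        "vpn_user": None,
    }
    # Client-identifying headers can be set by anyone who is not the downstream
    # FortiGate, so only interpret them when the peer is that trusted address.
    if trusted:
        xff = headers.get("x-forwarded-for")
        if xff:
            # Left-most entry is the originating client; later entries are proxies.
            result["client_ip"] = xff.split(",")[0].strip()
        if "user" in headers and "domain" in headers:
            result["vpn_user"] = f"{headers['domain']}\\{headers['user']}"
    return result


if __name__ == "__main__":
    for peer in ("203.0.113.10", "198.51.100.7"):
        print(peer, check_chained_headers(SAMPLE_REQUEST, peer))
```

Run as-is it evaluates the same request once from the trusted downstream address and once from an unrelated peer; only the first yields a client address and user, which is the behaviour an upstream proxy log enrichment should have.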
Conclusion: An SSL VPN interface can be successfully configured as an explicit proxy interface, and the required HTTP header details can be forwarded upstream to the chained proxy when needed.
Copyright 2024 Fortinet, Inc. All Rights Reserved.