FortiGate
nalexiou
Staff
Article Id 198187

Description
This article describes how to configure web proxy forwarding servers to use proxy chaining.

For the explicit web proxy, you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers.
Proxy chaining can be used to forward web proxy sessions from the FortiGate to one or more other proxy servers on the network or on a remote network.

It is possible to use proxy chaining to integrate the FortiGate explicit web proxy with a web proxy solution that is already in place.

A FortiGate can forward sessions to most web proxy servers including a remote FortiGate with the explicit web proxy enabled.
No special configuration of the explicit web proxy on the remote FortiGate is required.

It is possible to deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office.
If each office has a FortiGate, users at each of the satellite offices can use their local FortiGate as an explicit web proxy server.

The satellite office FortiGate can forward explicit web proxy sessions to an explicit web proxy server at the central office.
From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support web proxies in the proxy chain authenticating each other.

Related document:
https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/593344/proxy-chaining-web-pr...

Solution
To add a forwarding server, go to Network -> Explicit Proxy and select 'Create New' in the Web Proxy Forwarding Servers section of the Explicit Proxy page.

Example configuration of a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.


                        



To configure the web proxy forwarding server via CLI:

# config web-proxy forward-server
    edit fwd-srv
        set addr-type fqdn
        set fqdn proxy.example.com
        set port 8080
    end


Then add the explicit web proxy forwarding server to the proxy policy:

This security policy allows all users on the internal subnet to use the explicit web proxy for connections through the port1 interface to the Internet.
The policy forwards web proxy sessions to a remote forwarding server named fwd-srv.



 
 
To add the explicit web proxy forwarding server via CLI:

# config firewall proxy-policy
    edit 1
        set name "example"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "internal subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set webproxy-forward-server "fwd-srv"
    next
end
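
A check that can be run against a saved configuration to confirm that every accepted explicit-web proxy policy points at a forwarding server that actually exists, since a policy without one does not use the chain. This is an added example, not Fortinet code or part of the original article; `SAMPLE`, `parse_tables` and `audit` are hypothetical names, the sample text is constructed, and only flat config/edit/set tables like the two shown above are handled.

```python
import shlex

# Constructed sample in the style of the article's CLI blocks (not a real backup).
SAMPLE = '''
config web-proxy forward-server
    edit fwd-srv
        set fqdn proxy.example.com
    end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set action accept
        set webproxy-forward-server "fwd-srv"
    next
    edit 2
        set proxy explicit-web
        set action accept
    next
    edit 3
        set proxy explicit-web
        set action accept
        set webproxy-forward-server "fwd-svr"
    next
end
'''

def parse_tables(text):
    """Parse flat 'config/edit/set' tables into {path: {entry: {option: value}}}."""
    tables, path, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw.lstrip("# "))  # drop a leading CLI prompt, honour quotes
        if tok[:1] == ["config"]:
            path, entry = " ".join(tok[1:]), None
        elif tok[:1] == ["edit"] and path:
            entry = tables.setdefault(path, {}).setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif tok[:1] in (["next"], ["end"]):
            entry = None  # nested config blocks are out of scope for this sketch
    return tables

def audit(text):
    """Return (policy id, problem) for accepted explicit-web policies that do not chain."""
    t = parse_tables(text)
    servers, out = t.get("web-proxy forward-server", {}), []
    for pid, p in t.get("firewall proxy-policy", {}).items():
        fwd = p.get("webproxy-forward-server")
        if (p.get("proxy"), p.get("action")) == ("explicit-web", "accept") and fwd not in servers:
            out.append((pid, f"undefined forward server {fwd!r}" if fwd else "no forward server set"))
    return out
```

Calling `audit(SAMPLE)` flags policy 2 (no forwarding server) and policy 3 (a misspelled server name), and leaves policy 1 alone.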