Description
This article describes how to set up proxy forwarding with Kerberos authentication.
Scope
FortiProxy.
Solution
The topology for the setup is as below:
Client ---------- FortiProxyChild ---------- FortiProxyParent --------- Internet
FortiProxyChild is the child proxy and performs the proxy forwarding, while FortiProxyParent performs the authentication.
To prepare FortiProxyParent, follow the KB article below:
Technical Tip: FortiGate explicit proxy authentication with Kerberos
Take note that, when creating the keytab, the FQDN of the child proxy must be used instead of the FQDN of the parent proxy. If the parent proxy FQDN is used, the principal name in the keytab is that of the parent proxy, so when the client's browser proxy setting points to the child proxy, the browser requests a service ticket for HTTP/childproxy and the parent cannot validate it with its keytab.
For the child proxy, the setting is straightforward: it only needs to forward the proxy request to the parent proxy and pass the client's proxy authentication header through, which is what 'set forward-proxy-auth enable' under 'config web-proxy global' does.
Example config on childproxy:
config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port2"
        set http-incoming-port 8080
        set https-incoming-port 8080
    next
end

config system interface
    edit "port2"
        set ip 10.205.2.72 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 2
    next
end

config web-proxy global
    set fast-policy-match disable
    set ldap-user-cache disable
    set proxy-fqdn "default.fqdn"
    set forward-proxy-auth enable
    set https-replacement-message disable
    set message-upon-server-error disable
    set trace-auth-no-rsp enable
end

config web-proxy forward-server
    edit "FPXParent"
        set addr-type fqdn
        set fqdn "fpxparent.example.com"
        set port 8080
    next
end

config firewall policy
    edit 1
        set type explicit-web
        set name "ToFPXParent"
        set uuid ac9e02a0-135e-51ef-7446-e7d7330be6ca
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set log-http-transaction all
        set webproxy-forward-server "FPXParent"
    next
end
Results:
When running 'klist' in the Windows command prompt, the HTTP/childproxy.example.com service ticket is listed.
On the parent proxy, the user logon is listed with authentication method Negotiate:
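The keytab note above and this klist check are two sides of the same requirement: the service principal in the parent's keytab must be HTTP/ followed by the hostname the browser is pointed at. The following script is an added example, not part of the Fortinet article; it parses constructed klist output (the sample text is made up, not a real capture) and checks whether the client holds a ticket for the proxy host configured in the browser. The hostnames childproxy.example.com and fpxparent.example.com are taken from the article; the realm EXAMPLE.COM and all ticket details are assumptions.

```python
import re

# Constructed sample of Windows `klist` output after a browser has authenticated
# to the child proxy with Negotiate (not a real capture; realm and times are assumed).
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a2

Cached Tickets: (2)

#0>     Client: peter @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/12/2024 9:01:12 (local)
        End Time:   6/12/2024 19:01:12 (local)
        Renew Time: 6/19/2024 9:01:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc01.example.com

#1>     Client: peter @ EXAMPLE.COM
        Server: HTTP/childproxy.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 6/12/2024 9:03:40 (local)
        End Time:   6/12/2024 19:01:12 (local)
        Renew Time: 6/19/2024 9:01:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dc01.example.com
"""

# A "Server:" line in klist output looks like "Server: HTTP/host.example.com @ REALM".
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)", re.MULTILINE)


def service_principals(klist_output):
    """Return the set of service principals ("service/host@REALM") held in the
    ticket cache, normalized to lower case because SPN matching in Windows is
    case-insensitive."""
    return {f"{svc}@{realm}".lower() for svc, realm in SERVER_RE.findall(klist_output)}


def expected_proxy_spn(browser_proxy_host, realm):
    """The SPN a browser asks the KDC for when doing Negotiate to a proxy is
    HTTP/<the host in the browser's proxy setting>. This is why the keytab on
    the parent must carry the child proxy's FQDN: the client never names the
    parent in its request."""
    return f"HTTP/{browser_proxy_host}@{realm}".lower()


def check_proxy_ticket(klist_output, browser_proxy_host, realm):
    """Return (expected_spn, present): whether the cache holds a ticket for the
    SPN that the given browser proxy setting would produce."""
    spn = expected_proxy_spn(browser_proxy_host, realm)
    return spn, spn in service_principals(klist_output)


if __name__ == "__main__":
    # The browser points at the child proxy, so this ticket is expected to exist.
    print(check_proxy_ticket(SAMPLE_KLIST, "childproxy.example.com", "EXAMPLE.COM"))
    # A keytab built with the parent FQDN would expect this SPN, which the client
    # never requests; the mismatch is the failure mode described in the article.
    print(check_proxy_ticket(SAMPLE_KLIST, "fpxparent.example.com", "EXAMPLE.COM"))
```

Run the script as-is against the embedded sample, or replace SAMPLE_KLIST with the real output of klist from a client that has just browsed through the child proxy. A True result for the child FQDN and a False result for the parent FQDN confirms the browser is requesting the SPN that the keytab, built with the child FQDN, can validate.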
diagnose wad user list
ID: 17, VDOM: root, IPv4: 10.205.2.72
  user name   : peter@example.com
  worker      : 0
  duration    : 134 seconds
  auth_type   : Session
  auth_method : Negotiate    <--
  pol_id      : 3
  g_id        : 3
  user_based  : 0
  expire      : N/A (in use)
Copyright 2024 Fortinet, Inc. All Rights Reserved.