FortiProxy
Jackie_T
Staff
Article Id 320479
Description

This article describes how to set up proxy forwarding with Kerberos authentication.

Scope

FortiProxy.
Solution

The topology for this setup is as follows:

Client ---------- FortiProxyChild ---------- FortiProxyParent --------- Internet

FortiProxyChild is the child proxy and performs the proxy forwarding, while FortiProxyParent performs the authentication.

To prepare FortiProxyParent, follow the KB article below:

Technical Tip: FortiGate explicit proxy authentication with Kerberos

Note that when creating the keytab, the FQDN of the child proxy must be used instead of the parent proxy's. If the parent proxy FQDN is used, the service principal name in the keytab will be the parent proxy's, so when the client's browser proxy setting points at the child proxy, the client will not get a matching Kerberos service ticket.

On the child proxy the configuration is straightforward, as it only needs to forward the proxy requests to the parent proxy.

Example configuration on the child proxy:

config web-proxy explicit-proxy
    edit "web-proxy"
        set status enable
        set interface "port2"
        set http-incoming-port 8080
        set https-incoming-port 8080
    next
end

config system interface
    edit "port2"
        set ip 10.205.2.72 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 2
    next
end

config web-proxy global
    set fast-policy-match disable
    set ldap-user-cache disable
    set proxy-fqdn "default.fqdn"
    set forward-proxy-auth enable
    set https-replacement-message disable
    set message-upon-server-error disable
    set trace-auth-no-rsp enable
end

config web-proxy forward-server
    edit "FPXParent"
        set addr-type fqdn
        set fqdn "fpxparent.example.com"
        set port 8080
    next
end

config firewall policy
    edit 1
        set type explicit-web
        set name "ToFPXParent"
        set uuid ac9e02a0-135e-51ef-7446-e7d7330be6ca
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set log-http-transaction all
        set webproxy-forward-server "FPXParent"
    next
end

Results:

When running 'klist' in the Windows command prompt, the HTTP/childproxy.example.com service ticket is listed.

On the parent proxy, the user logon is listed with authentication method Negotiate. The IPv4 address shown is the child proxy's port2 address (10.205.2.72), because the parent sees the forwarded connection from the child rather than from the client:

diagnose wad user list

ID: 17, VDOM: root, IPv4: 10.205.2.72
  user name   : peter@example.com
  worker      : 0
  duration    : 134 seconds
  auth_type   : Session
  auth_method : Negotiate   <--
  pol_id      : 3
  g_id        : 3
  user_based  : 0
  expire      : N/A (in use)
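As an added verification helper (not part of the original article or of FortiProxy), the following Python script parses the client's 'klist' output and the parent's 'diagnose wad user list' output to confirm that the cached ticket is for the child proxy's FQDN and that the parent authenticated the user with Negotiate from the child proxy's address; both sample outputs are constructed for this example.

```python
import re

# Constructed sample of Windows 'klist' output on the client (not captured from the article).
KLIST_OUTPUT = """\
#0>     Client: peter @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
#1>     Client: peter @ EXAMPLE.COM
        Server: HTTP/childproxy.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

# Constructed sample of 'diagnose wad user list' output on the parent proxy.
WAD_USER_LIST = """\
ID: 17, VDOM: root, IPv4: 10.205.2.72
  user name   : peter@example.com
  worker      : 0
  duration    : 134 seconds
  auth_type   : Session
  auth_method : Negotiate
  pol_id      : 3
  g_id        : 3
  user_based  : 0
  expire      : N/A (in use)
"""

def klist_service_principals(klist_text):
    """Return the server principals (realm stripped) of all cached tickets."""
    return re.findall(r"^\s*Server:\s*(\S+)\s*@", klist_text, re.MULTILINE)

def has_proxy_ticket(klist_text, proxy_fqdn):
    """True if the client holds a service ticket for HTTP/<proxy FQDN>.
    The browser requests HTTP/<the proxy host it is configured with>, which is
    why the keytab on the parent must carry the child proxy's FQDN."""
    return f"HTTP/{proxy_fqdn}" in klist_service_principals(klist_text)

def parse_wad_users(text):
    """Parse 'diagnose wad user list' output into one dict per user entry."""
    users, current = [], None
    for line in text.splitlines():
        m = re.match(r"ID:\s*(\d+),\s*VDOM:\s*(\S+),\s*IPv4:\s*(\S+)", line)
        if m:
            current = {"id": int(m.group(1)), "vdom": m.group(2), "ipv4": m.group(3)}
            users.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return users

def negotiate_users(text, child_proxy_ip):
    """Users the parent authenticated via Kerberos (Negotiate) whose source is the
    child proxy, since the parent sees the forwarded connection, not the client."""
    return [u["user name"] for u in parse_wad_users(text)
            if u.get("auth_method") == "Negotiate" and u["ipv4"] == child_proxy_ip]
```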