Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MidwestOpe
New Contributor

Proxy/Redirected FQDN

Hi folks,

 

Looking for some advice here. We have an access control system off-site (no Forti equipment) that sits behind what appears to be a "proxy" FQDN. LAN -> WAN -> URL -> Redirected IP/port -> ACS.

Every time the URL is accessed, it will redirect to a new IP and port combination - what I imagine is some kind of load-balancing. I can whitelist the redirected IP and the port, but it changes after a day or so. Efforts to glean the IP/port ranges I need to whitelist have been futile.

 

Is there a way to whitelist a FQDN's redirections? I port forwarded a customized port on the ISP router to the private IP of the ACS interface in the past (by being there physically)...but this WAN IP has changed - and I'm looking for a way to allow access remotely.

 

Am I overthinking it? Thanks for your thoughts!

7 REPLIES 7
saneeshpv_FTNT

Hi

 

Not very clear with your setup. Could you please share the URL you are accessing? Is it publicly accessible? Where is this redirected IP/port pointing to ? Also where is the FortiGate placed in this traffic path ?

 

Maybe a diagram would help.

 

Best Regards,

nageentaj

Hi Team,

Please share us the below details.

Is firewall acting as a proxy server or are you using any third party proxy ?

please share  us the clear  network diagram and proxy configuration settings on the user PC accessing the URL mentioning the URL you are accessing.
Also please let us know the exact requirement you are looking for by explaining in detail.

 

MidwestOpe

The FortiGate 60F is doing nothing special, just forwarding requests on as necessary. There seems to be a 3rd party proxy down the line, as seen in the diagram provided.

I'm looking to see if I can whitelist or "trust" the redirected IP/Port combination after hitting the initial URL. The proxy server uses different ports and IPs after a certain period of time, like 24 hours. I can whitelist the URL, but it seems FortiGate doesn't allow for access after it is redirected. I can provide the URL in a private message if necessary....RMC_workflow.PNG

saneeshpv_FTNT

Hi @MidwestOpe 

 

When the proxy server changes the IP and port, how does the user knows about this port change. I can understand with DNS, we know the IP changes for that FQDN/URL but what about the port change. Is the proxy going to sending back any redirected URL to the User ? If it changes the port, Is the Proxy going on listen on these random port when user connects ?

 

Usually with a Full Proxy, you will have two connection, One from User to Proxy and the Second one from Proxy to the ACS system. So if the proxy is changing the IP and port for the connection from Proxy to ACS, you don't really to change anything on the FortiGate because it is placed in between User and Proxy. 

 

If the IP/Port change happens on the connection between user and Proxy, please let me know the flow of traffic from user to proxy as this is something not very common.

 

Best Regards,

 

 

 

MidwestOpe
New Contributor

Yeah, it's real funky. I'm going to try and attach a video of what I'm seeing. The "proxy" is essentially a load balanced black box it seems that redirects to the ACS...somewhow.

 

I've taken to going to the location physically and logging in to port forward certain requests to the ACS. But, it'd be nice to get this functionality working without having to whitelist the whole internet (because the IP/port combo changes so frequently).black_box_proxy.gif

saneeshpv_FTNT

Hi @MidwestOpe ,

 

From the video, it looks like when you access the RMC URL, the device on the other end is redirecting the user to this IP/Port and the subsequent request to this IP/port is being either blocked at your Fortigate (as you may not allow allow random ports to Untrust/Internet) or this request black holed some where. Please check fortigate logs for any traffic block for this IP or Port. If it does please try to create a Policy in FGT for testing with Destination and Service as "all".

 

Are you aware of this IP address (185.202.172.220) ? Also Please also confirm if there is any proxy in your local network.

 

Best Regards,

 

 

 

MidwestOpe

Yes, it's being blocked in the FortiGate and I can whitelist it - but a few hours later this IP/port combo will change requiring me to re-whitelist a new IP/port combo. That's the issue. After I'm redirected at the RMC URL, the firewall treats the new IP/port combo as a new FortiGate request, and no rules match so implicit deny is used.

Top Kudoed Authors