Reverse Proxy Question
First of all, let me say that I am not a reverse proxy expert, but I am trying to secure our network. Right now I use the VIP option for servers sitting in the DMZ. However, if possible I would like to move to a reverse proxy option and get rid of all the VIP groups. I don't have any idea whether or not this is even feasible. Does anyone send their external requests to a reverse proxy before sending them inbound to the actual device? Any response will be greatly appreciated.
Are you trying to RP with a FortiGate? As far as I know, FortiWeb is the solution that you're looking for. See the datasheet HERE.
Cheers.
Yes, I knew that they had that product; however, from what I understand the FortiGate itself is supposed to do reverse proxying as well. I was just trying to find someone that may have used it for that purpose before and how they did it. I really don't like having to open all the holes in the firewall so the outside IP is speaking directly to the machine inside or in the DMZ.
jrpayne wrote: Yes, I knew that they had that product; however, from what I understand the FortiGate itself is supposed to do reverse proxying as well. I was just trying to find someone that may have used it for that purpose before and how they did it. I really don't like having to open all the holes in the firewall so the outside IP is speaking directly to the machine inside or in the DMZ.

Oh, ok! So, did you find a way to RP with the FortiGate? I could really use the info.

Thanks!
Hi, we do "RP" with the FortiGate within the load-balance function.
config firewall vip
    edit "vs_https_owa"
        set type server-load-balance
        set extip xxx.xxx.xxx.xxx
        set extintf "wan1"
        set server-type ssl
        set monitor "https"
        set persistence ssl-session-id
        set extport 443
        config realservers
            edit 1
                set ip xxx.xxx.xxx.xxx
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "your ssl certificate"
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.0
        set ssl-client-renegotiation secure
    next
end
--- NSE 4 ---
Hi Marcus,
Forgive me if this is a stupid question. I'm curious how you got this working and whether it would work in my scenario. We have a FortiGate 100D.
I am wanting to set up HTTPS access to multiple web servers and also an ADFS server that are sitting on my internal network:
site1.domain.com
Site2.domain.com
Site3.domain.com
ADFS.domain.com
I have a wildcard public certificate for domain.com. Is there any way for the FortiGate to know where to send the traffic?
Cheers
Nathan
Hi Nazz, sorry for the delay, I was absent for a while. Yes, this should work in your scenario. In my opinion, the easy way is to create a load-balance VIP for every site. This should work with your wildcard cert as well, and you can decide which domain points to the corresponding web server.
As far as I know, there is no way to redirect different URLs (with the same IP) to different servers. Hope it helps. Best,
Markus
--- NSE 4 ---
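The layout Markus recommends above, one server-load-balance VIP per site, written out as an added example that is not part of the thread and not Markus's or Fortinet's own configuration. Everything specific in it is assumed: the documentation-range public addresses 203.0.113.10 and 203.0.113.11 (one per site, since the thread's posters agree a single public address cannot be split by hostname this way), the internal servers 10.0.10.21 and 10.0.10.22, the interface names "wan1" and "dmz", the certificate object name "wildcard-domain-com", and the policy number. The TLS settings deliberately differ from the posted config: minimum version TLS 1.2 and client renegotiation denied rather than TLS 1.0 and "secure".

```fortios
# Added example, not from the thread. All names, addresses and interfaces are assumed.
# One VIP per site, each on its own public IP; the wildcard certificate is reused on each.
config firewall vip
    edit "vs_https_site1"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.10
        set extport 443
        set server-type https
        set ldb-method first-alive
        set monitor "https"
        set persistence ssl-session-id
        # full: FortiGate terminates TLS from the client and re-encrypts to the server,
        # so the real server's certificate never has to be public-facing
        set ssl-mode full
        set ssl-certificate "wildcard-domain-com"
        set ssl-min-version tls-1.2
        set ssl-dh-bits 2048
        set ssl-client-renegotiation deny
        config realservers
            edit 1
                set ip 10.0.10.21
                set port 443
            next
        end
    next
    edit "vs_https_site2"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.11
        set extport 443
        set server-type https
        set ldb-method first-alive
        set monitor "https"
        set persistence ssl-session-id
        set ssl-mode full
        set ssl-certificate "wildcard-domain-com"
        set ssl-min-version tls-1.2
        set ssl-dh-bits 2048
        set ssl-client-renegotiation deny
        config realservers
            edit 1
                set ip 10.0.10.22
                set port 443
            next
        end
    next
end

# Health check referenced by "set monitor": a server that stops answering is
# taken out of rotation instead of receiving half-open connections from the outside.
config firewall ldb-monitor
    edit "https"
        set type https
        set interval 10
        set timeout 2
        set retry 3
        set port 443
    next
end

# The only inbound hole: WAN to the VIP objects on port 443. The real servers'
# addresses do not appear in any policy, so nothing from the outside reaches them directly.
config firewall policy
    edit 101
        set name "inbound-https-vips"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vs_https_site1" "vs_https_site2"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Each site's public DNS record (site1.domain.com, site2.domain.com, and so on) points at its own extip, which is how the FortiGate "knows" where to send the traffic: it never inspects the hostname. Repeat the VIP block for each additional site and add it to the policy's dstaddr list. Some newer FortiOS releases also offer `set ldb-method http-host` with a `set http-host` value on each real server to switch on the HTTP Host header behind a single public address; that is an assumption about your release, not something the thread confirms, so check the CLI reference for your firmware before relying on it.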
You need a real reverse proxy if you want host-header switching when you have one public address. A FortiGate RP is good for generic hosting but not the ideal candidate.
PCNSE
NSE
StrongSwan
