proxy.pac but no access to local WebSite
Hello @All,
We're using explicit Web Proxy with pac-File.
function FindProxyForURL(url, host) {
    // URLs under domain.com (with or without an explicit port) bypass the proxy
    if (shExpMatch(url, "*.domain.com/*")) {
        return "DIRECT";
    }
    if (shExpMatch(url, "*domain.com:*/*")) {
        return "DIRECT";
    }
    // Internal ranges are sent to the proxy, the same as the default below
    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "PROXY proxy.domain.com:8888";
    }
    if (isInNet(host, "10.130.0.0", "255.255.0.0")) {
        return "PROXY proxy.domain.com:8888";
    }
    return "PROXY proxy.domain.com:8888";
}
Internet works but with local IP like https://192.168.190.5 I get access denied:
How can we fix that problem?
Many thanks in advance
TheBob
Labels: FortiGate
Hello TBC,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello,
Based on the output, do you have a proxy-policy to your local LAN? This is some kind of "hairpin" proxy, I guess.
Hello Adrian,
thanks for the reply!
I don't really know what you mean, but yes, we have a proxy-policy and the user needs to log in with the AD-User/PWD to get access to the internet but not for local Intranet:
What do you mean by "hairpin"?
Many thanks!
TheBob
Hi.
Based on the PAC configuration, traffic to the local server 192.168.190.5 is going via the proxy. And if my assumption is correct, this subnet is behind a different port than wan2? So if it is behind port1 (example), you will need to have a proxy-policy from explicit-web to port1 also. By "hairpin" I meant that traffic is coming to the FortiGate from a local port and going back to the local port.
Hello Adrian,
sorry for the delay, I was sick yesterday.
So you mean I need to proxy-policy one with:
1. internet = Port 1 (internal) and Outgoing WAN Port to internet:
2. Intranet = Port 1 (internal) to Outgoing also Port 1.
Is that correct?
Many thanks!
TheBob
Hello,
Yes, you will need a proxy-policy for explicit-web-proxy with port1 as the outgoing interface if that server is behind this port.
I have changed the proxy pac file to that one:
function FindProxyForURL(url, host) {
    // URLs under domain.com and gsm.domain.de bypass the proxy
    if (shExpMatch(url, "*.domain.com/*")) {
        return "DIRECT";
    }
    if (shExpMatch(url, "*domain.com:*/*")) {
        return "DIRECT";
    }
    if (shExpMatch(url, "*gsm.domain.de:*/*")) {
        return "DIRECT";
    }
    // Internal ranges now bypass the proxy as well
    if (isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    if (isInNet(host, "10.130.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    return "PROXY proxy.domain.com:8888";
}
"DIRECT" instead of "PROXY proxy.domain.com:8888"
Many many thanks to you both for helping!!!
regards TheBob
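Added example, not code from the thread: a Node.js harness that runs both PAC files posted above against sample URLs, showing that 192.168.190.5 is handed to the proxy by the first file and goes DIRECT with the second. The helper stand-ins (`shExpMatch`, and an `isInNet` that does no DNS lookups), the names `pacBefore`, `pacAfter`, `decide` and `report`, and every sample URL except 192.168.190.5 are assumptions made for the example.

```javascript
// Stand-ins for the PAC helpers a browser provides, so the files can be tested offline.
function shExpMatch(str, glob) {
  // Escape regex metacharacters, then map the glob wildcards: * -> .*  and ? -> .
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => acc * 256 + Number(o), 0);
}
function isInNet(host, net, mask) {
  // A browser would resolve hostnames through DNS; this stand-in only matches IP literals.
  const h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  return h !== null && ((h & k) >>> 0) === ((n & k) >>> 0);
}
const PROXY = "PROXY proxy.domain.com:8888";
// First PAC in the thread: the internal ranges are handed to the proxy.
function pacBefore(url, host) {
  if (shExpMatch(url, "*.domain.com/*")) return "DIRECT";
  if (shExpMatch(url, "*domain.com:*/*")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return PROXY;
  if (isInNet(host, "10.130.0.0", "255.255.0.0")) return PROXY;
  return PROXY;
}
// Changed PAC: the internal ranges bypass the proxy.
function pacAfter(url, host) {
  if (shExpMatch(url, "*.domain.com/*")) return "DIRECT";
  if (shExpMatch(url, "*domain.com:*/*")) return "DIRECT";
  if (shExpMatch(url, "*gsm.domain.de:*/*")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "10.130.0.0", "255.255.0.0")) return "DIRECT";
  return PROXY;
}
// Evaluate a PAC function with the full URL plus its hostname.
function decide(pac, url) {
  return pac(url, new URL(url).hostname);
}
// Constructed sample URLs; only 192.168.190.5 comes from the thread.
const samples = ["https://192.168.190.5/", "https://intranet.domain.com/",
  "https://www.example.org/", "https://notdomain.com:8443/x"];
function report() {
  return samples.map((u) => ({ url: u, before: decide(pacBefore, u), after: decide(pacAfter, u) }));
}
console.table(report());
```

The last sample shows that `*domain.com:*/*` has no leading dot, so any host whose name ends in domain.com and carries an explicit port is also returned as DIRECT and never reaches the proxy-policy.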
Hello,
Yes, this was the other solution :) I was just assuming that you wanted to force traffic over the proxy. Happy to help.
Type the following commands:
ipconfig /flushdns and press Enter.
ipconfig /registerdns and press Enter.
ipconfig /release and press Enter.
ipconfig /renew and press Enter.
The source is here.