TBC
Contributor

proxy.pac but no access to local WebSite

Hello @All,

 

We're using explicit Web Proxy with pac-File.

 

function FindProxyForURL(url,host){
    if (shExpMatch(url,"*.domain.com/*")){
        return "DIRECT";}
    if (shExpMatch(url,"*domain.com:*/*")){
        return "DIRECT";}
    if (isInNet(host,"192.168.0.0","255.255.0.0")){
        return "PROXY proxy.domain.com:8888";}
    if (isInNet(host,"10.130.0.0","255.255.0.0")){
        return "PROXY proxy.domain.com:8888";}
    return "PROXY proxy.domain.com:8888";
}

 

Internet works, but with a local IP like https://192.168.190.5 I get access denied:

 

[Screenshot of the access denied message]

 

How can we fix that problem?

 

Many thanks in advance

TheBob

 

Anthony_E
Community Manager

Hello TBC,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
akristof
Staff

Hello,

Based on the output, do you have a proxy-policy to your local LAN? This is some kind of "hairpin" proxy, I guess.

Adrian
TBC

Hello Adrian,

Thanks for the reply!

I don't really know what you mean, but yes, we have a proxy-policy, and the user needs to log in with the AD user/password to get access to the internet, but not for the local intranet:

[Screenshot]

 

What do you mean by "hairpin"?

Many thanks!

TheBob

 

akristof

Hi.

Based on the PAC configuration, traffic to the local server 192.168.190.5 is going via the proxy. And if my assumption is correct, this subnet is behind a different port than wan2? So if it is behind port1 (example), you will need to have a proxy-policy from explicit-web to port1 also. By "hairpin" I meant that traffic is coming to the FortiGate from a local port and going back to the local port.

Adrian
TBC

Hello Adrian,

Sorry for the delay, I was sick yesterday.

So you mean I need proxy-policies with:

1. Internet = Port 1 (internal) and outgoing WAN port to the internet:

2. Intranet = Port 1 (internal) to outgoing also Port 1.

 

Is that correct?

Many thanks!

TheBob

akristof

Hello,

Yes, you will need a proxy-policy for explicit-web-proxy with port1 as the outgoing interface if that server is behind this port.

Adrian
TBC

I have changed the proxy PAC file to this one:

function FindProxyForURL(url,host){
    if (shExpMatch(url,"*.domain.com/*")){
        return "DIRECT";}
    if (shExpMatch(url,"*domain.com:*/*")){
        return "DIRECT";}
    if (shExpMatch(url,"*gsm.domain.de:*/*")){
        return "DIRECT";}
    if (isInNet(host,"192.168.0.0","255.255.0.0")){
        return "DIRECT";}
    if (isInNet(host,"10.130.0.0","255.255.0.0")){
        return "DIRECT";}
    return "PROXY proxy.domain.com:8888";
}

"DIRECT" instead of "PROXY proxy.domain.com:8888"

 

Many many thanks to you both for helping!!!

 

regards TheBob
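
The routing difference between the two PAC files in this thread can be checked offline. The following is an added example, not part of the original posts: `shExpMatch` and `isInNet` are minimal stand-ins for the browser's helpers (assumption: literal IPv4 hosts only, no DNS lookup), and every sample URL except https://192.168.190.5 is constructed.

```javascript
// Stand-ins for the browser's PAC helpers (added for this example).
// Assumption: isInNet handles literal IPv4 hosts only; a browser would
// also resolve hostnames via DNS before comparing.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return null;
  return m.slice(1).reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}
function isInNet(host, net, mask) {
  const [h, n, k] = [host, net, mask].map(ipToInt);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}
const PROXY = "PROXY proxy.domain.com:8888";
// First PAC from the thread: private ranges fall through to the proxy.
function pacOriginal(url, host) {
  if (shExpMatch(url, "*.domain.com/*")) return "DIRECT";
  if (shExpMatch(url, "*domain.com:*/*")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return PROXY;
  if (isInNet(host, "10.130.0.0", "255.255.0.0")) return PROXY;
  return PROXY;
}
// Revised PAC from the thread: private ranges bypass the proxy.
function pacRevised(url, host) {
  if (shExpMatch(url, "*.domain.com/*")) return "DIRECT";
  if (shExpMatch(url, "*domain.com:*/*")) return "DIRECT";
  if (shExpMatch(url, "*gsm.domain.de:*/*")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (isInNet(host, "10.130.0.0", "255.255.0.0")) return "DIRECT";
  return PROXY;
}
// Evaluate one URL against both PAC versions.
function route(urlString) {
  const u = new URL(urlString);
  return { original: pacOriginal(u.href, u.hostname),
           revised: pacRevised(u.href, u.hostname) };
}
// Constructed sample URLs (not taken from any real log).
const samples = ["https://192.168.190.5/", "http://10.130.4.20:8080/app",
  "https://intranet.domain.com/", "https://www.example.org/",
  "http://otherdomain.com:8080/x"]; // last: "*domain.com:*" has no leading dot
for (const s of samples) console.log(s, route(s));
```

Running a list of expected destinations through `route` before deploying a PAC change shows which ones leave the proxy path, including hosts that an unanchored wildcard sends DIRECT.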

akristof

Hello,

Yes, this was the other solution :) I was just assuming that you want to force traffic over the proxy. Happy to help.

Adrian
Coreywilliams
New Contributor

Type the following commands:
ipconfig /flushdns and press Enter.
ipconfig /registerdns and press Enter.
ipconfig /release and press Enter.
ipconfig /renew and press Enter.

 

The source is here.
