Hello @All,
We're using explicit Web Proxy with pac-File.
function FindProxyForURL(url,host){
if (shExpMatch(url,"*.domain.com/*")){
return "DIRECT";}
if (shExpMatch(url,"*domain.com:*/*")){
return "DIRECT";}
if (isInNet(host,"192.168.0.0","255.255.0.0")){
return "PROXY proxy.domain.com:8888";}
if (isInNet(host,"10.130.0.0","255.255.0.0")){
return "PROXY proxy.domain.com:8888";}
return "PROXY proxy.domain.com:8888";
}
Internet works but with local IP like https://192.168.190.5 I get access denied:
How can we fix that problem?
Many thanks in advance
TheBob
Hello TBC,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello,
Based on the output, do you have Proxy-policy to your local lan? This is some kind of "hairpin" proxy I guess.
Hello Adrian,
thanks for replay!
I'm not really know what you mean but yes we have proxy-policy and the user needs to log in with the AD-User/PWD to get access to the internet but not for local Intranet:
What you mean with "hairpin"?
Many thanks!
TheBob
Hi.
Based on PAC configuration, traffic to local server 192.168.190.5 is going via proxy. And if my assumption is correct, this subnet is behind different port than wan2? So if it is behind port1 (example), you will need to have proxy-policy from explicit-web to port1 also. By the "hairpin" I meant that traffic is coming to FortiGate from local port and going back to the local port.
Hello Adrian,
sorry for delay, I was thick yesterday.
So you mean I need to proxy-policy one with:
1. internet = Port 1 (internal) and Outgoing WAN Port to internet:
2. Intranet = Port 1 (internal) to Outgoing also Port 1.
Is that correct?
Many thanks!
TheBob
Hello,
Yes, you will need proxy-policy for explicit-web-proxy with port1 as outgoing interface if that server is behind this port.
I have changed the proxy pac file to that one:
function FindProxyForURL(url,host){
if (shExpMatch(url,"*.domain.com/*")){
return "DIRECT";}
if (shExpMatch(url,"*domain.com:*/*")){
return "DIRECT";}
if (shExpMatch(url,"*gsm.domain.de:*/*")){
return "DIRECT";}
if (isInNet(host,"192.168.0.0","255.255.0.0")){
return "DIRECT";}
if (isInNet(host,"10.130.0.0","255.255.0.0")){
return "DIRECT";}
return "PROXY proxy.domain.com:8888";
}
"DIRECT" instant "PROXY proxy.domain.com:8888"
Many many thanks to you both for helping!!!
regards TheBob
Hello,
Yes, this was other solution :) I was just assuming that you want to force traffic over proxy. Happy to help.
Type the following commands:
ipconfig /flushdns and press Enter.
ipconfig /registerdns and press Enter.
ipconfig /release and press Enter.
ipconfig /renew and press Enter.
The source is here.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.