Explicit Proxy is one of the many useful features integrated into the FortiGate firewall. The following is a simple configuration of an explicit proxy. This article only describes the web proxy part of the deployment; the FTP proxy configuration process is similar and is skipped here.
Background:
Recently, using China Unicom's network to visit some foreign sites commonly needed for work has been very difficult: web page response time is long, and sometimes pages cannot load at all.
Colleagues in some departments need to download documents sent by foreign colleagues, many of which are shared through foreign cloud services such as Dropbox, Google Docs, OneDrive and so on;
Sites that colleagues in one department use for work, such as Webex.com, netsuite.com and Microsoft's CRM site;
Search engines commonly used by foreign companies, such as google.com. We all know that relying on Baidu makes it very difficult to find new and valuable technical material;
Solution:
- Proxy;
- VPN;
- The foreign office provides VMs to domestic users for remote use, and so on;
Here I used to rely mainly on a proxy server, Squid for Windows. I did not use the Linux version of Squid mainly because not many colleagues in the company are familiar with Linux, and I was afraid later maintenance would be harder. My previous Squid was configured with NTLM authentication and managed through the company's domain environment, which made granting permissions to users convenient. However, the Windows version of Squid is very old; it has not been updated since 2.7. It happened that I had just helped the company replace its firewall with a FortiGate NGFW, and after foreign colleagues pointed out that the NGFW has a built-in explicit proxy, it felt very fresh. I also had the idea of moving away from Squid, so I studied it.
The configuration steps are roughly divided into the following sections:
- Enable the explicit proxy feature;
- Enable the WAN optimization feature;
- Configure the port used by the explicit proxy;
- Enable explicit web proxy support on the required interfaces;
- Configure the services used by the explicit proxy;
- Configure the explicit policy;
- Configure RADIUS-authenticated users for convenient permission management;
- Configure Windows NPS as a RADIUS server;
- Set up the appropriate group in Active Directory for assigning permissions;
Environment information:
The following are the specific configuration procedures:
Enable the explicit proxy feature. When enabling it:
- Log in to the FW web GUI;
- System -> Config -> Features;
- Enable WAN Opt. & Cache under Basic Features;
- Enable Explicit Proxy under Security Features;
[Screenshot: Enable-features]
Configure the service port used by the explicit proxy, as shown:
- Expand System -> Network -> Explicit Proxy;
- Tick HTTP/HTTPS under Enable Web Explicit Proxy;
- Enter 56789 in the HTTP port;
- Keep the default HTTPS port setting of 0;
- In the Realm field, type the text you want to appear in the prompt window, such as "Please enter your domain credentials";
- Leave the other options on this page at their defaults;
[Screenshot: screen Shot 2014-12-26 at 23.52.04.png]
Select the interface that listens for explicit proxy requests:
- You can click the Edit button to the right of Listen on Interfaces directly in the previous step, or go to System -> Network -> Interfaces;
- First, enable the explicit proxy feature on the local network interface; this is a necessary step;
- Here I use the LAN network;
- Double-click LAN;
- Tick Enable Explicit Web Proxy;
- Tick the same option on any other interface that needs it;
- The author placed the explicit proxy at the foreign HQ, and the domestic network connects to HQ through a LAN-to-LAN VPN, so I also need to enable Explicit Web Proxy on this LAN-to-LAN VPN interface;
[Screenshot: screen Shot 2014-12-27 at 00.05.52.png]
I did an experiment here: I tested allowing only requests to the Internet on destination ports 80 and 443, to improve security, but how much security this specifically adds is not yet clear to me;
The default webproxy service has two characteristics:
- Allows requests for all protocols;
- Allows requests to any destination port;
The author defines two services that:
- Allow requests for any protocol;
- Respond only to requests for destination ports 80 and 443;
Service name webproxy-80; the service type is Explicit Proxy, which needs attention. The destination port is filled in as 80. Similarly, create a new service with the port set to 443;
[Screenshot: screen Shot 2014-12-26 at 22.55.20.png]
Configure the user group for the explicit web proxy:
- First set up a corresponding user group in Active Directory; the author's user group name is PROXYUSER_CN, and users who need to use the explicit web proxy join this group;
- Then specify the RADIUS information;
- System -> User & Device -> Authentication -> RADIUS Servers;
- Create a new RADIUS server, name it, and enter the FQDN or IP address of the RADIUS server;
- Enter the secret that you set on the RADIUS server; I recommend using the secret generator built into Windows NPS to generate a high-complexity secret with a length of 64 bits, and save it properly;
- Leave the other items unchanged and click OK;
- System -> User & Device -> User -> User Groups;
- Create a new user group and name it;
- Type is Firewall;
- Under Remote Server, add the RADIUS server created in the previous step;
- Leave the other items unchanged and save the settings;
Configuring the explicit policy is the part of the whole configuration process that needs special attention. Not because the process is difficult or hard to understand, but because the GUI cannot complete the configuration: the FW's own GUI cannot configure the service that the policy needs to use. The author submitted this issue to customer service as a bug, but the reply from support was that the switch to configure the service is hidden and can only be configured via the CLI. I'm not buying this answer, because if you use FortiManager, you can configure the service the policy needs through FortiManager's management GUI.
For the specific configuration process, you can refer to the official documentation. Here I paste the commands I configured, for your reference:
fw # config firewall explicit-proxy-policy
fw (explicit-proxy-p~icy) # edit 0
new entry '0' added
fw (0) # set proxy web
fw (0) # set dstintf wan1
fw (0) # set srcaddr <network address that requires the proxy>
fw (0) # set dstaddr all
fw (0) # set action accept
fw (0) # set service webproxy-80 webproxy-443    (the two services built in the previous step; this is the item that FortiOS 5.2 does not expose in the GUI)
fw (0) # set webcache enable
fw (0) # set identity-based enable
fw (0) # set ip-based disable
fw (0) # set active-auth-method basic
fw (0) # config identity-based-policy
fw (identity-based-p~icy) # edit 0
new entry '0' added
fw (0) # set groups <the name of the AD group you defined>
fw (0) # set schedule always
fw (0) # set utm-status enable    (optional)
fw (0) # set webfilter-profile <your customized profile>    (optional; not needed for this article)
fw (0) # set profile-protocol-options default    (optional)
fw (0) # end
fw (0) # end
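As an added example (not part of the original post), the following Python script parses a FortiOS-style explicit-proxy-policy block like the one above and checks the three points this article depends on: the service list is restricted to the custom webproxy-80/webproxy-443 services instead of the default webproxy service (which allows any destination port), identity-based authentication is enabled, and the identity-based sub-policy names a user group. The sample policy text, the `proxy-clients` address name and the function names are constructed for illustration; the service and group names are the ones used in the article.

```python
import re
# Constructed sample input modelled on the CLI block pasted in the article.
SAMPLE_POLICY = """\
config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "proxy-clients"
        set action accept
        set service "webproxy-80" "webproxy-443"
        set identity-based enable
        set active-auth-method basic
        config identity-based-policy
            edit 1
                set groups "PROXYUSER_CN"
            next
        end
    next
end
"""
# The two custom services the article creates (destination ports 80 and 443 only);
# the default `webproxy` service would allow any destination port.
ALLOWED_SERVICES = {"webproxy-80", "webproxy-443"}

def parse_settings(text):
    """Map each `set` key to its values; nested identity-based-policy keys get an 'idp.' prefix."""
    settings, in_idp = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config identity-based-policy"):
            in_idp = True
        elif s == "end" and in_idp:
            in_idp = False
        m = re.match(r"set (\S+)\s+(.*)", s)
        if m:
            key = ("idp." if in_idp else "") + m.group(1)
            settings[key] = [v.strip('"') for v in m.group(2).split()]
    return settings

def audit(text):
    """Return a list of findings; an empty list means the policy matches the article."""
    s = parse_settings(text)
    findings = []
    services = set(s.get("service", []))
    if not services or not services <= ALLOWED_SERVICES:
        findings.append("service not restricted to webproxy-80/webproxy-443: %s" % sorted(services))
    if s.get("identity-based") != ["enable"]:
        findings.append("identity-based authentication not enabled")
    if not s.get("idp.groups"):
        findings.append("identity-based policy names no user group")
    return findings
```

Run `audit()` over the output of `show firewall explicit-proxy-policy` to confirm a deployed policy still matches the restricted shape described in this article.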
Here the FW-side configuration is basically complete; what remains is testing the connectivity between the FW and RADIUS. I recommend testing through the CLI; the test command is:
diagnose test authserver radius <radius-name> <authentication-protocol> <username> <password>
As for configuring Windows NPS as a RADIUS server for the explicit web proxy, because this process applies to authentication for many FortiGate firewall features, we will write a separate article on it later, so please look forward to it.
This article is from the "Dream-dependent practice - Original only" blog; for reproduction please contact the author!
[Configuration] Explicit Proxy for FortiGate firewall