Proxy chaining (web proxy forwarding servers)

Proxy chaining (web proxy forwarding servers)

For the explicit web proxy you can configure web proxy forwarding servers to use proxy chaining to redirect web proxy sessions to other proxy servers. Proxy chaining can be used to forward web proxy sessions from the FortiGate unit to one or more other proxy servers on your network or on a remote network. You can use proxy chaining to integrate the FortiGate explicit web proxy with an web proxy solution that you already have in place.

A FortiGate unit can forward sessions to most web proxy servers including a remote FortiGate unit with the explicit web proxy enabled. No special configuration of the explicit web proxy on the remote FortiGate unit is required.

You can deploy the explicit web proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiGate unit, users at each of the satellite offices can use their local FortiGate unit as an explicit web proxy server. The satellite office FortiGate units can forward explicit web proxy sessions to an explicit web proxy server at the central office. From here the sessions can connect to web servers on the Internet.

FortiGate proxy chaining does not support authenticating with the remote forwarding server.

 

Adding a web proxy forwarding server

To add a forwarding server, select Create New in the Web Proxy Forwarding Servers section of the ExpliciProxy page by going to Network > Explicit Proxy.

Server Name             Enter the name of the forwarding server.

Proxy Address         Enter the IP address of the forwarding server.

Proxy Address Type

Select the type of IP address of the forwarding server. A forwarding server can have an FQDN or IP address.

 

Port

Enter the port number on which the proxy receives connections. Traffic leaving the FortiGate explicit web proxy for this server has its destination port number changed to this number.
Server Down action

Select what action the explicit web proxy to take if the forwarding server is down.

 

Block means if the remote server is down block traffic.

 

Use Original Server means do not forward traffic to the forwarding sever but instead forward it from the FortiGate to its destination. In other words operate as if there is no forwarding server configured.

 

Enable Health

Monitor                     Select to enable health check monitoring and enter the address of a remote site. See

 

Health Check

Monitor Site

“Web proxy forwarding server monitoring and health checking”.

 

Use the following CLI command to add a web proxy forwarding server named fwd-srv at address proxy.example.com and port 8080.

 

config web-proxy forward-server

 

edit fwd-srv

set addr-type fqdn

set fqdn proxy.example.com set port 8080

end

 

Web proxy forwarding server monitoring and health checking

By default, a FortiGate unit monitors web proxy forwarding server by forwarding a connection to the remote server every 10 seconds. If the remote server does not respond it is assumed to be down. Checking continues and when the server does send a response the server is assumed to be back up. If you configure health checking, every 10 seconds the FortiGate unit attempts to get a response from a web server by connecting through the remote forwarding server.

You can configure health checking for each remote server and specify a different website to check for each one. If the remote server is found to be down you can configure the FortiGate unit to block sessions until the server comes back up or to allow sessions to connect to their destination, bypassing the remote forwarding server. You cannot configure the FortiGate unit to fail over to another remote forwarding server.

Configure the server down action and enable health monitoring from the web-based manager by going to Network > Explicit Proxy, selecting a forwarding server, and changing the server down action and changing the health monitor settings.

Use the following CLI command to enable health checking for a web proxy forwarding server and set the server down option to bypass the forwarding server if it is down.

config web-proxy forward-server edit fwd-srv

set healthcheck enable

set monitor http://example.com set server-down-option pass

end

 

Grouping forwarding servers and load balancing traffic to them

You can add multiple web proxy forwarding servers to a forwarding server group and then add the server group to an explicit web proxy policy instead of adding a single server. Forwarding server groups are created from the FortiGate CLI but can be added to policies from the web-based manager (or from the CLI).

When you create a forwarding server group you can select a load balancing method to control how sessions are load balanced to the forwarding servers in the server group. Two load balancing methods are available:

  • Weighted load balancing sends more sessions to the servers with higher weights. You can configure the weight for each server when you add it to the group.
  • Least-session load balancing sends new sessions to the forwarding server that is processing the fewest sessions.

When you create a forwarding server group you can also enable affinity. Enable affinity to have requests from the same client processed by the same server. This can reduce delays caused by using multiple servers for a single multi-step client operation. Affinity takes precedence over load balancing.

You can also configure the behavior of the group if all of the servers in the group are down. You can select to block traffic or you can select to have the traffic pass through the FortiGate explicit proxy directly to its destination instead of being sent to one of the forwarding servers.

Use the following command to add a forwarding server group that users weighted load balancing to load balance traffic to three forwarding servers. Server weights are configured to send most traffic to server2. The group has affinity enabled and blocks traffic if all of the forward servers are down:

config web-proxy forward-server edit server_1

set ip 172.20.120.12 set port 8080

next

edit server_2

set ip 172.20.120.13 set port 8000

next

edit server_3

set ip 172.20.120.14 set port 8090

next end

config web-proxy forward-server-group edit New-fwd-group

set affinity enable set ldb-method weight

set group-down-option block config server-list

edit server_1 set weight 10

next

edit server_2 set weight 40

next

edit server_3 set weight 10

next

end

 

Adding proxy chaining to an explicit web proxy policy

You enable proxy chaining for web proxy sessions by adding a web proxy forwarding server or server group to an explicit web proxy policy. In a policy you can select one web proxy forwarding server or server group. All explicit web proxy traffic accepted by this security policy is forwarded to the specified web proxy forwarding server or server group.

 

To add an explicit web proxy forwarding server – web-based manager:

1. Go to Policy & Objects > Explicit Proxy Policy and select Create New.

2. Configure the policy:

 

Explicit Proxy Type                  Web

Source Address                        Internal_subnet

Outgoing Interface                   wan1

Destination Address                 all

Schedule                                    always

Action                                         ACCEPT

Web Proxy Forwarding

Server

Select, fwd-srv

3. Select OK to save the security policy.

 

To add an explicit web proxy forwarding server – CLI:

1. Use the following command to add a security policy that allows all users on the 10.31.101.0 subnet to use the explicit web proxy for connections through the wan1 interface to the Internet. The policy forwards web proxy sessions to a remote forwarding server named fwd-srv

config firewall explicit-proxy-policy edit 0

set proxy web

set dstintf wan1

set scraddr Internal_subnet set dstaddr all

set action accept set schedule always

set webproxy-forward-server fwd-srv end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.