Administration Guide

Proxy chaining

For explicit web proxy, you can configure proxy chaining by setting up a series of forwarding servers to redirect HTTP/HTTPS, FTP, and SOCKS proxy sessions from the FortiProxy unit to a remote network or other proxy servers on your network, including a remote FortiProxy unit with explicit proxy enabled. You can use proxy chaining to integrate the FortiProxy explicit proxy with a proxy solution that you already have in place.

You can deploy the explicit proxy with proxy chaining in an enterprise environment consisting of small satellite offices and a main office. If each office has a FortiProxy unit, users at each of the satellite offices can use their local FortiProxy unit as an explicit proxy server. The satellite office FortiProxy units can forward explicit proxy sessions to an explicit proxy server at the central office. From here the sessions can connect to web servers on the Internet.

Note: FortiProxy proxy chaining does not support proxies in the proxy chain authenticating each other. Because the upstream proxy cannot verify the identity of the downstream FortiProxy unit, restrict the upstream proxy so that it accepts forwarded sessions only from the downstream proxy's addresses.

To configure proxy chaining:
  1. Make sure explicit proxy is enabled:

    • GUI—Navigate to the System > Feature Visibility page and check the Explicit Proxy option in the Core Features column.

    • CLI—Enable the set explicit-web-proxy option in the config system interface command.

  2. If you do not have an explicit proxy already, configure one and make sure it is enabled:
  3. Create a Forwarding Server:
  4. Repeat step 3 for each additional forwarding server you want to add to the proxy chain. Make sure you configure the forwarding servers in sequence so that each one acts as the destination of the previous server and source of the next server.
  5. (Optional) Use the config web-proxy forward-server-group command to create a forwarding server group to host all the forwarding servers you just created. Doing so saves some management overhead, especially in case of a large number of forwarding servers. Refer to Grouping forwarding servers and load balancing traffic to the servers for more details.
  6. Configure an explicit policy and add the forwarding servers or forwarding server group to the policy:

    All explicit proxy traffic accepted by this policy is then forwarded to the specified forwarding server or server group. For example, the following configuration adds a policy that allows all users on the 10.31.101.0 subnet (the Internal_subnet address object) to use the explicit proxy for connections through the wan1 interface to the Internet. The policy forwards proxy sessions to a remote forwarding server named fwd-srv.

    config firewall policy
    	edit 0
    		set type explicit-web
    		set dstintf "wan1"
    		set srcaddr "Internal_subnet"
    		set dstaddr "all"
    		set service "webproxy"
    		set action accept
    		set schedule "always"
    		set webproxy-forward-server "fwd-srv"
    	next
    end
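
The following is a complete CLI configuration for the satellite-office unit in the procedure above. It is an added example, not configuration taken from this guide. It assumes port1 is the LAN-facing interface, wan1 faces the central office, two central-office proxies listen at 192.0.2.10 and 192.0.2.11 on port 3128, and clients sit on 10.31.101.0/24; the names fwd-srv-1, fwd-srv-2 and fwd-grp are chosen for illustration. It includes the forward-server entries that step 3 refers to, the optional group from step 5, and the health-check and down-option settings so that a dead upstream proxy fails closed instead of letting sessions bypass the chain.

```text
# Added example: satellite-office FortiProxy configuration for proxy chaining.
# Assumptions (not from the guide): port1 = LAN side, wan1 = towards the
# central office, upstream proxies 192.0.2.10 and 192.0.2.11 on port 3128,
# clients on 10.31.101.0/24.

# Step 1: enable the explicit web proxy and bind it to the LAN interface.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set https-incoming-port 8080
end
config system interface
    edit "port1"
        set explicit-web-proxy enable
    next
end

# Steps 3 and 4: one forward-server entry per upstream proxy.
# healthcheck/monitor let the unit detect a dead upstream; server-down-option
# block fails closed rather than sending the session directly to the Internet.
config web-proxy forward-server
    edit "fwd-srv-1"
        set addr-type ip
        set ip 192.0.2.10
        set port 3128
        set healthcheck enable
        set monitor "http://www.google.com"
        set server-down-option block
    next
    edit "fwd-srv-2"
        set addr-type ip
        set ip 192.0.2.11
        set port 3128
        set healthcheck enable
        set monitor "http://www.google.com"
        set server-down-option block
    next
end

# Step 5 (optional): group the servers and load-balance between them.
# affinity keeps a client's sessions on the same upstream; group-down-option
# block refuses traffic when every member is down.
config web-proxy forward-server-group
    edit "fwd-grp"
        set ldb-method weighted
        set affinity enable
        set group-down-option block
        config server-list
            edit "fwd-srv-1"
                set weight 20
            next
            edit "fwd-srv-2"
                set weight 10
            next
        end
    next
end

# Address object referenced by the explicit policy.
config firewall address
    edit "Internal_subnet"
        set subnet 10.31.101.0 255.255.255.0
    next
end

# Step 6: explicit policy that hands every accepted session to the group.
config firewall policy
    edit 0
        set type explicit-web
        set dstintf "wan1"
        set srcaddr "Internal_subnet"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set webproxy-forward-server "fwd-grp"
    next
end
```

The two forward-server entries here are parallel upstreams for one hop; a serial chain is built by giving each hop its own forward-server entry that points at the next hop (for example, the central-office unit pointing at the Squid server in the TLS 1.3 example below). To verify the chain from a client, run curl -x http://<port1-address>:8080 -v https://example.com and confirm the CONNECT appears in the central-office proxy's access log rather than leaving wan1 directly; then stop the upstream proxies and confirm the client receives an error instead of a direct connection, which shows the block options are in effect.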

Example: Using TLS 1.3 with chaining proxy forwarding servers

The following example involves a proxy chain consisting of a Squid server and a FortiProxy unit, both of which can handle TLS 1.3 traffic.

The following output from the Squid server demonstrates that the FortiProxy unit forwards the TLS 1.3 HelloRetryRequest back to the client PC instead of failing the handshake. The client PC then sends its ClientHello again, and the connection is successfully established.
