In the past I've used the simple polipo and squid proxies, which work great but require slightly more configuration effort from the end user. The FortiGate has a simple proxy function that can easily be deployed with or without authentication.
In this post, I will show you how to use a FortiGate sitting at a remote location as an explicit proxy. Doing this will let you get around any geoip filter that would otherwise block access based on the country of the end user's web client.
Take this topology where various web clients are actually off the local corporate network.
Here, the wan1 public address will be enabled for explicit proxy. We will use authentication via LDAP for the actual users.
1st ( enable explicit proxy and set up a profile )
NOTE: the realm "SOCPUPPETS_PROXY_EXP" will be presented in the web-browser authentication input box.
Now we only need a policy with a configured identity policy. Here we have a user kfelix (authenticated locally) and a group named "PROXYUSERS" whose members are authenticated by LDAP. You could even use RADIUS.
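The whole setup described in the steps above, consolidated into one CLI script, as an added example that is not from the original post. It assumes the FortiOS 5.4-era "explicit-proxy-policy" table (the policy table name and a few keywords differ on other releases), and the LDAP server address, bind DN, passwords and the "REMOTE_CLIENTS" subnet are placeholders or constructed values that you would replace with your own.

```fortios
# Enable the explicit web proxy on port 8080 and set the realm shown in the
# browser's authentication prompt. sec-default-action deny means a request
# that matches no explicit proxy policy is rejected instead of forwarded.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set realm "SOCPUPPETS_PROXY_EXP"
    set sec-default-action deny
end

# Replace the default FQDN advertised in proxy messages / Via headers.
config web-proxy global
    set proxy-fqdn "socpuppets_proxy.socpuppets.com"
end

# LDAP server used to authenticate the PROXYUSERS group.
# 203.0.113.10, the bind DN and the password are placeholders.
config user ldap
    edit "LDAP_SRV"
        set server "203.0.113.10"
        set cnid "sAMAccountName"
        set dn "dc=socpuppets,dc=com"
        set type regular
        set username "cn=proxybind,cn=Users,dc=socpuppets,dc=com"
        set password "CHANGE_ME"
    next
end

# Local user kfelix (authenticated on the FortiGate itself).
config user local
    edit "kfelix"
        set type password
        set passwd "CHANGE_ME"
    next
end

# Group whose members are looked up on the LDAP server.
config user group
    edit "PROXYUSERS"
        set member "LDAP_SRV"
    next
end

# Optional: restrict which client addresses may even try to authenticate.
# 203.0.113.0/24 is a constructed example range; use "all" for srcaddr below
# if you want any source to reach the authentication prompt.
config firewall address
    edit "REMOTE_CLIENTS"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Explicit proxy policy: only kfelix or members of PROXYUSERS may use the
# proxy, and only from REMOTE_CLIENTS. Anyone else gets the reject page.
config firewall explicit-proxy-policy
    edit 1
        set proxy web
        set dstintf "wan1"
        set srcaddr "REMOTE_CLIENTS"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set users "kfelix"
        set groups "PROXYUSERS"
        set logtraffic all
    next
end
```

After pasting this, point a browser at the wan1 address on port 8080; the first request should produce the realm prompt, and "diagnose wad user list" (on releases that have it) or the traffic log will show who authenticated.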
Lastly, after configuring your web client, you can use any of the whatismybrowser-style header-echo websites to inspect the Via headers.
If you don't want the default FQDN in that line, just set the proxy FQDN in the web-proxy global settings:
config web-proxy global
set proxy-fqdn "socpuppets_proxy.socpuppets.com"
end
In the explicit policy, if you set the src_address to a specific address or range and someone outside that range tries to access the proxy, they will receive a similar reject message.
The above is a solid method for securing explicit proxy access. You can even chain forward proxies if you have existing proxies that are blocked by geoip lookups.
Enjoy ;)
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \