Wednesday, August 2, 2017

Turn Around Explicit Proxy on the public_internet

While working outside of the USA, I've run into problems accessing various internet sites that were being blocked based on geoip filtering. So I finally put together a setup that works by using a USA-based FortiGate as an explicit proxy.

In the past I've used the simple polipo and squid proxies, which work great but require slightly more configuration effort from the end user. The FortiGate has a simple proxy function that can easily be deployed with or without authentication.

In this post, I will show you how to use a FortiGate sitting at a remote location as an explicit proxy. Doing this will allow you to get around any geoip filter that might block access based on the country of the end user's web client.

Take this topology, where various web clients are actually off the local corporate network.

Here, the wan1 public address will be enabled for explicit proxy. We will use authentication via LDAP for the actual users.

1st (enable explicit proxy and set up a profile)

NOTE: the realm "SOCPUPPETS_PROXY_EXP" will be presented in the web browser's authentication input box.


Now we only need a policy with a configured identity policy. Here we have a user kfelix (authenticated locally) and a group named "PROXYUSERS" whose members are authenticated by LDAP. You could even use RADIUS.

Lastly, you can use any of the whatismybrowser-style websites to inspect the Via headers after configuring your web client.

If you don't want the default FQDN line, just set the proxy-fqdn string in the explicit proxy global settings:

config web-proxy global
    set proxy-fqdn ""
end
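As an added example (not code from the original post), here is a small Python check of what the web client sees from an explicit proxy: the 407 challenge carrying the realm, and the Via header a proxy stamps on relayed responses, which is what the whatismybrowser-style sites display to the destination and why you may want the proxy-fqdn string cleared. The two HTTP responses are constructed samples and the proxy hostname is a placeholder; only the realm name comes from the post.

```python
"""Inspect what a web client sees from an explicit proxy: the 407 challenge
(with its realm) and the Via header the proxy stamps on relayed responses.
Added example; the HTTP responses below are constructed samples."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the challenge an authenticating explicit proxy returns
# before the user logs in. The realm is the one used in the post.
CHALLENGE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Basic realm="SOCPUPPETS_PROXY_EXP"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: a page relayed through the proxy while proxy-fqdn is
# still set, so the Via header names the proxy. The hostname is a placeholder.
RELAYED_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Via: 1.1 proxy.example.invalid\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a
    lower-cased header map (the body is ignored)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def proxy_realm(raw: bytes) -> Optional[str]:
    """Return the Basic realm from a 407 challenge, or None if the
    response is not a Basic proxy-auth challenge."""
    status, headers = parse_response(raw)
    if " 407 " not in status:
        return None
    challenge = headers.get("proxy-authenticate", "")
    if not challenge.lower().startswith("basic"):
        return None
    match = re.search(r'realm="([^"]*)"', challenge)
    return match.group(1) if match else None


def via_hops(raw: bytes) -> List[str]:
    """Return the proxy hops listed in the Via header (empty if none),
    i.e. what a 'what is my browser' site can see about the path."""
    _status, headers = parse_response(raw)
    via = headers.get("via")
    if not via:
        return []
    return [hop.strip() for hop in via.split(",")]


def proxy_authorization(user: str, password: str) -> str:
    """Build the header a browser sends back for a Basic challenge.
    Base64 is encoding, not encryption: over plain HTTP the proxy
    credentials are readable on the wire between client and proxy."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Proxy-Authorization: Basic {token}"


if __name__ == "__main__":
    print("realm:", proxy_realm(CHALLENGE_407))
    print("via hops:", via_hops(RELAYED_200))
    print(proxy_authorization("kfelix", "example-password"))
```

Two things worth keeping in mind when you run this against a real proxy: an empty `via_hops()` result after clearing proxy-fqdn should be confirmed on an actual relayed response, since behaviour varies by firmware, and because the proxy listens on a public wan1 address with Basic authentication, the `Proxy-Authorization` value is only base64 and should be treated as cleartext on the path to the FortiGate.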


In the explicit policy, if you set the src_address to a specific address (or addresses) and someone outside that range tries to access the proxy, they will receive a similar reject message.

The above is a solid method for securing explicit proxy access. You can even chain a forward proxy if you have existing proxies that are blocked based on geoip lookups.

Enjoy ;)

Ken   Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \
