FortiGate
gfranceschi
Staff
Article Id 189657

Purpose
This article describes how to configure a web browser to send its traffic to a proxy server that is reached through an SSL VPN tunnel.
Scope
FortiGate or VDOM in NAT mode
Diagram
PC Client (Public IP) <==> (Public IP) FortiGate (Internal IP) <--> Proxy Server  <--> Router
192.168.182.128             172.31.224.196       10.168.0.196       10.168.0.97:3128

Expectations, Requirements

  • Establish an SSL VPN tunnel to the FortiGate.
  • Configure the web browser of the PC to send the traffic to a proxy server.
  • PC traffic is carried to the proxy server through the SSL VPN tunnel.


Configuration

PC configuration

1. If using 'Internet Explorer'

Tools > Internet Options > Connections
-  Under 'Choose Settings if you need to configure a proxy server for a connection', select 'Never dial a connection'
-  Under 'Dial-up and Virtual Private Network settings', select the 'fortissl' entry and click 'Settings'
   Proxy server: tick 'Use a proxy server for this connection'
   Address = 10.168.0.97 (proxy server)
   Port = 3128
-  Click 'Advanced' and add an exception under 'Do not use proxy server for addresses beginning with:'
   172.31.224.196 (IP address of the FortiGate to which the SSL VPN tunnel is established; without this exception the browser would try to reach the VPN gateway itself through the proxy)
-  LAN settings: not used; the proxy behind the FortiGate is reached through the 'fortissl' connection, not through the LAN connection
 
2. If using 'Mozilla Firefox'

Tools > Options > Advanced > Network > Connection Settings > Configure Proxies to Access the Internet
-  Select 'Manual proxy configuration':
   HTTP Proxy = 10.168.0.97
   Port = 3128
   No Proxy for: localhost, 127.0.0.1, 172.31.224.196 (IP address of the FortiGate to which the SSL VPN tunnel is established)

3. Open the SSL VPN tunnel at https://172.31.224.196:10443 and authenticate with the SSL VPN user ('fortinet')
   Once the tunnel is up, the PC's default gateway is 10.0.0.1 (IP address of the tunnel interface)
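The same browser rules can be delivered as a PAC (proxy auto-config) file instead of being set by hand in each browser. The following is an added example, not part of the original article: it sends everything to the proxy 10.168.0.97:3128 except the bypass hosts the article lists (localhost, 127.0.0.1 and the SSL VPN gateway 172.31.224.196), using the "address beginning with" prefix semantics of the Internet Explorer exception box.

```javascript
// Added example (not from the article): PAC file equivalent of the manual
// browser proxy settings above. The proxy 10.168.0.97:3128 is assumed to be
// reachable only once the SSL VPN tunnel to 172.31.224.196 is up.
// Browser-provided PAC helpers (isInNet, shExpMatch, ...) are deliberately
// not used so the file also runs unchanged under Node for testing.

var PROXY_SERVER = "PROXY 10.168.0.97:3128";

// Bypass list. A trailing '*' gives the entry the same "addresses beginning
// with" (prefix) meaning as the Internet Explorer exception box; entries
// without '*' must match the host exactly.
var BYPASS = ["localhost", "127.0.0.1", "172.31.224.196*"];

// Returns true when host matches one bypass pattern (exact or prefix).
function matchesBypass(host, pattern) {
  if (pattern.charAt(pattern.length - 1) === "*") {
    var prefix = pattern.slice(0, -1);
    // Prefix match, exactly as IE treats it (so 172.31.224.1961 would
    // also match; tighten the entry if that matters in your network).
    return host.indexOf(prefix) === 0;
  }
  return host === pattern;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();
  // The SSL VPN gateway itself must never be proxied: the tunnel to it is
  // what makes the proxy reachable, so proxying it would break tunnel setup.
  for (var i = 0; i < BYPASS.length; i++) {
    if (matchesBypass(h, BYPASS[i])) {
      return "DIRECT";
    }
  }
  // No "; DIRECT" fallback on purpose: if the tunnel is down the request
  // fails instead of silently leaving the PC without the proxy.
  return PROXY_SERVER;
}
```

Point the browser's automatic configuration URL at this file (or serve it from an internal web server) and the exceptions no longer have to be maintained per browser.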


FortiGate configuration (standard SSL VPN configuration)

Policy 1 accepts SSL VPN connections arriving on wan1 for members of the 'grp-sll' group; policy 2 allows traffic from the tunnel interface ssl.root to the proxy server's network ('vlan168'), with NAT enabled.

config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set nat enable
        config identity-based-policy
            edit 1
                set groups "grp-sll"
                set schedule "always"
                set service "ANY"
            next
        end
    next
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vlan168"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

Static route 2 returns traffic for the tunnel address range 10.0.0.0/24 to the ssl.root interface.

config router static
    edit 1
        set device "wan1"
        set gateway 172.31.225.254
    next
    edit 2
        set device "ssl.root"
        set dst 10.0.0.0 255.255.255.0
    next
end

config user group
    edit "grp-sll"
        set group-type sslvpn
        set member "fortinet"
        set sslvpn-portal "full-access"
    next
end

config vpn ssl settings
    set sslvpn-enable enable
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end