FortiGate
Article Id 193039

Description

This article describes how to configure FortiGate to act as an explicit web proxy.
FSSO, as passive authentication, is used to collect user logon events from Active Directory.

Related link:
Explicit proxy authentication

Scope

FortiGate.

Solution

The FortiGate acts as an Explicit Web Proxy granting Internet access to FSSO users. Settings displayed here are an example.
Fortinet Single Sign-On settings:
[screenshot of the FSSO settings not included in this extract]

  1. Enable Explicit Proxy.

 

From GUI:
Go to System -> Feature Visibility and enable Explicit Proxy.

From CLI:

config system settings
    set gui-explicit-proxy enable
end


  2. Enable Explicit Web Proxy.


From GUI:
Go to Network -> Explicit Proxy -> Enable Web Proxy. Select the interface on which to listen.

From CLI:

config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end


  3. Create an Authentication Scheme.

config authentication scheme
    edit "NewFSSO"
        set method fsso
    next
end

  4. Create an Authentication Rule.

config authentication rule
    edit "AuthRule"
        set srcaddr "WindowsAD" "WindowsCLIENT"          <----- the source addresses this rule matches
        set sso-auth-method "NewFSSO"
    next
end

  5. Create a Proxy Policy.

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "WindowsAD" "WindowsCLIENT"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set groups "FSSO_Group1"          <----- the FSSO user group from the Fortinet Single Sign-On settings above
    next
end


  6. Configure the Browser/System for Explicit Web Proxy.
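The article does not show how the clients are pointed at the proxy. One common way is a proxy auto-configuration (PAC) file, which is plain JavaScript evaluated by the browser. The PAC file below is an added example and is not part of the original article or Fortinet's own documentation. It assumes the FortiGate listens on 192.0.2.1 (a placeholder; use the address of the interface selected in step 2) on port 8080 (the http-incoming-port from step 2), and uses "corp.example" as a placeholder for the internal Active Directory domain whose hosts should be reached directly rather than through the proxy. It deliberately avoids the PAC helper functions (isInNet(), dnsDomainIs()) so that the same file can be unit-tested outside a browser.

```javascript
// Proxy auto-configuration (PAC) file sending web traffic to the FortiGate
// explicit web proxy. Added example, not from the original article.
// ASSUMPTIONS: 192.0.2.1 is a placeholder for the FortiGate listening
// interface; 8080 is the http-incoming-port from step 2; ".corp.example"
// is a placeholder for the internal AD domain.
var FORTIGATE_PROXY = "PROXY 192.0.2.1:8080";
var INTERNAL_DOMAIN = ".corp.example";

// True for RFC 1918 and loopback IPv4 addresses. Plain string parsing is
// used instead of the PAC helper isInNet() so the file runs in Node as well.
function isPrivateIPv4(host) {
  var parts = host.split(".");
  if (parts.length !== 4) return false;
  var o = [];
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return false;
    o.push(parseInt(parts[i], 10));
    if (o[i] > 255) return false;
  }
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    o[0] === 127;
}

// Internal destinations: localhost, single-label intranet names, hosts in
// the internal AD domain, and private addresses.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host === "localhost") return true;
  if (host.indexOf(".") === -1) return true;
  if (host === INTERNAL_DOMAIN.slice(1)) return true;
  if (host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return true;
  return isPrivateIPv4(host);
}

// Entry point the browser calls for every URL. Internal hosts go DIRECT;
// everything else goes through the FortiGate explicit proxy. No "; DIRECT"
// fallback is appended after the proxy on purpose: if the proxy were
// unreachable, a DIRECT fallback would let the browser bypass the FortiGate
// and the FSSO-based proxy policy entirely.
function FindProxyForURL(url, host) {
  if (isInternalHost(host)) {
    return "DIRECT";
  }
  return FORTIGATE_PROXY;
}
```

Host the file on an internal web server and point the browsers at its URL (browser proxy settings or a domain group policy). Because the Active Directory domain controllers are reached directly, the FSSO logon events are unaffected; only Internet-bound traffic traverses the proxy, which is where the authentication rule and proxy policy from steps 4 and 5 are applied.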
 
 
  7. Monitoring.

The following CLI command lists the authenticated users together with the g_id and pol_id fields:

diag firewall auth list

Note that g_id and pol_id are dynamic in this view and can change if other policies with different address objects are hit.

The CLI output gives a clear picture; the same information is also shown in the GUI under the Monitoring widget (6.4 and later) or the Monitoring section (6.2 and lower).


 

Related article:

Technical Tip: FSSO advanced mode with explicit proxy