Reverse Proxy Question

Author
jrpayne
2017/04/05 08:34:00 (permalink)
0

Reverse Proxy Question

First of all, let me say that I am not a reverse proxy expert, but I am trying to secure our network. Right now I use the VIP option for servers sitting in the DMZ. However, if possible I would like to move to a reverse proxy option and get rid of all VIP groups. I don't have any idea whether or not this is even feasible. Does anyone send their external requests to a reverse proxy before sending them inbound to the actual device? Any response will be greatly appreciated.
#1


    CBaezLe
    Re: Reverse Proxy Question 2017/04/05 20:38:27 (permalink)
    0
    Are you trying to RP with a Fortigate? 
    As far as I know, FortiWeb is the solution that you're looking for. See datasheet HERE
     
    Cheers.
    #2
    jrpayne
    Re: Reverse Proxy Question 2017/04/07 05:48:58 (permalink)
    0
    Yes, I knew that they had that product; however, from what I understand, the FortiGate itself is supposed to do reverse proxying as well. I was just trying to find someone that may have used it for that purpose before and how they did it. I really don't like having to open all the holes in the firewall so the outside IP is speaking directly to the machine inside or in the DMZ.
    #3
    CBaezLe
    Re: Reverse Proxy Question 2017/04/16 15:09:26 (permalink)
    0
    jrpayne
    Yes, I knew that they had that product; however, from what I understand, the FortiGate itself is supposed to do reverse proxying as well. I was just trying to find someone that may have used it for that purpose before and how they did it. I really don't like having to open all the holes in the firewall so the outside IP is speaking directly to the machine inside or in the DMZ.



    Oh, ok! So, did you find a way to RP with the Fortigate? I could really use the info.
     
    Thanks!
    #4
    Markus
    Re: Reverse Proxy Question 2017/04/18 00:49:58 (permalink)
    0
    Hi
    We do "RP" with Fortigate within the loadbalance function.
    config firewall vip
        edit "vs_https_owa"
            set type server-load-balance
            set extip xxx.xxx.xxx.xxx
            set extintf "wan1"
            set server-type ssl
            set monitor "https"
            set persistence ssl-session-id
            set extport 443
            config realservers
                edit 1
                    set ip xxx.xxx.xxx.xxx
                    set port 443
                next
            end
            set ssl-mode full
            set ssl-certificate "your ssl certificate"
            set ssl-dh-bits 2048
            set ssl-min-version tls-1.0
            set ssl-client-renegotiation secure
        next
    end
    #5
    nazz61
    Re: Reverse Proxy Question 2017/07/19 22:20:58 (permalink)
    0
    Hi Markus,
     
    Forgive me if this is a stupid question; I'm curious how you got this working and whether it would work in my scenario. We have a FortiGate 100D.
     
    I want to set up HTTPS access to multiple web servers and also an ADFS server that are sitting on my internal network.
    site1.domain.com
    Site2.domain.com
    Site3.domain.com
    ADFS.domain.com
     
    I have a wildcard public certificate for domain.com. Is there any way for the FortiGate to know where to send the traffic?
     
    Cheers
    Nathan
    #6
    Markus
    Re: Reverse Proxy Question 2017/09/12 23:42:30 (permalink)
    0
    Hi Nazz

    Sorry for the delay, was absent for a while.

    Yes, this should work in your scenario. In my opinion, the easy way is to create a load-balance VIP for every site. This should work with your wildcard cert as well, and you can decide which domain points to the corresponding web server.
     
    As far as I know, there is no way to redirect different URLs (with the same IP) to different servers.

    Hope it helps.

    Best,
    Markus
    #7
    emnoc
    Re: Reverse Proxy Question 2017/09/13 07:20:55 (permalink)
    5 (1)
    You need a real reverse proxy if you want host_header switching if you have one public_address. A Fortigate-RP is good for generic hosting but not the ideal candidate.

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
    #8
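
Added example, not part of any post in this thread: the host-header switching emnoc describes, shown for nazz61's hostnames on one public address. The choice of nginx as the reverse proxy, the backend addresses and the certificate paths are assumptions; none of them appear in the thread.

```nginx
# Name-based routing on a single public IP with one wildcard certificate.
# Hostnames are taken from the thread; backend IPs and file paths are
# constructed placeholders.

# Map the requested hostname to an internal backend; unknown names map to "".
map $host $backend {
    default            "";
    site1.domain.com   10.0.10.11:443;
    site2.domain.com   10.0.10.12:443;
    site3.domain.com   10.0.10.13:443;
    adfs.domain.com    10.0.10.20:443;
}

server {
    listen 443 ssl;
    server_name *.domain.com;

    ssl_certificate     /etc/nginx/tls/wildcard.domain.com.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.domain.com.key;
    # TLS 1.2 and later only, rather than a tls-1.0 minimum.
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Names covered by the wildcard but not listed above are refused,
        # so the proxy never forwards to a backend it was not told about.
        if ($backend = "") { return 421; }

        proxy_pass https://$backend;
        proxy_set_header Host $host;
        # Overwrite (not append) so a client-supplied value is not trusted.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Send SNI to the backend so it can select the matching site.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
    }
}

# Catch-all: requests for any other name are dropped without a response.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/wildcard.domain.com.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.domain.com.key;
    return 444;
}
```

With this in place the firewall needs a single inbound rule (public IP, port 443, to the proxy), and only the proxy is allowed to reach the backends.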