Reverse Proxy - HTTPS to HTTPS

Author
orani
Silver Member
  • Total Posts : 92
  • Scores: 1
  • Reward points: 0
  • Joined: 2019/07/11 12:54:18
  • Location: Athens
  • Status: offline
2019/07/11 14:14:09 (permalink)
0

Reverse Proxy - HTTPS to HTTPS

I am trying to use the load balancing module as a reverse proxy.
 
My goal is to protect the OWA of my Exchange.
 
So. When I create a virtual server for HTTP (any port) from my external IP to any internal web server using HTTP (real server) and also create the necessary IPv4 policy, it works fine.
 
But when I try to create a virtual server for HTTPS (any port) or HTTP (any port) from my external IP to my Exchange server using HTTPS (real server) and also create the necessary IPv4 policy, it doesn't work.
 
When trying from a browser the URL https://mypublicip or https://mypublicip:port, I get the certificate warning of the browser, and when I hit continue I receive an error for an empty response; when I try http://mypublicip or http://mypublicip:port I get connection refused or connection timed out in my browser.
 
Ideally I would like to configure the HTTPS to HTTPS scenario. I am a little bit confused about the certificates I have to use.
 
When Microsoft Exchange Server is installed, a self-signed certificate is created. Is this the certificate I have to use on the firewall also? (export from the Exchange server and import to the firewall??)
 
Any ideas...???
#1


    hubertzw
    Gold Member
    • Total Posts : 192
    • Scores: 5
    • Reward points: 0
    • Joined: 2018/04/16 13:29:04
    • Status: offline
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/11 23:28:04 (permalink)
    0
    I see you do SSL full inspection with the Fortinet CA. There are a few options depending on what you try to achieve:
    1) stop SSL full inspection for this flow
    2) install the Fortinet CA on all computers
    3) change the Fortinet CA to your CA if you have a local certificate authority
    #2
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 01:24:32 (permalink)
    hubertzw
        I see you do SSL full inspection with the Fortinet CA. There are a few options depending on what you try to achieve:
        1) stop SSL full inspection for this flow
        2) install the Fortinet CA on all computers
        3) change the Fortinet CA to your CA if you have a local certificate authority

    1. At the IPv4 policy I either have no SSL inspection or a profile with the Fortinet CA cert and SSL cert inspection, and at the virtual server conf I have either full offloading or client<-->fgt; I get the same result.
    2. It is impossible to install the certificate on all computers because our mail users use the OWA from their homes also, so it is very difficult to install the cert there. But even when I tried on my laptop I couldn't access the server. Same response.
    3. I don't have any other certificate except the self-signed cert of the Microsoft Exchange server.
    #3
    hubertzw
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 02:11:43 (permalink)
    When your policy doesn't have any SSL inspection and you see in the logs that you are matching that one, you can't see the Fortinet CA certificate. Something must be wrong. Can you verify it?
     
    What is your NAT mode? Policy or central NAT?
     
    Just in case: for the incoming traffic there is a different SSL profile required - protect server (or something similar, not 'multiple clients to multiple servers').
     
    #4
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 02:45:51 (permalink)
    I use policy NAT. Trying to find logs for the specific policy, I find this:
     
    General
        Date: 2019/07/12
        Time: 12:27:49
        Duration: 120s
        Session ID: 8003441
        Virtual Domain: root
        NAT Translation: Source & Destination
    Source
        IP: my home public ip
        NAT IP: 192.168.1.251 (firewall ip - internal interface)
        Source Port: 51562
        Country/Region: Greece
        Source Interface: VDSL 50 Mbps - Secondary (wan2)
        User:
    Destination
        IP: my public ip
        NAT IP: 192.168.1.241
        Port: 443
        Country/Region: Greece
        Destination Interface: Internal (port1)
    Application Control
        Application Name:
        Category: unscanned
        Risk: undefined
        Protocol: 6
        Service: HTTPS
    Data
        Received Bytes: 596 B
        Received Packets: 7
        Sent Bytes: 513 B
        Sent Packets: 6
    Action
        Action: Accept: session close
        Policy: test rp (73)
        Policy UUID: 3fd56bc2-a2f7-51e9-6327-3e357d61a979
        Policy Type: policy
    Security
        Level:
    Cellular
        Service: HTTPS
    Other
        Sub Type: forward
        Log event original timestamp: 1562923669
        Source Interface Role: wan
        Destination Interface Role: undefined
     
    I see that the traffic is accepted by the firewall but I get a "session close".
     
    I don't have any protect server profile.
     
    Seeing the logs, I understand that the traffic is passing the firewall, but why do I receive a session close?


    #5
    hubertzw
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 03:32:42 (permalink)
    Can you confirm the policy ID from the log is the policy you attached?
    When you see the certificate warning, what is in the section 'issued by'?
    BTW, for the incoming traffic, in most cases, there is no reason to do NAT.
    #6
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 03:57:55 (permalink)
    Yes, policy 73 is the policy I made for this traffic.
     
    Issued by FG200E4Q17904532. Same also when receiving the empty response message.
     
    I also tried without NAT, but the result was the same.
    #7
    Dave Hall
    Expert Member
    • Total Posts : 1477
    • Scores: 163
    • Reward points: 0
    • Joined: 2012/05/11 07:55:58
    • Location: Canada
    • Status: offline
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 07:29:57 (permalink)
    Have the admin connection ports for the fgt itself been adjusted?
     
    Something like:
     
        config system global
            set port-http 8080
            set port-https 8443
        end


    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #8
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 08:00:36 (permalink)
    No. I have the default 80/443. But I tried to change the HTTPS port to 1443 and am still getting the same error. I also tried to change the incoming port of the virtual server, with the same result.
     
    Here let me mention that the public IP is not an interface IP but an IP from a range of 16 static IPs I got from my ISP.
    #9
    Dave Hall
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 08:21:07 (permalink)
    orani
        Here let me mention that the public IP is not an interface IP but an IP from a range of 16 static IPs I got from my ISP.

    Perhaps a one-to-one IP pool needs to be set up for the reverse direction from the server (private IP) going out.
    post edited by Dave Hall - 2019/07/12 09:06:15

    #10
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 10:22:00 (permalink)
    Ok. I made the IP pool and imported the pool into the policy NAT as shown below, but I am still getting the same result.


    #11
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 10:34:51 (permalink)
    Sorry, my mistake.
     
    I made the reverse and did the NAT as shown...
    #12
    Dave Hall
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 10:49:12 (permalink)
    From what I can tell, you basically have a server behind the fgt that has a public IP that is separate from the fgt's own IP. So you likely need to set up:
     
    1. A VIP (port forward) from the external IP to the private server IP
    2. A firewall policy for the above
     
    3. An address object for the private server IP
    4. A one-to-one IP pool for the external IP
    5. A firewall policy for the private server IP going out using the one-to-one IP pool.
    #13
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 10:58:00 (permalink)
    You are right. This is the scenario I use now, except that I don't use a one-to-one IP pool but overload, and it works perfectly for me. But I don't want to distribute the mail server to the internet for OWA access, so I need a reverse proxy for this. So I thought to use the fgt's load balancing feature.
     
    This is why I am trying this.
    #14
    hubertzw
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 12:57:32 (permalink)
    What Dave said is: for outgoing traffic you can use a pool or NAT with overload. For incoming traffic you don't need any NAT. Of course it isn't relevant to the error you see, just off topic.
     
    Regarding the error you have: can you explain how you test it? The object 'test_exchange' doesn't look like a VIP object. Can you run the following diag commands during the test?
     
    diag debug flow filter addr YOUR-SOURCE-IP
    diag debug flow show console enable
    diag debug flow show function-name enable
    diag debug flow trace start 200
    diag debug enable
    #15
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 13:44:23 (permalink)
    About how I am testing it: I try from outside of my company network (i.e. my home network) to access the URL https://mycompanypublicip
     
    The object "test exchange" is not a VIP object but a virtual server object.
     
    This is a simplified image of my example.
    What I want is for internet users to have access to the mail server (OWA).
    My running config is exactly what Dave said and it is working. But in this scenario I am distributing the web/mail server to the internet.
     
    My goal is to create a reverse proxy at the FortiGate to avoid the above situation.
    So I have done some things:
    1. created a health check
    2. created a virtual SERVER (not VIP) with
        a. Type = HTTPS
        b. Interface = WAN interface
        c. Virtual server IP = 1 IP from the range of the 16
        d. Virtual server port = 443
        e. LB Method = static
        f. Persistence = none
        g. SSL offloading = tried both
        h. Real Servers = 192.168.1.241 port 443 (my Exchange server)
    3. created an IPv4 policy as shown in previous posts with destination address the virtual server object.
     
    That's all I have done.
    I don't know if I am missing something.
    Is this the right procedure?
     
    PS: I am not good with debug commands.


    #16
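    As an added example (not the poster's running configuration and not Fortinet's documentation), this is the FortiOS CLI shape of the virtual server listed in steps 1-3 above: a VIP of type server-load-balance, its health monitor, and the inbound policy that uses it as destination. The object names, the interface names wan2/port1 (taken from the log fields earlier in the thread), the certificate name and the public IP 203.0.113.10 are assumptions or placeholders; 192.168.1.241:443 is the real server from the post.

```fortios
# Added example, not the poster's config. Names in quotes, wan2/port1 and
# 203.0.113.10 (placeholder for "1 IP from the range of the 16") are assumed.
config firewall ldb-monitor
    edit "owa-https-monitor"
        set type https
        set port 443
    next
end
config firewall vip
    edit "test_exchange"
        set type server-load-balance
        set server-type https
        set extintf "wan2"
        set extip 203.0.113.10
        set extport 443
        set ldb-method static
        set persistence none
        # half = TLS ends on the FortiGate, plain HTTP to the real server;
        # full = re-encrypted to the real server. A backend that only speaks
        # TLS on 443 needs full, otherwise it answers the cleartext with nothing.
        set ssl-mode full
        # Certificate shown to browsers. The factory cert (issued by the unit's
        # serial, as seen in this thread) triggers the warning; import a cert
        # for the public OWA hostname and reference it here (assumed name).
        set ssl-certificate "owa-public-cert"
        set monitor "owa-https-monitor"
        config realservers
            edit 1
                set ip 192.168.1.241
                set port 443
            next
        end
    next
end
# Inbound policy: destination is the virtual server object, no NAT needed.
config firewall policy
    edit 0
        set name "test rp"
        set srcintf "wan2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test_exchange"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

    Two checks worth doing before testing from outside: that the virtual server's extip is not also an interface IP that still has HTTPS admin access on 443, and that the real server actually completes a TLS handshake on 192.168.1.241:443 when ssl-mode is full.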
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 13:53:46 (permalink)
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server
     
    This is what I tried, but with HTTPS/443 and not 8080 and HTTP.
    #17
    hubertzw
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 15:02:55 (permalink)
    Do you have more than one Exchange server? I'm trying to understand why you need load balancing.
     
    In the example you sent, you need the VIP object as a destination. I don't think you set the VIP as a destination in the firewall policy. Maybe you could share your config (without sensitive information), as it could help us to understand your scenario.
     
    #18
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/12 15:19:06 (permalink)
    No, I have only one Exchange server. I don't need load balancing. I need the load balancing feature to use it as a reverse proxy.
     
    As for the example, I know that I didn't use any VIP object. Using a VIP object works fine. But I would like to use the virtual server object for reverse proxying, as I mentioned before.
     
    Is this possible?
    #19
    orani
    Re: Reverse Proxy - HTTPS to HTTPS 2019/07/14 07:40:28 (permalink)
    ?????
    #20