orani
Contributor II

Reverse Proxy - HTTPS to HTTPS

I'm trying to use the load balancing module as a reverse proxy.

 

My goal is to protect the OWA of my exchange.

 

So, when I create a virtual server for HTTP (any port) from my external IP to any internal web server using HTTP (real server), and also create the necessary IPv4 policy, it works fine.

 

But when I try to create a virtual server for HTTPS (any port) or HTTP (any port) from my external IP to my Exchange server using HTTPS (real server), and also create the necessary IPv4 policy, it doesn't work.

 

When I try the URL https://mypublicip or https://mypublicip:port from a browser, I get the browser's certificate warning, and when I hit continue I receive an "empty response" error. When I try http://mypublicip or http://mypublicip:port, I get "connection refused" or "connection timed out" in my browser.

 

Ideally I would like to configure the HTTPS-to-HTTPS scenario. I am a little bit confused about the certificates I have to use.

 

When Microsoft Exchange Server is installed, a self-signed certificate is created. Is this the certificate I have to use on the firewall as well (export it from the Exchange server and import it into the firewall)?

 

Any ideas?

Orestis Nikolaidis

Network Engineer/IT Administrator

23 replies
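An added configuration example, not part of the original thread, showing the HTTPS-to-HTTPS (full SSL offloading) virtual server the poster is describing, written as FortiOS CLI (the same objects the GUI's Virtual Server page creates). The interface names (wan2, port1), the real server 192.168.1.241 and the policy ID 73 come from the thread; the public IP 203.0.113.10, the VIP name "owa-vip" and the certificate name "owa-cert" are assumptions. With ssl-mode full the FortiGate terminates the client's TLS session using the certificate named in ssl-certificate and then opens its own TLS session to the real server, so the certificate browsers see is the one installed on the FortiGate, not the Exchange self-signed one; the Exchange certificate is only involved on the FortiGate-to-Exchange leg. If ssl-certificate is left at its default, clients are shown the FortiGate's own certificate.

```fortios
# Added example, not from the thread. Assumed values: public IP 203.0.113.10,
# VIP name "owa-vip", certificate "owa-cert" (the public OWA name's certificate,
# imported under System > Certificates before this is applied).
config firewall vip
    edit "owa-vip"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan2"
        set server-type https
        set extport 443
        # full: TLS between client and FGT, and a second TLS session FGT to server
        set ssl-mode full
        set ssl-certificate "owa-cert"
        config realservers
            edit 1
                set ip 192.168.1.241
                set port 443
                set status active
            next
        end
    next
end

# Policy matching the VIP. No SSL inspection profile is applied, and NAT is left
# disabled: the VIP already translates the destination, and the session table
# reverses the translation for the replies.
config firewall policy
    edit 73
        set name "test rp"
        set srcintf "wan2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "owa-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

To check which certificate the FortiGate is actually presenting on the public side, run from outside: openssl s_client -connect 203.0.113.10:443 -servername owa.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer (hostname assumed). If the subject or issuer is the FortiGate's serial number rather than the OWA name, the VIP is still using the default certificate.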
hubertzw
Contributor III

I see you do SSL full inspection with the Fortinet CA. There are a few options, depending on what you are trying to achieve:

1) stop SSL full inspection for this flow

2) install Fortinet CA on all computers

3) change Fortinet CA to your CA if you have local certificate authority

orani
Contributor II

hubertzw wrote:

I see you do SSL full inspection with the Fortinet CA. There are a few options, depending on what you are trying to achieve:

1) stop SSL full inspection for this flow

2) install Fortinet CA on all computers

3) change Fortinet CA to your CA if you have local certificate authority

1. On the IPv4 policy I either have no SSL inspection, or a profile with the Fortinet CA certificate and SSL certificate inspection; on the virtual server I either have full offloading or client<-->FGT. I get the same result either way.

2. It is impossible to install the certificate on all computers, because our mail users also use OWA from their homes, so it is very difficult to install the certificate there. But even when I tried on my laptop, I couldn't access the server. Same response.

3. I don't have any other certificate apart from the self-signed certificate of the Microsoft Exchange server.

Orestis Nikolaidis

Network Engineer/IT Administrator

hubertzw
Contributor III

When your policy doesn't have any SSL inspection and you see in the logs that you are matching that one, you can't be seeing the Fortinet CA certificate. Something must be wrong. Can you verify it?

 

What is your NAT mode? Policy or central NAT?

 

Just in case: for incoming traffic a different SSL profile is required, "protect server" (or something similar), not "multiple clients to multiple servers".

 

orani

I use policy NAT. Looking for logs for the specific policy, I find this:

 

General
Date: 2019/07/12
Time: 12:27:49
Duration: 120s
Session ID: 8003441
Virtual Domain: root
NAT Translation: Source & Destination

Source
IP: my home public ip
NAT IP: 192.168.1.251 (firewall ip - internal interface)
Source Port: 51562
Country/Region: Greece
Source Interface: VDSL 50 Mbps - Secondary (wan2)
User: (blank)

Destination
IP: my public ip
NAT IP: 192.168.1.241
Port: 443
Country/Region: Greece
Destination Interface: Internal (port1)

Application Control
Application Name: (blank)
Category: unscanned
Risk: undefined
Protocol: 6
Service: HTTPS

Data
Received Bytes: 596 B
Received Packets: 7
Sent Bytes: 513 B
Sent Packets: 6

Action
Action: Accept: session close
Policy: test rp (73)
Policy UUID: 3fd56bc2-a2f7-51e9-6327-3e357d61a979
Policy Type: policy

Security
Level: (blank)

Cellular
Service: HTTPS

Other
Sub Type: forward
Log event original timestamp: 1562923669
Source Interface Role: wan
Destination Interface Role: undefined

 

 

I see that the traffic is accepted by the firewall, but I get a "session close".

 

I don't have any "protect server" profile.

 

From the logs I understand that the traffic is passing the firewall, but why do I receive a session close?

Orestis Nikolaidis

Network Engineer/IT Administrator

hubertzw
Contributor III

Can you confirm that the policy ID from the log is the policy you attached?

When you see the certificate warning, what is in the section 'issued by'?

BTW, for incoming traffic there is, in most cases, no reason to do NAT.

orani

Yes, policy 73 is the policy I made for this traffic.

 

Issued by: FG200E4Q17904532. The same also when receiving the "empty response" message.

 

I also tried without NAT, but the result was the same.

Orestis Nikolaidis

Network Engineer/IT Administrator

Dave_Hall
Honored Contributor

Have the admin connection ports for the FGT itself been adjusted?

 

Something like:

 

config system global
    set port-http 8080
    set port-https 8443
end

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

orani

No, I have the default 80/443. But I tried changing the HTTPS port to 1443 and still get the same error. I also tried changing the incoming port of the virtual server, with the same result.

 

Let me also mention that the public IP is not an interface IP, but an IP from a range of 16 static IPs I got from my ISP.

Orestis Nikolaidis

Network Engineer/IT Administrator

Dave_Hall
Honored Contributor

orani wrote:

Let me also mention that the public IP is not an interface IP, but an IP from a range of 16 static IPs I got from my ISP.

Perhaps a one-to-one IP pool needs to be set up for the reverse direction from the server (private IP) going out.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
