Configuring Explicit Webproxy with FSSO on FortiGate 5.2

This describes how to enable the explicit web proxy on the FortiGate and turn on user authentication for it.

1. Enable Explicit Webproxy on the Student and WAN1 interfaces:

This can be enabled in the GUI under System > Network > Interface: tick 'Enable Explicit Web Proxy', or use the following CLI commands:

# config system interface
# edit <port>
# set explicit-web-proxy enable
# next
# end

2. Enable HTTP/HTTPS with port 8080 and make sure that the Explicit Web Proxy correctly listens on the interface:

Using the GUI, go to System > Network > Explicit Proxy > Explicit Web Proxy Options: enable 'HTTP/HTTPS' with 'HTTP Port' set to 8080.

Or by using the CLI commands:

# config web-proxy explicit
# set status enable
# set http-incoming-port 8080
# end

3. Configure the Explicit Proxy Policy:

In the GUI go to Policy & Objects > Explicit Proxy: create a new policy and set Explicit Proxy Type to 'Web'. Set the Action to 'Authenticate' (in order to enable the user-identity-based part).

Set the 'User Authentication Options' to FSSO and NTLM (in order to enable transparent authentication) and configure the (FSSO) user group(s) in the policy. Currently the user group is 'Student Internet'.

Or by using the CLI commands:

# config firewall explicit-proxy-policy
# edit <policy>
# set proxy web
# set service "webproxy"
# set action accept
# set identity-based enable
# set ip-based enable
# set active-auth-method ntlm
# set sso-auth-method fsso
# config identity-based-policy
# edit 1
# set groups <FSSO_User_Group>
# next
# end
# next
# end

A proxy profile must be created and pushed to the iPads via AirWatch. The server IP should be the external IP of the firewall.

In case you want to enable active, session-based authentication, set the policy's 'User Authentication Options' Single Sign-On Method to 'None' instead of 'FSSO'. When the user browses a resource, they will be prompted for domain credentials.

In order to double-check that the Explicit Web Proxy works (especially in the case of transparent authentication), check the FortiGate GUI under User & Device > Monitor > Firewall. After ticking 'Show all FSSO logons', the user shows up as an Explicit Proxy/FSSO user.
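A client-side cross-check for the same thing, added here as example code (not part of the original guide and not a Fortinet tool): it sends one unauthenticated request through the proxy port from step 2 and classifies the reply. A 407 carrying an NTLM challenge means the source IP had no FSSO logon and active authentication is being enforced; a 200 from a host that has no FSSO logon would mean the policy is not authenticating at all. The proxy host, the probe URL and the status-to-outcome mapping are assumptions, not values from the page.

```python
import socket
from urllib.parse import urlsplit

PROXY_PORT = 8080  # HTTP port configured for the explicit web proxy (step 2)

def build_probe_request(url):
    """Build the absolute-URI GET request an explicit (forward) proxy expects."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return (f"GET {parts.scheme}://{parts.netloc}{path} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\nUser-Agent: proxy-auth-check\r\n"
            "Proxy-Connection: close\r\n\r\n").encode()

def classify_proxy_response(raw):
    """Map the proxy's raw HTTP response to (outcome, status, proxy_auth_schemes).
    Outcomes assume standard HTTP proxy authentication (not a captured FortiGate):
      407 + Proxy-Authenticate -> "challenge": no FSSO logon for this source IP,
                                  so the active NTLM method is offered instead
      2xx/3xx                  -> "passed": FSSO matched (or nothing authenticated!)
      403                      -> "denied"
    """
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    schemes = [l.split(":", 1)[1].strip().split(" ")[0]
               for l in lines[1:] if l.lower().startswith("proxy-authenticate:")]
    if status == 407:
        return ("challenge", status, schemes)
    if 200 <= status < 400:
        return ("passed", status, schemes)
    if status == 403:
        return ("denied", status, schemes)
    return ("unexpected", status, schemes)

def probe_proxy(proxy_host, url="http://example.com/", port=PROXY_PORT, timeout=5.0):
    """Send one probe to a live proxy (e.g. the firewall's external IP) and classify it."""
    with socket.create_connection((proxy_host, port), timeout=timeout) as s:
        s.sendall(build_probe_request(url))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify_proxy_response(raw)

# Constructed sample responses (not captured from a real device) for offline runs.
SAMPLE_NTLM_CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                         b"Proxy-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n")
SAMPLE_PASSED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
```

Run `probe_proxy("<firewall-external-ip>")` once from a machine with an FSSO logon and once from one without; the first should return "passed" and the second "challenge".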

