Administration Guide

Explicit proxy authentication over HTTPS

When an HTTP request requires authentication in an explicit proxy, the authentication can be redirected to a secure HTTPS captive portal so that the credentials never travel in plain text. Once authentication is complete, the client is redirected back to the original destination over HTTP.

Example

A user visits a website over HTTP through the explicit web proxy on a FortiGate and must authenticate with either basic or form IP-based authentication before the explicit web proxy service will forward the request. The credentials must not cross the network in plain text, so instead of challenging the user inside the HTTP session, the FortiGate redirects the client to its captive portal over HTTPS. The user authenticates there and the credentials are protected by TLS in transit.

In this example, explicit proxy authentication over HTTPS is configured with form IP-based authentication. Once configured, enable authorization for the explicit web proxy by adding users or groups to the firewall proxy policy.

To configure explicit proxy authentication over HTTPS:
  1. Configure the authentication settings:

    config authentication setting
        set captive-portal-type fqdn   
        set captive-portal "fgt-cp"    
        set auth-https enable          
    end
  2. Configure the authentication scheme:

    config authentication scheme
        edit "form"
            set method form
            set user-database "local-user-db"
        next
    end
  3. Configure the authentication rule:

    config authentication rule
        edit "form"
            set srcaddr "all"
            set active-auth-method "form"
        next
    end
    Note

    If a session-based basic authentication method is used, enable web-auth-cookie.

  4. Configure the firewall address:

    config firewall address
        edit "fgt-cp"
            set type fqdn
            set fqdn "fgt.fortinetqa.local"
        next
    end
  5. Configure the interface:

    config system interface
        edit "port10"
            set ip 10.1.100.1 255.255.255.0  
            set explicit-web-proxy enable
            set proxy-captive-portal enable  
        next
    end
  6. Configure a firewall proxy policy with users or groups (see Explicit web proxy).

Verification

When a client visits an HTTP website, the client is redirected to the captive portal for authentication over HTTPS. For example, the client could be redirected to the portal URL by an HTTP 303 response similar to the following:

    HTTP/1.1 303 See Other
    Connection: close
    Content-Type: text/html
    Cache-Control: no-cache
    Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&
    Content-Length: 0

The captive portal URL used for authentication is https://fgt.fortinetqa.local:7831/.... The query string carries the original destination (scheme, host, port and the base64-encoded path, here Lw== for "/") so that, once the authentication is complete with all user credentials protected by HTTPS, the client can be redirected to the original HTTP website it intended to visit.
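The properties worth confirming in that redirect are that the Location is an https:// URL, that its host is exactly the FQDN configured in the captive-portal firewall address (a bare IP or a different name would leave the browser unable to validate the portal certificate), and that the echoed destination matches the request the client actually made. The following script is an added example, not FortiOS code or part of this guide: it reassembles the 303 response shown above as constructed sample input, checks those properties offline, and also offers a live probe that sends the absolute-URI GET an explicit proxy expects. The proxy address, the `4Tmthd` and `rule` parameters, and the function names are assumptions; only the `scheme`, `host`, `port` and `uri` parameters visible in the guide's redirect are relied on.

```python
"""Verify that an explicit-proxy authentication redirect lands on the HTTPS
captive portal.  Added example; not FortiOS code."""
import base64
import http.client
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the 303 response shown in the guide, as a raw HTTP message.
SAMPLE_303 = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Location: https://fgt.fortinetqa.local:7831/XX/YY/ZZ/cpauth"
    b"?scheme=http&4Tmthd=0&host=172.16.200.46&port=80&rule=75&uri=Lw==&\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
PORTAL_FQDN = "fgt.fortinetqa.local"      # fqdn of the "fgt-cp" firewall address
ORIGINAL_URL = "http://172.16.200.46/"    # what the client asked the proxy for


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def analyze_redirect(status, headers, portal_fqdn, original_url):
    """Return findings about a captive-portal redirect; `ok` is True only if the
    portal is HTTPS, on the configured FQDN, and echoes the original request."""
    findings = {"status": status, "ok": False, "problems": []}
    if status not in (302, 303, 307):
        findings["problems"].append(f"expected a redirect, got {status}")
        return findings
    loc = headers.get("location")
    if not loc:
        findings["problems"].append("redirect without Location header")
        return findings
    portal = urlsplit(loc)
    q = parse_qs(portal.query)          # trailing '&' and '=' inside base64 are handled
    uri_b64 = q.get("uri", [None])[0]
    findings.update(
        portal_scheme=portal.scheme,
        portal_host=portal.hostname,
        portal_port=portal.port,
        echoed_scheme=q.get("scheme", [None])[0],
        echoed_host=q.get("host", [None])[0],
        echoed_port=q.get("port", [None])[0],
        # the original path travels base64-encoded in `uri` (Lw== -> "/")
        echoed_path=base64.b64decode(uri_b64).decode() if uri_b64 else None,
    )
    # The point of auth-https: credentials must never be sent over plain HTTP.
    if portal.scheme != "https":
        findings["problems"].append("captive portal is not HTTPS")
    # The portal must be reached by the configured name so its certificate validates.
    if portal.hostname != portal_fqdn:
        findings["problems"].append(f"portal host {portal.hostname!r} != {portal_fqdn!r}")
    # The redirect must carry the original destination so the user is sent back to it.
    orig = urlsplit(original_url)
    expected = (orig.scheme, orig.hostname, str(orig.port or 80), orig.path or "/")
    echoed = (findings["echoed_scheme"], findings["echoed_host"],
              findings["echoed_port"], findings["echoed_path"])
    if echoed != expected:
        findings["problems"].append(f"echoed destination {echoed} != request {expected}")
    findings["ok"] = not findings["problems"]
    return findings


def check_sample():
    """Offline check against the constructed sample response."""
    status, headers = parse_raw_response(SAMPLE_303)
    return analyze_redirect(status, headers, PORTAL_FQDN, ORIGINAL_URL)


def probe_via_proxy(proxy_host, proxy_port, url, portal_fqdn, timeout=5):
    """Live check (needs network): explicit proxies take the full URL in the
    request line, so send it that way and analyze whatever comes back."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
    conn.request("GET", url, headers={"Host": urlsplit(url).netloc})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return analyze_redirect(resp.status, headers, portal_fqdn, url)


if __name__ == "__main__":
    print(check_sample())
    # Against a real deployment (assumed proxy address and port):
    # print(probe_via_proxy("10.1.100.1", 8080, ORIGINAL_URL, PORTAL_FQDN))
```

A redirect to an http:// portal, or to the FortiGate's IP address instead of the configured FQDN, is reported in `problems` rather than silently accepted; the same check is useful after a firmware upgrade or a change to `captive-portal-type`, since either can alter the Location the client receives.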
