Administration Guide

Web proxy

If you have a proxy server in your environment, you must configure FortiNAC to direct web traffic to that server when hosts are in isolation. Isolated hosts may need to reach web sites related to their antivirus or operating system to install updates before being allowed on the production network. If the FortiNAC proxy server configuration is not set up, attempts by isolated hosts to reach these web sites will fail.

Browsers configured with a static Proxy Server cannot be reconfigured by FortiNAC. Proxy settings must be dynamic.

FortiNAC cannot integrate with a pre-configured, IP-address-based proxy.

This document describes a method for hosts on the network to learn about and use a proxy server configured by a network administrator. Each host is configured automatically to use the proxy server instead of needing to be configured manually. If any hosts have already been configured to use a specific proxy server, then this feature will not reconfigure the host.

The web proxy feature can be configured to redirect hosts to a proxy server based on the web site requested. This is only for hosts that have Automatic Proxy Detection enabled.

To redirect hosts you must enable the Proxy Auto Config check box and enter the Proxy server information on the Domains tab of the portal configuration view.

If the host requests a web site by IP address, it cannot be redirected to a proxy server. Only requests based on the name or URL of the web site are redirected to a proxy server.

Requirements

• Firmware version 3.x or higher

• FortiNAC version 6.0.3 or higher

• Hosts must have automatic proxy detection enabled in the browser.

Configure proxy server integration

  1. Select System > Settings.
  2. Expand the Control folder and click Allowed Domains.
  3. Click in the IP address field and enter the IP address of the production DNS server. Separate multiple IP addresses with a semicolon (;).
  4. Select the Enable Proxy Auto Config check box to enable it.
  5. In the field below the check box, enter your proxy server information. To enter more than one server, separate the entries with semicolons (;). Formats can be as follows:

    • DIRECT: Fetch the object directly from the content HTTP server denoted by its URL, bypassing the proxy server. This can be used as a fallback option in the event that the proxy server cannot be reached. It should be placed at the end of the list of servers.
    • PROXY name:port: Fetch the object via the proxy HTTP server at the given location (name and port).
    • SOCKS name:port: Fetch the object via the SOCKS server at the given location (name and port).

    Examples:

    PROXY 10.0.0.1:8080;

    PROXY proxy.example.com:8080

    PROXY proxy.example.com:8080; PROXY 10.0.0.2:8080; DIRECT

  6. Click Save Settings.

This process updates a special domains file on your FortiNAC Server or Application Server. The contents of that file and the contents of the wpad.dat.custom file are used to generate wpad.dat. Proxy auto-detection using wpad.dat is a widely supported mechanism to deliver a Proxy Auto-Config ("PAC") file, and the only mechanism FortiNAC supports. No other configuration is required.
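
The proxy list entered in step 5 can be checked before it is saved. The following JavaScript is an added example, not FortiNAC code: parseProxyList and hasDirectFallback are hypothetical names, and the checks assume only the three entry formats listed above.

```javascript
// Added example: validates a semicolon-separated proxy list in the
// DIRECT / PROXY name:port / SOCKS name:port formats described on this page.
// Function and property names are hypothetical.
const ENTRY = /^(PROXY|SOCKS)\s+([A-Za-z0-9.-]+):(\d{1,5})$/;

function parseProxyList(field) {
  const entries = [];
  const problems = [];
  // A trailing semicolon (as in "PROXY 10.0.0.1:8080;") leaves an empty item; drop it.
  const items = field.split(';').map(s => s.trim()).filter(s => s.length > 0);
  items.forEach((item, i) => {
    if (item === 'DIRECT') {
      entries.push({ type: 'DIRECT' });
      if (i !== items.length - 1) {
        problems.push(`DIRECT at position ${i + 1} should be the last entry`);
      }
      return;
    }
    const m = ENTRY.exec(item);
    if (!m) {
      problems.push(`unrecognized entry: "${item}"`);
      return;
    }
    const port = Number(m[3]);
    if (port < 1 || port > 65535) {
      problems.push(`port out of range in "${item}"`);
      return;
    }
    entries.push({ type: m[1], host: m[2], port });
  });
  if (entries.length === 0) problems.push('no usable proxy entries');
  // DIRECT in the list lets a host bypass the proxy when no proxy can be
  // reached (the fallback described above), so report it for review.
  const hasDirectFallback = entries.some(e => e.type === 'DIRECT');
  return { entries, problems, hasDirectFallback };
}

// Constructed sample inputs: the three examples from this page plus two bad ones.
const samples = [
  'PROXY 10.0.0.1:8080;',
  'PROXY proxy.example.com:8080',
  'PROXY proxy.example.com:8080; PROXY 10.0.0.2:8080; DIRECT',
  'DIRECT; PROXY proxy.example.com:8080',
  'PROXY proxy.example.com',
];
for (const s of samples) {
  const r = parseProxyList(s);
  console.log(JSON.stringify(s), '->', r.entries.length, 'entries, DIRECT fallback:',
    r.hasDirectFallback, r.problems);
}
```

Whether isolated hosts should be allowed the DIRECT fallback is a policy decision; the hasDirectFallback flag makes that choice visible when the list is reviewed.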

The wpad.dat.custom file is never overwritten and allows you to make customizations for your particular proxy environment. This file can be edited and is incorporated into the wpad.dat file when that file is generated. The wpad.dat.custom file is stored on your FortiNAC Server or Application Server in the following directory:

/bsc/www/portal/ROOT/
