Implicit web proxy browser extension

The Chrome browser extension fetches proxy settings from the FortiProxy at regular intervals. The FortiProxy acts as a load balancer, distributing the workload across different proxies. Different extension rules can be configured for different networks, providing enhanced flexibility.

When traffic matches a transparent policy or web proxy policy that has extension detection enabled, and the extension is not installed, the traffic is redirected to the extension portal. The extension portal provides installation instructions and proxy setting synchronization.

On the client, the user must download and install the extension from the Chrome web store. The extension synchronizes the proxy settings with FortiProxy. The proxy settings are automatically adjusted based on the load balancing results and the source interfaces.

Implicit proxy detection from policy

When a request hits the policy, it is checked for a header from the extension. If the header is included, the traffic is allowed to pass through. If the header is absent, the extension portal opens with a link to the extension so that it can be installed. If the extension is not installed, then the traffic is blocked.

To enable extension detection:
config firewall policy
    edit 1
        set type {transparent | explicit-web}
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set implicit-proxy-detection enable
        set ssl-ssh-profile "deep-inspection"
    next
end

Captive portal

Users access the portal page either by being redirected or by accessing it directly. The portal includes a link to download the extension and instructions for installing it. After the extension is installed, it periodically fetches the proxy auto-config (PAC) file from the portal address and port. A proxy rule is selected based on the source interface of the fetching request, and a PAC is generated with that rule.

To configure the authentication settings:
config authentication setting
    set active-auth-scheme ''
    set sso-auth-scheme ''
    set captive-portal-type ip
    set captive-portal-ip 10.1.1.1
    set captive-portal-ip6 ::
    set cert-auth disable
    set captive-portal-port 7830
    set auth-https enable
    set captive-portal-ssl-port 7831
    set rewrite-https-port 0
end

To configure interfaces:
config system interface
    edit "port1"
        set ip 172.16.80.158 255.255.255.0
        set proxy-captive-portal enable
    next
    edit "port2"
        set ip 10.2.2.2 255.255.255.0
        set proxy-captive-portal enable
    next
end

To configure implicit proxy settings:
config web-proxy implicit-proxy-setting
    edit 1
        set interface port1
        set implicit-proxy-rule "rule1"
    next
    edit 2
        set interface port2
        set implicit-proxy-rule "rule2"
    next
end

Implicit proxy rule

Each implicit proxy rule includes a list of servers, the load balance method that is used to load balance traffic among the web proxies, and a bypass list that includes the addresses of servers that do not need to be proxied.

Based on each implicit proxy rule, FortiProxy generates a PAC for proxy settings, and responds with the PAC when a user's extension requests the PAC from the extension portal.

To configure an implicit proxy rule:
config web-proxy implicit-proxy-rule
    edit "1"
        set load-balance-method round-robin
        set bypass-list "gmail.com" "login.microsoft.com"
        config proxy-servers
            edit 1
                set ip 10.1.99.1
                set port 8080
            next
            edit 2
                set ip 10.1.99.2
                set port 8080
            next
            edit 3
                set ip 10.1.99.3
                set port 8080
            next
        end
    next
end
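
The following is an added example, not FortiProxy code or its actual PAC output: it builds a PAC from the rule values configured above and evaluates it for sample hosts, so the bypass list and server order can be reviewed before rollout. The names `buildPac` and `evalPac`, the rotation used to model round-robin, and the subdomain matching are assumptions; the PAC that FortiProxy generates is not shown on this page.

```javascript
// Added illustration: NOT the PAC that FortiProxy generates.
// Rule values are copied from the CLI example above.
const rule = {
  bypassList: ["gmail.com", "login.microsoft.com"],
  proxyServers: [
    { ip: "10.1.99.1", port: 8080 },
    { ip: "10.1.99.2", port: 8080 },
    { ip: "10.1.99.3", port: 8080 },
  ],
};

// Assumption: round-robin is modeled by rotating the server order on each
// PAC fetch, so the first choice changes and the rest act as failover.
function buildPac(rule, fetchCount) {
  const n = rule.proxyServers.length;
  const chain = rule.proxyServers
    .map((_, i) => rule.proxyServers[(i + fetchCount) % n])
    .map((s) => `PROXY ${s.ip}:${s.port}`)
    .join("; ");
  return [
    "function FindProxyForURL(url, host) {",
    "  host = host.toLowerCase();",
    `  var bypass = ${JSON.stringify(rule.bypassList)};`,
    "  for (var i = 0; i < bypass.length; i++) {",
    "    var d = bypass[i];",
    "    // Exact host or a true subdomain only, never a bare string suffix.",
    "    if (host === d || host.slice(-(d.length + 1)) === '.' + d) return 'DIRECT';",
    "  }",
    `  return ${JSON.stringify(chain)};`,
    "}",
  ].join("\n");
}

// Evaluate a PAC body for one host, as a reviewer would spot-check it.
function evalPac(pacSource, host) {
  const find = new Function(`${pacSource}; return FindProxyForURL;`)();
  return find(`https://${host}/`, host);
}

// Constructed sample hosts for the spot check.
for (const h of ["mail.gmail.com", "notgmail.com", "example.org"]) {
  console.log(h, "->", evalPac(buildPac(rule, 0), h));
}
```

Hosts that resolve to `DIRECT` leave the browser without passing through any of the listed proxies, so each bypass entry should be checked against look-alike names such as the `notgmail.com` sample.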