Demystifying Explicit proxy: Enhancing Security with Azure Firewall
Published Jul 13 2023 07:03 AM
Microsoft

Written in collaboration with @davidfrazee

In today's cybersecurity threat landscape, organizations face numerous challenges in securing their networks and data. A critical aspect of every organization’s security strategy is ensuring secure and efficient outbound connectivity for users. This is where the Explicit proxy capability, available in network firewalls, emerges as a powerful tool to address these security concerns.

The Azure Firewall Explicit proxy feature is now available in Public Preview. In this blog, we explore the concept of Explicit proxy and discuss the problems it helps solve when used with Azure Firewall.

Understanding Explicit proxy


Azure Firewall operates in transparent proxy mode by default. In this mode, traffic is sent to the firewall by a user-defined route (UDR) configuration. The firewall intercepts that traffic inline and passes it on to the destination.

An explicit proxy acts as an intermediary between client and server. With Explicit proxy enabled on Azure Firewall, client applications (such as a web browser) can be pointed at Azure Firewall as their proxy. As a result, HTTP and HTTPS traffic from the client application goes to the firewall's private IP address, is evaluated by the proxy, and a new connection to the destination is then initiated by the proxy on behalf of the client application.

You can either configure the proxy IP address and port manually in the browser or application, or use a proxy auto-config (PAC) file. After you upload the PAC file to the firewall, the firewall hosts it and serves it to clients that request it.

Key Benefits


The Explicit proxy feature is currently in preview, and it brings several benefits to organizations seeking enhanced security:

  1. Granular Traffic Control: By leveraging an Explicit proxy, organizations can enforce fine-grained policies to filter and inspect outbound traffic without using UDRs to steer traffic to the firewall. This enables them to block malicious websites, prevent unauthorized downloads, and mitigate the risks associated with malware and other threats, helping safeguard networks against a range of cyber threats.
  2. Centralized Management: Azure Firewall's Explicit proxy allows for centralized policy management and configuration. This simplifies the administration of access controls across multiple Azure Virtual Networks (VNets), improving operational efficiency.
  3. Logging and Analytics: Azure Firewall provides advanced logging and analytics capabilities through Azure Monitor and Azure Firewall Diagnostic logs. Organizations can gain insights into network traffic patterns, perform detailed analysis, and detect potential security incidents.

Enabling Explicit proxy on Azure Firewall

In this blog post we use the Azure Portal to enable and configure the Explicit proxy feature. Follow the steps below to enable Explicit proxy:

Step 1: Once you are logged into the Azure Portal, select your Azure Firewall Policy and look for Explicit proxy in the left-hand menu.

[Screenshot: Explicit proxy entry in the Azure Firewall Policy menu (gusmodena_0-1689255661226.png)]


Note: If you use Azure Firewall Policy to define a rule hierarchy and want to enable Explicit proxy, make sure you do so at the child policy level. Explicit proxy configured at the parent policy level is not supported.

Step 2: Select “Enable explicit proxy” and define the ports to be used for HTTP and HTTPS.

Note: The HTTP and HTTPS ports can't be the same.

[Screenshot: Enable explicit proxy page with the HTTP and HTTPS ports (gusmodena_1-1689255703796.png)]

Step 3: If you want to use a proxy auto-configuration (PAC) file, you must first upload the PAC file to a storage account container. A PAC file is a JavaScript-based configuration file that web browsers evaluate to decide whether a given web request should use a proxy at all and, if so, which listener on the proxy server HTTP and HTTPS traffic should be sent to. The file contains a set of rules that dictate the proxy server to be used for different URLs or domains.


For the example used in this blog post we use a simple proxy.pac file with no exclusions or other complexity.

// Azure Firewall private IP with the HTTP and HTTPS listener ports configured in Step 2
var http_proxy = "PROXY 10.10.10.132:8080";
var https_proxy = "PROXY 10.10.10.132:8443";

// Called by the client for every request; returns the proxy string to use.
// substring() is used rather than startsWith() because older PAC engines
// (such as the JScript-based one on Windows) lack ES6 string methods.
function FindProxyForURL(url, host) {
  if (url.substring(0, 6).toLowerCase() === "https:") {
    return https_proxy;
  } else {
    return http_proxy;
  }
}
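The file above sends everything to the firewall. In practice a PAC file also needs exclusions, so the following is an added example of a fuller proxy.pac (not the post's own file and not something Azure Firewall ships): single-label intranet names, an internal DNS zone, RFC 1918 address literals and the Azure Instance Metadata Service endpoint go direct, and only HTTP and HTTPS requests are sent to the firewall's two listeners. The firewall IP and ports (10.10.10.132, 8080 and 8443) are the ones from the post; the corp.example zone and the bypass lists are constructed for illustration. It deliberately uses only ES3-era JavaScript and its own small helpers rather than PAC built-ins such as dnsDomainIs() and isInNet(), so it runs in older PAC engines and can be unit-tested in Node before being uploaded to the storage account.

```javascript
// Added example PAC file, not the post's own proxy.pac.
// Firewall private IP and listener ports are the ones used in the post; the bypass
// lists below are constructed for illustration.
var FIREWALL_IP = "10.10.10.132";
var HTTP_PROXY = "PROXY " + FIREWALL_IP + ":8080";
var HTTPS_PROXY = "PROXY " + FIREWALL_IP + ":8443";

// Constructed bypass lists: an internal DNS zone and hosts that must never be proxied.
// 169.254.169.254 is the Azure Instance Metadata Service, which must be reached directly.
var DIRECT_SUFFIXES = [".corp.example"];
var DIRECT_HOSTS = ["127.0.0.1", "169.254.169.254"];

// True if host ends with the given suffix (caller has already lower-cased host).
function hostEndsWith(host, suffix) {
  return host.length >= suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

// True if host is a dotted-quad literal inside an RFC 1918 range.
// Only IP literals are matched; no name resolution is attempted here.
function isPrivateIPv4(host) {
  var parts = host.split(".");
  if (parts.length !== 4) { return false; }
  var octets = [];
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) { return false; }
    var n = parseInt(parts[i], 10);
    if (n > 255) { return false; }
    octets.push(n);
  }
  return octets[0] === 10 ||
    (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31) ||
    (octets[0] === 192 && octets[1] === 168);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Single-label names (intranet short names) and explicit bypass hosts go direct.
  if (host.indexOf(".") === -1) { return "DIRECT"; }
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) { return "DIRECT"; }
  }

  // 2. Internal DNS zones go direct.
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    if (hostEndsWith(host, DIRECT_SUFFIXES[j])) { return "DIRECT"; }
  }

  // 3. RFC 1918 address literals go direct.
  if (isPrivateIPv4(host)) { return "DIRECT"; }

  // 4. Everything else: pick the firewall listener that matches the URL scheme.
  //    The explicit proxy handles HTTP and HTTPS only, so other schemes go direct.
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "https") { return HTTPS_PROXY; }
  if (scheme === "http") { return HTTP_PROXY; }
  return "DIRECT";
}
```

Two design choices are worth noting. The proxy strings carry no "; DIRECT" fallback, so if the firewall listener is unreachable the client fails closed rather than silently bypassing inspection. And anything matched by the bypass rules is never evaluated against the firewall's application rules, so the bypass lists should stay as short as the environment allows.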


Step 4: Once the proxy.pac file is in the storage account, generate a SAS URL for the file.

[Screenshot: Generating a SAS URL for the proxy.pac blob (gusmodena_2-1689255843609.png)]

Note: The SAS URL must grant READ permission so the firewall can download the file from the storage account. If you change the PAC file in the storage account, you must do a PUT on the policy for the change to be reflected on the firewalls. Also make sure the SAS URL has not expired before doing the PUT on the policy, or the operation will fail.

Step 5: Then, on the Enable explicit proxy page, select “Enable proxy auto-configuration” and configure the shared access signature (SAS) URL. Configure the port the PAC file is served from, and then select Apply at the bottom of the page.

[Screenshot: PAC file settings on the Enable explicit proxy page (gusmodena_3-1689255909371.png)]


Step 6: After enabling Explicit proxy, you must create application rules to allow or deny web requests from clients that use Azure Firewall as a proxy. A network rule won’t work.

In the screenshot below we are using an application rule with Web Categories.

[Screenshot: Application rule using Web Categories (gusmodena_4-1689255966259.png)]

Enabling the client application to use Explicit proxy


Step 1: To configure your client with the Firewall’s private IP, go to the application settings and make the change there. In this blog we demonstrate the configuration on Windows Server 2022. Go to Settings and look for “Change proxy settings”.

[Screenshot: Windows Server 2022 proxy settings (gusmodena_5-1689256078394.png)]

Step 2: Under Manual proxy setup, enable “Use a proxy server” and enter the IP address and port you configured on the Firewall for HTTP and HTTPS requests.

[Screenshot: Manual proxy setup with the firewall address and ports (gusmodena_2-1689299195811.png)]

Since the ports for HTTP (8080) and HTTPS (8443) traffic are not the same, we use the following string in the proxy server address:

  • http=10.10.10.132:8080;https=10.10.10.132:8443


Step 3: If you chose to use the proxy.pac file, enable “Use setup script” instead and point it at the PAC file served by the firewall. The configuration will look like this:

[Screenshot: Use setup script configured with the PAC file URL (gusmodena_7-1689256233903.png)]

Testing Proxy Connections Through Azure Firewall


For testing the Explicit proxy configuration, we use the Microsoft Edge web browser to connect to https://www.bing.com.

The connection works fine, and the screenshot below shows a packet capture taken on the client side, with the Azure Firewall’s private IP and port 8443 as the destination.

[Screenshot: Client-side packet capture showing the firewall IP and port 8443 as the destination (gusmodena_8-1689256284853.png)]

Since Explicit proxy relies on Application rules, all the logs are available in the “AZFWApplicationRules” table, as shown in the image below:

[Screenshot: AZFWApplicationRules log entries (gusmodena_9-1689256311241.png)]

Notice that “SourcePort” 51544 is the same port seen in the client packet capture.

This gives us evidence that the client is sending its web requests to the Firewall, which is configured as an Explicit proxy.


Conclusion

The Explicit proxy feature, available in Azure Firewall, is a valuable tool for enhancing network security. By leveraging this feature, organizations can enforce granular traffic control, implement content filtering policies, and ensure secure outbound access for their users. Azure Firewall provides centralized management, advanced logging, and analytics capabilities, empowering organizations to protect their networks against evolving cyber threats.

Remember, ensuring the security of your organization's network is an ongoing effort, and staying informed about the latest security features is crucial.

Version history
Last update: Jul 27 2023 08:33 AM