Written in collaboration with @davidfrazee
In today's cybersecurity threat landscape, organizations face numerous challenges in securing their networks and data. A critical aspect of every organization’s security strategy is ensuring secure and efficient outbound connectivity for users. This is where the Explicit proxy capability, available in network firewalls, emerges as a powerful tool to address these security concerns.
The Azure Firewall Explicit proxy feature is now available in Public Preview. In this blog, we will explore the concept of Explicit proxy and discuss the problems it helps solve when used with Azure Firewall.
Understanding Explicit proxy
Azure Firewall operates in a transparent proxy mode by default. In this mode, traffic is sent to the firewall using a user-defined route (UDR) configuration. The firewall intercepts that traffic inline and passes it to the destination.
An explicit proxy acts as an intermediary between client and server. With Explicit proxy enabled on Azure Firewall, client applications (such as a web browser) can be pointed at Azure Firewall as their proxy. As a result, HTTP and HTTPS traffic from the client application goes to the firewall's private IP address, is evaluated by the proxy, and then a new connection to the destination is initiated by the proxy on behalf of the client/application.
You can manually configure the proxy IP address and port in the browser or application, or you can configure a proxy auto config (PAC) file. After you upload a PAC file, the firewall hosts it and serves it to clients that request it.
Key Benefits
The Explicit proxy feature is currently in preview, and it brings several benefits to organizations seeking enhanced security:
Enabling Explicit proxy on Azure Firewall
In this blog post we are using the Azure Portal to enable and configure the Explicit proxy feature. Follow the steps below to successfully enable Explicit proxy:
Step 1: Once you are logged into the Azure Portal, select your Azure Firewall Policy, and look for Explicit proxy on the left side menu.
Note: If you are using Azure Firewall Policy to define a rule hierarchy and you want to enable Explicit proxy, make sure you do so at the child policy level. Explicit proxy configured at the parent policy level is not supported.
Step 2: Then you will select “Enable explicit proxy” and define what ports will be used for HTTP and HTTPS.
Note: The HTTP and HTTPS ports can't be the same.
Step 3: If you want to use a proxy auto configuration (PAC) file, you first must upload the PAC file to a storage account container. A PAC file is a JavaScript-based configuration file used by web browsers to decide whether a given web request should use a proxy server and, if so, which proxy listener (address and port) HTTP and HTTPS traffic should be sent to. The file contains a set of rules that dictate the proxy server to be used for different types of URLs or domains.
For the example used in this blog post we have used a simple proxy.pac file without exclusions or any other complexity.
// Firewall private IP with the HTTP (8080) and HTTPS (8443) listener ports
var http_proxy = "PROXY 10.10.10.132:8080";
var https_proxy = "PROXY 10.10.10.132:8443";

// Called by the browser for every request; returns the proxy listener to use
function FindProxyForURL(url, host) {
    if (url.startsWith('https:')) {
        return https_proxy;
    } else {
        return http_proxy;
    }
}
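The proxy.pac above deliberately has no exclusions. The following is an added example, not the post's own file, that keeps the same firewall listener (10.10.10.132, HTTP on 8080, HTTPS on 8443) and adds the bypasses a real deployment usually needs: plain hostnames, loopback and private addresses (including the firewall itself), and an assumed internal DNS suffix (.corp.example) go DIRECT, and only http: and https: URLs are sent to the firewall. It uses only plain JavaScript, so it also runs outside a browser PAC engine.

```javascript
// Added example PAC file (not the blog's proxy.pac); values below are the
// firewall IP and ports used in this post, the internal suffix is assumed.
var FIREWALL_IP = "10.10.10.132";
var http_proxy = "PROXY " + FIREWALL_IP + ":8080";
var https_proxy = "PROXY " + FIREWALL_IP + ":8443";
// Assumed internal DNS suffixes; replace with your own.
var INTERNAL_SUFFIXES = [".corp.example"];

// Literal IPv4 addresses in RFC 1918, loopback or link-local ranges.
function isPrivateAddress(host) {
  return /^(10\.\d+\.\d+\.\d+|127\.\d+\.\d+\.\d+|169\.254\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)$/.test(host);
}

// True when host is, or is a subdomain of, one of the internal suffixes.
function isInternalName(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host === s.substring(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Plain hostnames (no dot) and the local machine never go via the proxy.
  if (h.indexOf(".") === -1 || h === "localhost") return "DIRECT";
  // Private address space includes the firewall itself; proxying it would loop.
  if (isPrivateAddress(h)) return "DIRECT";
  if (isInternalName(h)) return "DIRECT";
  // Azure Firewall Explicit proxy has separate HTTP and HTTPS listeners.
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "https") return https_proxy;
  if (scheme === "http") return http_proxy;
  // Other schemes are not handled by the explicit proxy listeners.
  return "DIRECT";
}
```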
Step 4: Once your proxy.pac file is uploaded to the storage account, generate a SAS URL for the file.
Note: The SAS URL must have READ permissions so the firewall can download the file from the storage account. If changes are made to the PAC file in the storage account, you must do a PUT on the firewall policy for the changes to be reflected on the firewalls. Also make sure the SAS URL has not expired before doing the PUT on the policy, or the operation will fail.
Step 5: Then, on the Enable explicit proxy page, select “Enable proxy-auto configuration” and configure the shared access signature (SAS) URL. Configure the port the PAC file is served from, and then select Apply at the bottom of the page.
Step 6: After enabling Explicit proxy, you must create application rules to allow or deny web requests from the clients using Azure Firewall as a proxy. A network rule won’t work.
In the screenshot below we are using an application rule with Web Categories.
Enabling the client application to use Explicit proxy
Step 1: To configure your client with the Firewall’s private IP, you will have to change the application's proxy settings. In this blog we are demonstrating the configuration on Windows Server 2022. Go to Settings and look for “Change proxy settings”.
Step 2: In the Manual proxy setup, enable “Use a proxy server” and enter the IP address and port that you have configured on the Firewall for HTTP and HTTPS requests.
Since the ports for HTTP (8080) and HTTPS (8443) traffic are not the same, we are using the following string in the proxy server address:
Step 3: If you chose to use the proxy.pac file, you will have to enable "Use setup script". The configuration will look like this:
Testing Proxy Connections Through Azure Firewall
For testing the Explicit proxy configuration, we are using the Microsoft Edge web browser to connect to https://www.bing.com.
The connection works fine, and in the screenshot below you will see a packet capture taken on the client side, showing the Azure Firewall’s private IP and port 8443 as the destination.
Since Explicit proxy relies on Application rules, all the logs will be available in the “AZFWApplicationRules” table, as shown in the image below:
Notice that “SourcePort” 51544 is the same port seen in the client packet capture.
This way we have evidence that the client is sending its web requests to the Firewall, which is configured as an Explicit proxy.
Conclusion
The Explicit proxy feature, available in Azure Firewall, is a valuable tool for enhancing network security. By leveraging this feature, organizations can enforce granular traffic control, implement content filtering policies, and ensure secure outbound access for their users. Azure Firewall provides centralized management, advanced logging, and analytics capabilities, empowering organizations to protect their networks against evolving cyber threats.
Remember, ensuring the security of your organization's network is an ongoing effort, and staying informed about the latest security features is crucial.