PaperCut web interface, Network Topology, FortiGate, & Reverse Proxy?

We have recently undergone a network topology change and reduction of onsite equipment and infrastructure. What we have in place now:

  • HPE switching: all L2, as most L3 is handed off to the Fortigates
  • Fortigate: handles DHCP, some VLANs’ DNS, firewall, and L3 routing duties (for all VLANs). At our largest campus this is a 100E unit, at our other two campuses it’s 30Es. Site to Site VPN is configured between sites. We have a consistent VLAN and subnetting strategy (10.campus.vlid.client in /24’s for ‘private’, and each campus has a 172.16.x.x/22 for guest)
  • PBX: only at the main site. SIP phones at other sites use the site-to-site vpn
  • Print Server: Each campus has a print server (Windows Server 2019) that also runs the appropriate PaperCut roles: Print Provider & Mobility Print Server. The smaller campuses are ‘site servers’ in PaperCut terminology. The largest campus handles Application Server responsibilities and Web Print server responsibilities also
  • Azure: There is a site-site VPN between the fortigate(s) and azure. It’s architected by our IT Services MSP.
  • NVR server: Blue Iris for security cameras (all at the main campus)
  • 87% of clients are ChromeOS, 12% are MacOS (MDM managed), and 1% are Windows (AzureAD + Intune managed)

Challenge I’m thinking through:

  • We’re not running significant DNS server structures internally. What the fortigate is capable of is all we have (or really want at this point)
  • I have some systems I trust (such as the PBX) to use standard port forwarding and NAT for providing access to the system when someone is offsite
  • I would prefer that access to the PaperCut user portal “just works”. However, that (realistically) means exposing it in some way, shape or form externally.
  • I’m not sure I trust the security of the PaperCut MF system as much as I would Fortigate/Windows/PBX. I believe it runs some version of Java for its web server, but it only gets updated after our copiers are certified (which sometimes takes a long time).
  • Is something like a basic reverse proxy an easy way to expose services (such as PaperCut MF) while not taking stupid risks? My googling says that Fortigates can often do this for you to a certain extent.
  • Other suggestions on how to enable access for the PaperCut portal, but not make unnecessary security risks?
  • I wouldn’t mind having a ‘better security’ solution I can throw in front of things that need some kind of external accessibility but are out of the norm (like PaperCut and the NVR server)
  • We’re trying to do as many things as we can that are ZeroTrust/BeyondCorp style (reasonably)

So, this is a relatively complicated answer but here goes…

A reverse proxy will protect you from *protocol* level attacks - things like double headers, SYN floods, etc. A web application firewall (WAF) will protect you from application level attacks (like Struts vulnerabilities, SQL Injection, etc.). There are good WAFs and cheap WAFs, and never shall the two meet. Your FortiGate does have a basic WAF available (Cookbook | FortiGate / FortiOS 5.4.0 | Fortinet Documentation Library), but for TLS protected applications I found configuring it to be quite difficult (this config will need to be stacked with a reverse proxy load balancing configuration with TLS Offload so the Fortigate can see the clear-text version of the traffic; see SSL/TLS offloading).

There are plenty of other vendors out there, but without a pretty significant (time and money) investment it’s probably unlikely you’ll get better protection. That said, at the end of the day you do have to decide “do I trust this application enough to be Internet facing?” Security tools exist to mitigate risk, but they don’t eliminate it.

Since you mention Azure - have you looked at the Azure App Proxy? Relatively lightweight, stupid simple service you install internally on some Windows device and then it can reverse proxy to other systems. No port forwarding/NAT/etc required at all. Magic. You can even load your SSL cert up in Azure and secure the entire path.

I’ll read up on this option. We don’t use AzureAD or talk about MS auth with our users, so I would have to figure the identity part out. Thanks!

Thanks. This gives me some more language and understanding of what I need to be discussing with my MSP.

Thanks for the info. What is on my short list (in alphabetical order):

  • Azure Active Directory Application Proxy
    • I think this will require all users to exist in AzureAD
    • Is a ‘bridge’ of sorts between on-prem and cloud-first
    • Don’t know if it fits a zero-trust/BeyondCorp style model, but it may
    • Does seem to be an ‘identity aware’ option
    • Ability to scale to other applications
  • Cloudflare Web Application Firewall
    • Requires DNS moving to Cloudflare
    • Minimal infrastructure or none on my part
    • No prior experience with this
    • I don’t think it’s an ‘identity aware’ system (not sure yet)
    • Not expensive (not per-user cost), but it’s “all or nothing” for a DNS domain/zone?
    • Once setup, easy to scale to other applications
  • Google Cloud Identity-Aware Proxy
    • Integrates tightly with Google products (we use GSuite)
    • Connecting to On-Prem looks to require some effort
    • May not have an ongoing per-user cost? (Maybe a VPN cost?)
    • In typical Google Cloud fashion, “some assembly required”
    • Very extensible, scaling to other applications
  • Pre-Existing (not implemented) Fortigate capabilities (links: docs/howto & SSL/TLS offloading)
    • Not as robust as some other options?
    • Uses existing tools
    • Not familiar w/ scale, etc. for other applications
  • Standard port-forwarding/NAT/firewall topology, exposing the Papercut server (or other systems) to the general web
    • Definitely not as robust as other options (not ‘identity aware’)
    • Existing knowledge, fast to setup (we already do this for a couple things)
    • Exposure/security risk is higher?

I have definitely been intrigued by a zero-trust/BeyondCorp style model (which some of these are closer to than others). But at the same time I question what risk there is in exposing via traditional NAT. How much effort is involved in building and maintaining the lower-risk zero-trust/BeyondCorp model?

Identity Aware Proxies are definitely “the way of the future” for apps that aren’t built for Internet-direct connectivity. To add to your list, Cloudflare does have a hosted IAP product called “Access” (https://teams.cloudflare.com/access/index.html) at $5 /user/month.

There are also on-premise IAP products available in both the commercial and open source realms like Pritunl Zero (https://zero.pritunl.com/) and BIG-IP APM (https://www.f5.com/products/security/access-policy-manager).

Oh, also Cloudflare’s WAF is an additional fee above and beyond the basic free product, I think it’s $20 /domain/month for a basic level of protection and more fine-grained protection goes up from there - although the protection never really gets very granular.
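Pulling together the two answers above (the reverse-proxy-plus-WAF one and the identity-aware-proxy one), the following is an added example, not code from this thread, from PaperCut, Fortinet, Cloudflare or any other vendor named here, of what the “identity aware” enforcement point looks like in practice. It is a minimal reverse proxy in Go’s standard library that terminates TLS at the edge and forwards to an internal web app (a stand-in for the PaperCut user portal) only when the request carries a valid, HMAC-signed session cookie; anything else is answered at the edge and never touches the app. The cookie name, token format, header name, hostnames, port and key are all assumptions of the example, and the login step that would actually issue the cookie (SSO against Google, AzureAD, etc.) is left out; `signSession` stands in for whatever that step produces.

```go
// Added example (not from the thread, PaperCut or Fortinet): a minimal
// identity-aware reverse proxy using only Go's standard library. It terminates
// TLS at the edge and forwards to an internal web app (a stand-in for the
// PaperCut user portal) only when the request carries a valid, HMAC-signed
// session cookie. Unauthenticated requests are answered here and never reach
// the app, which is the property an identity-aware proxy adds over plain NAT.
// The cookie name, token format, hostnames and key are assumptions of this example.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// sessionCookie is a hypothetical cookie name issued by the proxy's login step.
const sessionCookie = "iap_session"

// identityHeader carries the verified user to the backend; it is set only by
// the proxy, never taken from the client.
const identityHeader = "X-Forwarded-User"

// signSession builds "user|expiry|sig" with sig = HMAC-SHA256(key, "user|expiry").
// In a real deployment this is what the login step (e.g. SSO) would issue.
func signSession(key []byte, user string, expiry time.Time) string {
	payload := user + "|" + strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifySession checks structure, expiry and signature; returns the user on success.
func verifySession(key []byte, token string, now time.Time) (string, bool) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 || parts[0] == "" {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || now.Unix() >= exp {
		return "", false // expired or malformed expiry
	}
	// Recompute the expected token and compare in constant time.
	expected := signSession(key, parts[0], time.Unix(exp, 0))
	if subtle.ConstantTimeCompare([]byte(expected), []byte(token)) != 1 {
		return "", false
	}
	return parts[0], true
}

// NewIAPHandler returns a handler that enforces the session check and then
// reverse-proxies to backend. now is injectable so expiry can be tested.
func NewIAPHandler(backend *url.URL, key []byte, now func() time.Time) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		r.Host = backend.Host // the app sees its own name, not the public one
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(sessionCookie)
		if err != nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		user, ok := verifySession(key, c.Value, now())
		if !ok {
			http.Error(w, "invalid or expired session", http.StatusUnauthorized)
			return
		}
		// Overwrite, never append: a client-supplied X-Forwarded-User is discarded.
		r.Header.Set(identityHeader, user)
		// ReverseProxy re-serializes the request and strips hop-by-hop headers,
		// so the backend only ever sees a normalized request.
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed internal address of the app; replace with the real print server.
	backend, err := url.Parse("http://papercut.internal:9191")
	if err != nil {
		log.Fatal(err)
	}
	key := []byte("PLACEHOLDER-replace-with-32-random-bytes")
	// Placeholder certificate paths: TLS is terminated here, so the edge owns
	// the public certificate and the app is never directly reachable.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem",
		NewIAPHandler(backend, key, time.Now)))
}
```

The design point is the one the answers make: with plain port forwarding, every packet from the Internet reaches the Java web server and its patch level is your whole defence; with the proxy in front, an unauthenticated request is rejected before any application code runs, and the app receives the user’s identity only from a header the proxy controls. What the proxy does not give you is protection against a bug that an authenticated user can trigger, which is where the WAF and the “do I trust this application?” question still apply.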