ClaudioRezende
Visitor III
April 9, 2022
Solved

Fortigate - Virtual IP / One public IP for two internal web servers using same 443 ports

Hi guys,

In my domain I have two web server applications and I need to publish both. They are hosted on different internal web servers.
I only have one public IP to do that and both need to use the HTTPS port.

Ex:
webserver1.mydomain.com / 200.10.10.10:443 > 192.168.1.10:443
webserver2.mydomain.com / 200.10.10.10:443 > 192.168.1.11:443

Is it possible to configure Fortigate to do this with a virtual IP?
Will Fortigate be able to match different FQDNs and redirect to the correct web server?

Regards,

Best answer by Debbie_FTNT

Another thread discussing this:

https://community.fortinet.com/t5/Fortinet-Forum/Redirect-HTTP-Requests-coming-from-the-WAN-to-diferent/m-p/208413

Let us know if you still have questions :)

4 replies

ede_pfau
SuperUser
April 9, 2022

Hi,

Not as far as I know. The feature you are looking for is called "URL routing", and is available in a FortiADC for instance (a reverse proxy). The Fortigate knows how to exchange destination IP address and/or destination port, and that's it. A VIP will not look at an HTTP request to route the traffic to one of two internal webservers - Fortigate VIP is on layer 4, URL routing on layer 7.

amouawad
Staff
April 10, 2022

You can't do this with a standard VIP but will be able to do it using virtual servers/load balancer, which are a special type of VIP.

You need to enable 'Load Balance' feature in the GUI first via System > Feature Visibility > Load Balance:

[Screenshot: 2022-04-10_19-15.png]

Once enabled you'll be able to configure virtual servers, with a single VIP. Select HTTP Host as the load balancing method, then add your real backend servers with their hostnames.

[Screenshot: 2022-04-10_19-11.png]

You'll need to upload a wildcard certificate for *.mydomain.com to match both hosts.

ClaudioRezende
Visitor III
April 11, 2022

Thanks a lot !!!

ede_pfau
SuperUser
April 10, 2022

Nice, learning every day! Thanks for posting.

I've found this KB article on the topic: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-host-check/ta-p/198274

In comparison to a "real reverse proxy", a FGT can distinguish real server targets by URL host part, not by the path: "test1.domain.com" and "test2.domain.com" will work, but "www.domain.com/outlook" and "www.domain.com/support" will not.

But then again, this feature is included in FortiOS, for free so to say.

Debbie_FTNT
Staff & Editor
April 11, 2022