New_Person
New Member
August 17, 2016
Question

Idiot question - NAT Rule

  • August 17, 2016
  • 2 replies
  • 6354 views

I think I know the answer, but here is the daft newbie just wanting someone to say OF COURSE YOU CAN'T DO THAT.

I have 2 internal IIS sites with similar purposes, secured with a public cert. The sites provide essentially a file upload mechanism that is used by a mobile phone app we use. The servers are separate (for reasons) and of course have different internal IP addresses. No clever load balancers involved, just a simple NAT rule so far.

I have 2 separate domain names with A records pointing at a public IP address that will land on my edge fortigate - again all good.

Except ...

Can I have the 2 different URLs point to the same destination edge NAT IP and somehow have the FortiGate send requests that came in via URL-A NAT to InternalServer-A, and requests that came in via URL-B NAT land on InternalServer-B?

I did that sort of thing in my old world of TMG web publishing, but I suspect I cannot really do that here in FortiGate world without using a separate public IP for each NAT'd internal server?

Any thoughts welcome.

thanks


    ede_pfau
    SuperUser
    August 17, 2016

    OF COURSE YOU CAN'T DO THAT

    hi,

    and welcome to the forums.

    No, URL rewriting is beyond the features of a FGT. FortiWeb web firewalls will do that; they are the recommended replacement for TMG.

    So the easiest way would be to use 2 different public IPs. Or 2 different ports, but that'll be difficult for your users, I guess.

    When you create the VIPs (for destination NAT), make sure you do not use the external public IP elsewhere in the setup, for instance as a secondary IP of wan1. VIPs do (among other things) proxy ARP; they are not only recipes to translate a destination address to another.

    emnoc
    New Member
    August 17, 2016

    Actually you can. It's called host header switching; you would need to define, for example:

    www.example1.com ( public_addr x.x.x.x ) -----switch to node1

    www.example2.com ( public_addr x.x.x.x ) -----switch to node2

    ( cfg )

    config firewall vip
        edit "YOUR_SLB_VIP"
            set type server-load-balance
            set extip 1.1.1.1    <---- single public address
            set extintf "wan1"
            set ldb-method http-host
            config realservers
                edit 1
                    set ip 10.0.0.1
                    set port 80
                    set http-host "www.example1.com"
                next
                edit 2
                    set ip 10.0.0.2
                    set port 80
                    set http-host "www.example2.com"
                next
            end
        next
    end

    Now I'm not 100% sure the above is doable on a FGT90D, but you can look at it and see if that works. You would only need a single firewall rule to the VIP and ensure that the 2 nodes are up.

    edit to add

    In DNS you would have something like this:

    www.example1.com.            IN    A    1.1.1.1

    www.example2.com.            IN    A    1.1.1.1

    Ken

    New_Person
    New Member
    August 17, 2016

    aha... thanks!

    Though I should have mentioned it's an HTTPS request in, rather than just 80. Have tried your handy tips with port set at 80 initially and then 443 as above, but bouncing off an error that prevents it being saved: "Node check object fail - attribute server-type must be set." Close. I can feel it, but I must be missing server-type. Is that on the RealServer itself?

    thanks again

    emnoc
    New Member
    August 18, 2016

    On the HTTPS, I don't think that's doable unless you had a single UC certificate. You might want to LAB it in a PoC and see what you can do.

    In reality you should deploy an SLB (FTNT, F5 LTM, Citrix NetScaler, LVS, Kemp, Brocade, etc.) if you need that function, and leave the SLB to an ADC appliance, imho. There you can easily manipulate host header switching and SNI.

    Ken