Skip to main content
solae
solae
Visitor III
February 6, 2024
Solved

Map multiple Website with multiple Domains and Subdomains to multiple Servers (WAF / ZTNA)

  • February 6, 2024
  • 2 replies
  • 3645 views

I try to solve a (maybe) edge case for a customer:

 

The Customer has multiple Website behind a Fortigate which he would like to make public available:

  • web1.domain1.tld
  • web2.domain1.tld
  • web3.domain2.tld

There is only 1 public IP Address. All the Website should be available on Port 443 (HTTPS).

The Websites should be protected by WAF.

 

What I have tried:

I can make the first two Websites (web1, web2) available with "Virtual Servers" and by using a Wildcard (public signed) certificate. Then I used a Firewall Rule with a Web Application Firewall Profile to secure the Servers. But then web3 cannot be added because it is using a different Domain.

 

I also tried it with ZTNA, Proxy Policy and by disabling the Client Certificate requirement by setting "set client-cert disable". This way I was able to publish all of the 3 Domains. But that way i cannot use any protection as Web Application Firewall cannot be used together with ZTNA as far as i know.

Also, i noticed, that when using a HTTPS-Real-Server, that the real certificate of the Server is showing up instead the certificate i selected in the ZTNA-Real-Server assignment.

 

Any suggestion how to solve this case without using a FortiWeb?

 

Regards,

Michael

Best answer by solae

For everyone else looking for a solution, I solved this by creating a Multidomain Wildcard SAN Certificate.

With that, it is possible to use the Virtual Server and WAF for all Domains.

 

First i didn‘t want to use a Certificate like that, because they are expensive.

I‘m now using the Powershell Module „Posh-Acme“ together with the integrated Cloudflare Plugin in the Module to automatically generate a Multidomain Wildcard SAN Certificate. The Renewal Process is also automated.

After generating/renewing, I use the PowerShell Module „Posh-SSH“ to connect to the Fortigate and Upload the Certificate via a TFTP-Server (pfx file). Then I can use native Fortigate Commands, also with Posh-SSH, to assign the Certificate to all Services (everything automated).

 

Initialy i thought that would not be suiteable for production, but it was so easy to crate a script with the two PowerShell modules, and the Certificate can be monitored by PRTG, so I get an alert if something failes.

2 replies

AEK
SuperUser
AEK
SuperUser
February 6, 2024

I tried to do the same.. If you don't use a dedicated WAF, I think your solution with FortiGate is to use a second public IP for web3.

AEK
    solae
    solaeAuthor
    Visitor III
    February 7, 2024

    Thanks AEK. I hoped that there will be some "magic" I had missed, but doesn't seem so.

    solae
    solaeAuthorAnswer
    Visitor III
    February 9, 2024

    For everyone else looking for a solution, I solved this by creating a Multidomain Wildcard SAN Certificate.

    With that, it is possible to use the Virtual Server and WAF for all Domains.

     

    First i didn‘t want to use a Certificate like that, because they are expensive.

    I‘m now using the Powershell Module „Posh-Acme“ together with the integrated Cloudflare Plugin in the Module to automatically generate a Multidomain Wildcard SAN Certificate. The Renewal Process is also automated.

    After generating/renewing, I use the PowerShell Module „Posh-SSH“ to connect to the Fortigate and Upload the Certificate via a TFTP-Server (pfx file). Then I can use native Fortigate Commands, also with Posh-SSH, to assign the Certificate to all Services (everything automated).

     

    Initialy i thought that would not be suiteable for production, but it was so easy to crate a script with the two PowerShell modules, and the Certificate can be monitored by PRTG, so I get an alert if something failes.

      Terms & ConditionsAccessibility statement