New Contributor III
July 12, 2011
Question

publish web server

  • July 12, 2011
  • 9 replies
  • 24994 views
Hi all, my name is Guido. I'm trying to configure a FGT 100A on a network. This network has two private subnets treated as DMZs and one internal subnet; there is also a WAN connection over DSL (32 public addresses).

Now I'm trying to publish a web server placed on DMZ1 (192.168.0.a) on a specific public IP address, e.g. 192.168.0.a -> 80.10.10.a.

I've added several WAN IP addresses on the wan1 interface. I've created a Virtual IP with static NAT from the specific external IP to the specific internal IP. I've created a policy (without checking the NAT box) with source the specific IP address (80.10.10.a) and destination the Virtual IP I created. Unfortunately it does not work... please help. Many thanks in advance.

    9 replies

    abelio
    SuperUser
    July 12, 2011
    Hello Guido and welcome,
    "I've added several WAN IP addresses on the wan1 interface."
    You don't need to do that. Define your WAN by choosing one of your public IPs; you can use another IP for your web server (or the same one if you wish). This article can help you: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11765&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=21326709&stateId=0%200%2021328487 Also check the web server's default gateway: does it point to the DMZ IP? Good luck.
    New Contributor III
    July 13, 2011
    Hi Abel, many thanks for your quick reply. I've temporarily resolved it this way:

    1) I've created a VIP: static NAT, source IP: one public IP, destination IP: the IP address of the internal server.
    2) I've created a policy: source wan1, all; destination: the Virtual IP I've created.

    It works now, but I know that I've only worked around the problem. In fact I use one public IP for every service (it is not right). The final configuration I want to reach is simple, but I don't know if it is possible with a FGT. I've worked 10 years with Microsoft systems, I am an MCSE, and now with this appliance I feel like a rookie :)

    In a few words: I have 5 servers and 1 blade server (with 5 virtualized servers). Each server hosts several services (web, mail, app, and so on). Each server has a unique IP address (internal and private, 192.168.x.x). Our DSL has 32 IP addresses. The questions are summarized by these two scenarios:

    a) Is it possible to NAT ONE public IP address (configured on the WAN1 interface) to many private IPs?
    b) Even if one server hosts several web sites of different customers, is it possible to reach these web sites using only one public IP?

    Example:

    a) I have 3 domains registered on my DNS server: domain-1.com, domain-2.com, domain-3.com. The DNS server maps each domain to one and the same public IP (WAN1): 2.10.10.100. The web sites of the 3 domains are on different web servers, each with a unique IP (DMZ1): 192.168.0.200/201/202. Will the FGT be able to catch the request (www.domain-X.com) and redirect it to the right IP?

    b) I have 2 domains registered on my DNS server: domain-1.com, domain-2.com. The web sites of these two domains are on the same server with IP (DMZ1): 192.168.0.99. The DNS server maps each domain to one and the same public IP (WAN1): 2.10.10.100. Will the FGT be able to catch the request (www.domain-X.com) and redirect it to the server, passing along the domain requested?

    Obviously every network card of the servers is configured with the correct GW.

    Many many thanks,
    Guido
    rwpatterson
    New Member
    July 13, 2011
    What you need to do here is, in the VIP configuration section, click the "port forwarding" box. This will allow you to use a single public IP for many different services. (One port forwarded VIP per service.)
    New Contributor III
    July 25, 2011
    Hi all, thanks for your replies, but unfortunately something went wrong. I've tried to follow your suggestion using only one public IP, but I can't reach the services inside the private LAN. In a few words, I've tried this scenario:

    a) public address 2.10.10.100
    b) one server with IIS and a mail server (two IPs configured: 192.168.0.55 / 56)
    c) IIS hosts 2 sites, published on one IP (192.168.0.55)
    d) POP3 and SMTP are published on the same IP, 192.168.0.56

    Trying to create 2 VIPs with the same external source IP, the FGT gives me a duplicate name error, so I've created 1 VIP called "test" configured with a range (192.168.0.55 - 192.168.0.56). Then I've created 2 policies:

    1st: source int: wan1; source add: all; dest int: internal; dest add: VIP "test"; sched: always; service: HTTP; NAT and FIXED PORT deselected
    2nd: source int: wan1; source add: all; dest int: internal; dest add: VIP "test"; sched: always; service: multiple (SMTP - POP3); NAT selected and FIXED PORT deselected

    ...it does not work. Where is my error? Thanks. Guido
    rwpatterson
    New Member
    July 25, 2011
    Once you create an entry without fixed port, no other VIP definitions can terminate on that IP. It's one IP with all ports (one to one), or many with one port each (port forward). You cannot mix and match them. Corrected NAT to port forward....
    ede_pfau
    SuperUser
    July 26, 2011
    Actually, a VIP always does NAT: it exchanges the destination address of packets. Whether you enable NAT on the policy or not doesn't matter for reaching an internal server from outside. Checking NAT in the policy where you use the VIP would translate the source IP of traffic across the policy as well, which sometimes is desirable and sometimes isn't.

    For port forwarding VIPs only (as in 'contrary to non-forwarding VIPs'), you need to check NAT for traffic from the private server to the internet. Otherwise, their private IP wouldn't be routed anywhere. This is different for non-forwarding VIPs.

    Define multiple VIPs with the same external and internal IPs BUT check 'Port Forwarding' in each. SMTP is TCP/25, web is TCP/80 etc. Use these port specific VIPs in one or more policies; if you have one policy per service you can configure your UTM measures specifically.

    Please read the VIP chapter in the FortiOS Handbook for your FortiOS version, available for download from http://docs.fortinet.com . This will give you a reference for the options and some examples.
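    The setup ede_pfau describes, written out as an added example in FortiOS CLI form (this is not configuration posted by anyone in the thread). It assumes FortiOS 5.4 or later CLI syntax (the 4.x syntax of 2011 differs in details, e.g. unquoted mappedip and no policy name), the interface names wan1 and dmz1, the address object dmz-servers, and the addresses from Guido's scenario: 2.10.10.100 public, 192.168.0.55 for the web server, 192.168.0.56 for SMTP/POP3. Three port-forwarding VIPs share the same external IP; a VIP group lets one policy cover both mail ports; a separate NAT-enabled outbound policy covers traffic the servers originate.

```fortios
# Added example, not from the thread. Assumes FortiOS 5.4+ CLI syntax,
# interfaces wan1 (public) and dmz1 (192.168.0.0/24), and the addresses
# used in the thread (2.10.10.100 public; 192.168.0.55 web; 192.168.0.56 mail).

# Address object for the DMZ servers (assumed name), used by the outbound policy.
config firewall address
    edit "dmz-servers"
        set subnet 192.168.0.0 255.255.255.0
    next
end

# One port-forwarding VIP per service. All three share extip 2.10.10.100,
# which is only allowed because each one is port-forwarded; a single
# one-to-one (non-forwarded) VIP on 2.10.10.100 would claim every port
# and block any further VIP on that address.
config firewall vip
    edit "vip-web-80"
        set extip 2.10.10.100
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "192.168.0.55"
        set extport 80
        set mappedport 80
    next
    edit "vip-smtp-25"
        set extip 2.10.10.100
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "192.168.0.56"
        set extport 25
        set mappedport 25
    next
    edit "vip-pop3-110"
        set extip 2.10.10.100
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "192.168.0.56"
        set extport 110
        set mappedport 110
    next
end

# Group the two mail VIPs so a single policy can reference both.
config firewall vipgrp
    edit "vipgrp-mail"
        set interface "wan1"
        set member "vip-smtp-25" "vip-pop3-110"
    next
end

config firewall policy
    # Inbound: one policy per service so UTM profiles can differ per service.
    # NAT stays disabled: the VIP already rewrites the destination; enabling
    # NAT here would also rewrite the source and hide client IPs from the server.
    edit 10
        set name "in-web"
        set srcintf "wan1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "vip-web-80"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
    next
    edit 11
        set name "in-mail"
        set srcintf "wan1"
        set dstintf "dmz1"
        set srcaddr "all"
        set dstaddr "vipgrp-mail"
        set action accept
        set schedule "always"
        set service "SMTP" "POP3"
        set nat disable
    next
    # Outbound: port-forwarding VIPs do not translate connections the servers
    # open themselves, so their traffic to the internet needs a NAT-enabled
    # policy (source NAT to the wan1 address).
    edit 20
        set name "out-dmz"
        set srcintf "dmz1"
        set dstintf "wan1"
        set srcaddr "dmz-servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

    To check that a VIP is matching, connect from outside while running `diagnose sniffer packet dmz1 'host 192.168.0.55 and port 80' 4` on the FortiGate: if the SYN is seen leaving dmz1 with the mapped destination but no SYN/ACK comes back, the policy and VIP are fine and the problem is on the server side, typically a default gateway that does not point at the FortiGate's dmz1 address (abelio's question above).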
    New Contributor III
    August 11, 2011
    ok, thanks!!
    New Contributor III
    August 11, 2011
    So, if I understand well, I can't publish several web sites (that reside on one physical server) with only one public IP address. Is it correct? Thx
    rwpatterson
    New Member
    August 11, 2011
    The FortiGates only pass the traffic. They don't read the HTTP header. That's a function of the web server software. If the web server can direct the traffic based on the header information, then yes, you can do it. One outside IP address can host multiple domains IF the web server can do the distribution. The FGT cannot (prior to V4.3.x).
    New Contributor III
    August 11, 2011
    Hmm, this is a problem. I have two web servers on my DMZ, e.g. www1 192.168.0.1 with 5 websites and www2 192.168.0.2 with 10 websites. If I want to use only one public IP address, do I have to change the www port on the servers?
    rwpatterson
    New Member
    August 11, 2011
    Or have the primary redirect to the secondary. Or change the DNS entry on one to a unique IP address (if you do have 30)
    New Contributor III
    August 12, 2011
    Thank you, thors_hammer, it works! Great! Now I'm able to use only one external IP to serve several websites. I had this problem because I've installed Parallel Platform. It generates several websites (and other services) on the same machine (even if it is a virtualized platform) and on a single IP (I can use multiple IPs if I need). Last question: may I use only one policy (e.g. www instead of www1 and www2) using a pool of IPs instead of a single IP? Will it work?
    Jan_Scholten
    New Member
    August 12, 2011
    Having lots of websites on one host (and one IP) is pretty usual nowadays. On my server there are currently more than 50 domains running. If you have 2 hosts you need two VIPs and therefore 2 policies (you can only choose one VIP per policy). Just be sure the DNS resolves the domains to the correct IP (10 domains for host 1, 5 domains for host 2). If you don't do port forwarding but static NAT you can also access SSH, mail and so on on each host without creating more and more port forwarding VIPs. I'd handle it without port forwarding of specific ports if you have enough IPs. What can be a problem is if you have multiple SSL enabled sites on a host, as the certificate is exchanged before the hostname is transferred. There is a technique called SNI (http://en.wikipedia.org/wiki/Server_Name_Indication) but this is not supported in all server software / all browsers.