Redirect HTTP Requests coming from the WAN to diferent webservers based on domain name

Question

Hello, I am trying to redirect the traffic coming from the WAN to a specific machine based on the domain name that a user types as a URL. This is somewhat tough to explain properly since this is my first time doing it so I will try to provide a detailed example.

The FortiGate Firmware version is 6.4.7.

I have 2 different servers in the same network that run as webservers, one machine has a 192.168.1.10/32 address and the other one 192.168.1.11/32. I have a DNS hosting were I can create several alias registries pointing to the public IP address that is set on the WAN.

The main plan is the following.

I created an entry in the DNS that points machineA.mydomain.com to the public IP address set on the WAN and I I created a Virtual IP that redirects this request directly to the webserver at 192.168.1.10/32. This one worked flawlessly since it was done directly though port forwarding.

The problem comes when I try to add a second registry that points to the same public IP address on the WAN but in this case the alias is machineB.mydomain.com and the machine is 192.168.1.11/32. I have no clue how to redirect such request to a different machine since port forwarding is not an option because both machines use the same ports (or am I wrong in this statement?)

I have come across diferent ideas but I don't know if they are possible solutions and I do not know how to apply them.

1.1. Fortigate DNS Server. I was wondering if I could create a NS entry in my DNS hosting to redirect all the request from mydomain.com including all subdomains to the Fortigate DNS server through the public IP address set on the WAN. Then I believe I can enable what it's referred as "DNS Database table" in the Fortigate and create my own entries.

1.2. Moving such machines to the DMZ. I have been working with Fortigates for the last couple of years and I have yet to try the DMZ. Is it a viable option? I am personally more familiar with the DNS server option mentioned before.

I have seen different post written in here but it was to no avail. Hopefully I am on the right track for this and things can get sorted. If there is a proper post already with this issue fixed I apologize beforehand for opening this post and please add a link of such post.

Feel free to ask for more details, I feel like there's information lacking somehere I have yet to know.

Thank you in advance.

Debbie_FTNT · Accepted Answer

Hey Aitor,

have a look at this thread: https://community.fortinet.com/t5/Fortinet-Forum/Virtual-server-with-real-servers-on-different-subnets-interfaces/td-p/208114

Especially the OP's initial comment and configuration snippets.

From your description, it sounds as if you want one VIP and direct to different real servers based on the URL that is used to access the VIP, correct?

It sounds as if a load-balancing VIP and using the 'http-host' parameter is what you're looking for. Do note that the policy/VDOM/FortiGate (depending on firmware version) may need to be in proxy-mode for this option to become available, and you may need to enable the 'Load Balance' option under System > Feature Visibility to make 'Virtual Server' accessible under Firewall Objects.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded