FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
kmak
Staff
Article Id 404834
Description This article describes the possible issues when setting up FortiADC Layer-7 HTTPS Server Load Balance Virtual Server with ADFS as the target real server pool.
Scope FortiADC.
Solution

Prerequisites:

  • Layer-7 HTTPS SLB Virtual Server with ADFS as the target real server pool.
  • A standard Layer-7 HTTPS Application profile and client-SSL profile are configured for the proxy frontend.
  • A valid SSL certificate is installed for the ADFS FQDN hostname.


Troubleshoot Error 1:

  1. The ADFS page served through the Layer-7 HTTPS SLB Virtual Server displays a 503 error return code. The error page shown originates from the real server rather than from FortiADC.


  2. Enable the traffic-log setting for the Layer-7 Virtual Server and check the L7-HTTP log in FortiADC to verify the error messages.


Solution:

The ADFS page uses the HTTPS protocol; the 503 error page is returned because the real server pool is configured with port 80 (HTTP protocol).


Troubleshoot Error 2:

  1. The ADFS page shows the error 'ERR_EMPTY_RESPONSE'.


  2. The traffic log shows the 'unknown' return code and zero ('0') sent bytes.


  3. The error is due to the ADFS real server pool being configured with port '443' while no real server SSL profile is enabled, so FortiADC sends plain HTTP to an HTTPS port.


Solution:

Select a real server SSL profile for the real server pool.


Troubleshoot Error 3:

  1. The ADFS real server pool is configured with port '443' and a real server SSL profile, but the FortiADC SLB Virtual Server frontend still displays a 503 error return code.


  2. The traffic log shows that the HTTPS request was translated correctly to ADFS real server port 443. Both sent bytes and received bytes are recorded in FortiADC.


  3. Take a packet capture in FortiADC of the traffic between FortiADC and the ADFS server. It shows that the ADFS server sends an RST (RST, ACK) packet immediately after the 'CLIENT HELLO' from FortiADC.


Solution:

  • ADFS requires the SNI (Server Name Indication) extension to be present in the SSL/TLS handshake. Enable the 'SNI Forward Flag' option in the real server SSL profile.


  • Run the packet capture again; the Client Hello should now contain the SNI extension. The ADFS real server no longer sends RST packets and instead replies to the SSL/TLS handshake.


  • The ADFS page now displays correctly when proxied through the FortiADC SLB Virtual Server.


Related document:

Configuring real server SSL profiles