Description
This article describes how to configure reverse proxy (SSL offloading) using two different methods.
Solution
Diagram.
This article describes how to configure reverse proxy (SSL offloading) using two different methods.
Solution
Diagram.
FortiGate SSL/TLS offloading is designed for the proliferation of SSL/TLS applications.
The key exchange and encryption/decryption tasks are offloaded to the FortiGate where it is accelerating, using FortiASIC technology which provides significantly more performance than a standard server or load balancer.
This frees up valuable resources on the server farm to give better response to business operations.
Server load balancing offloads most SSL/TLS versions including SSL 3.0, TLS 1.0, and TLS 1.2, and supports full mode or half mode SSL offloading with DH key sizes up to 4096 bits.
FortiGate SSL offloading allows the application payload to be inspected before it reaches the servers.
FortiGate SSL offloading allows the application payload to be inspected before it reaches the servers.
This prevents intrusion attempts, blocks viruses, stops unwanted applications, and prevents data leakage.
SSL/TLS content inspection supports TLS versions 1.0, 1.1, and 1.2 and SSL versions 1.0, 1.1, 1.2, and 3.0
Method 1 - Normal VIP with custom SSL inspection profile.
1) Create a Virtual IP for the web service.
1) Create Server load balance object.
Method 1 - Normal VIP with custom SSL inspection profile.
1) Create a Virtual IP for the web service.
# config firewall vip2) Import the server certificate into FortiGate under System -> Certificate and then define the certificate below.
edit "web"
set extip 10.56.243.162
set extintf "any"
set mappedip "10.101.0.52" <----- Web server internal IP.
next
end
# config firewall ssl-server3) Create a custom deep inspection profile.
edit "websrv"
set ip 10.101.0.52 <----- Web server internal IP.
set ssl-mode half
set ssl-cert "wildcard_lab_com_au"
next
end
# config firewall ssl-ssh-profile4) Create firewall policy with destinated VIP and custom SSL inspection profile.
edit "custom-deep-inspection"
set comment "Customizable deep inspection profile."
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
end
config smtps
set ports 465
end
config ssh
set ports 22
end
set use-ssl-server enable <----- Ensure to enable this setting.
next
end
# config firewall policyMethod 2 - Server Load balance (SSL-mode half).
edit 2
set srcintf "port10"
set dstintf "port2"
set srcaddr "all"
set dstaddr "web"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set utm-status enable
set logtraffic all
set webcache enable
set webcache-https enable
set fsso disable
set ssl-ssh-profile "custom-deep-inspection"
set nat enable
next
end
1) Create Server load balance object.
# config firewall vip2) Create new firewall policy with destinated VIP.
edit "Web"
set type server-load-balance
set extip 10.56.243.162
set extintf "any"
set server-type https
set extport 443
config realservers
edit 1
set ip 10.101.0.52 <----- Web server internal IP.
set port 80
next
end
set ssl-certificate "wildcard_lab_com_au"
next
end
# config firewall policy
edit 2
set srcintf "port10"
set dstintf "port2"
set srcaddr "all"
set dstaddr "Web"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set utm-status enable
set logtraffic all
set webcache enable
set webcache-https enable
set fsso disable
set ssl-ssh-profile "deep-inspection"
set nat enable
next
end
Related Articles
Technical Note: HTTPS/SSL load balance and SSL offloading option missing in GUI
