danfor443
New Contributor

How to use Virtual IP config

Hello everyone,

If I need my Exchange OWA accessible from outside, I need to create a Virtual IP.

E.g. my public IP is 123.123.123.123 and my internal Exchange IP is 192.168.1.1.

So I want 123.123.123.123 port 443 to map to 192.168.1.1 port 443.

And here is my question:

As far as I can see, I have two possibilities to reach my goal.


*********************************************

Possibility 1) On the VIP I configure

External IP Address/Range: 123.123.123.123

Mapped IP Address/Range: 192.168.1.1

Under Port Forwarding I configure

External Service Port: 443

Map to Port: 443

*********************************************


*********************************************

Possibility 2) On the VIP I configure

External IP Address/Range: 123.123.123.123

Mapped IP Address/Range: 192.168.1.1

And under "Optional Filters" I configure a service like "HTTPS".

*********************************************


Both possibilities work.

But I guess there is something I don't understand?

Can you help me?

Best Regards,

Danfor

1 Solution
ede_pfau
Esteemed Contributor III

The filter is for narrowing down the allowed incoming traffic. A filter will not redirect traffic to other ports, but a port forwarding will.

Sometimes it is easier to allow some service and use a non-port-forwarding VIP than to configure several pVIPs.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

danfor443

Hi Ede,

Aha! Nice to know, I didn't find that info in the handbook.

Thank you very much.

brycemd

The filter can also be used to have multiple services on the same port, so long as it's possible to narrow it down.

For example, if you have two external services that require a port forward on 443 to two different internal servers, you can use the VIP filter to narrow it down to the source public IP of the service. That way you can have two seemingly conflicting VIPs without the need to do port translation (or use a different public IP on your side).

lobstercreed

I don't recommend using port-forwarding VIP unless absolutely necessary. I have none in production, as my public servers have a 1-to-1 mapping. Firewall policy is where only port 443 (HTTPS) is allowed. No reason to complicate things unless you need multiple servers to listen on the same IP (something I know happens often enough for some folks).
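
The two possibilities from the question, written out as FortiOS CLI together with the firewall policy that restricts inbound traffic to HTTPS. This is an added example, not configuration posted by anyone in the thread; the interface names `wan1` and `internal` and all object names are assumptions, and the IP addresses are the ones from the question.

```fortios
# Added example. Interface and object names are assumptions.

# Possibility 1: port-forwarding VIP. Only TCP 443 on the external IP is
# translated. extport and mappedport may differ, which is the "redirect to
# other ports" that a filter cannot do.
config firewall vip
    edit "owa-pfwd"
        set extintf "wan1"
        set extip 123.123.123.123
        set mappedip "192.168.1.1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Possibility 2 (use instead of the VIP above, not alongside it): one-to-one
# VIP with the "Optional Filters" service set. The filter narrows which
# incoming traffic matches the VIP; the port is never rewritten.
config firewall vip
    edit "owa-static"
        set extintf "wan1"
        set extip 123.123.123.123
        set mappedip "192.168.1.1"
        set service "HTTPS"
    next
end

# With either VIP, the policy should still allow HTTPS only, so the exposure
# of the Exchange server does not depend on the VIP definition alone.
config firewall policy
    edit 0
        set name "inbound-owa"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "owa-pfwd"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

If the one-to-one VIP is used instead, reference `owa-static` in `dstaddr`; the `set service "HTTPS"` line in the policy is what keeps every other port on 192.168.1.1 unreachable from outside.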