Fortinet Forum
Aitor
New Contributor

Redirect HTTP Requests coming from the WAN to different webservers based on domain name

Hello, I am trying to redirect the traffic coming from the WAN to a specific machine based on the domain name that a user types as a URL. This is somewhat tough to explain properly since this is my first time doing it so I will try to provide a detailed example.

 

The FortiGate Firmware version is 6.4.7.

I have 2 different servers in the same network that run as webservers, one machine has a 192.168.1.10/32 address and the other one 192.168.1.11/32. I have a DNS hosting where I can create several alias registries pointing to the public IP address that is set on the WAN.

The main plan is the following.

I created an entry in the DNS that points machineA.mydomain.com to the public IP address set on the WAN and I created a Virtual IP that redirects this request directly to the webserver at 192.168.1.10/32. This one worked flawlessly since it was done directly through port forwarding.

The problem comes when I try to add a second registry that points to the same public IP address on the WAN but in this case the alias is machineB.mydomain.com and the machine is 192.168.1.11/32. I have no clue how to redirect such a request to a different machine since port forwarding is not an option because both machines use the same ports (or am I wrong in this statement?)

I have come across different ideas but I don't know if they are possible solutions and I do not know how to apply them.

1.1. FortiGate DNS Server. I was wondering if I could create an NS entry in my DNS hosting to redirect all the requests for mydomain.com, including all subdomains, to the FortiGate DNS server through the public IP address set on the WAN. Then I believe I can enable what is referred to as "DNS Database table" in the FortiGate and create my own entries.

1.2. Moving such machines to the DMZ. I have been working with FortiGates for the last couple of years and I have yet to try the DMZ. Is it a viable option? I am personally more familiar with the DNS server option mentioned before.

I have seen different posts written in here but it was to no avail. Hopefully I am on the right track for this and things can get sorted. If there is a proper post already with this issue fixed I apologize beforehand for opening this post and please add a link to such a post.

 

Feel free to ask for more details, I feel like there's information lacking somewhere I have yet to know.

 

Thank you in advance.

1 Solution
Debbie_FTNT
Staff

Hey Aitor,

have a look at this thread: https://community.fortinet.com/t5/Fortinet-Forum/Virtual-server-with-real-servers-on-different-subne...

Especially the OP's initial comment and configuration snippets.

From your description, it sounds as if you want one VIP and direct to different real servers based on the URL that is used to access the VIP, correct?

It sounds as if a load-balancing VIP and using the 'http-host' parameter is what you're looking for. Do note that the policy/VDOM/FortiGate (depending on firmware version) may need to be in proxy-mode for this option to become available, and you may need to enable the 'Load Balance' option under System > Feature Visibility to make 'Virtual Server' accessible under Firewall Objects.


+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
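
The setup described in the answer above, written out as a FortiOS CLI sketch. This is an added example, not part of the original post and not taken from the linked thread. The object name `vs-web`, the interface names `wan1` and `internal`, the policy ID `10` and the external address `203.0.113.10` (a documentation-range placeholder for the WAN IP) are assumptions; the real server addresses and hostnames are the ones from the question.

```text
# Added example. Names, interfaces, policy ID and extip are assumed placeholders.
# One virtual server on the WAN address; the HTTP Host header selects the real server.
config firewall vip
    edit "vs-web"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type http
        set extport 80
        set ldb-method http-host
        config realservers
            edit 1
                set ip 192.168.1.10
                set port 80
                set http-host "machineA.mydomain.com"
            next
            edit 2
                set ip 192.168.1.11
                set port 80
                set http-host "machineB.mydomain.com"
            next
        end
    next
end

# The policy that publishes the virtual server must run in proxy mode,
# otherwise the virtual server cannot be selected as destination.
config firewall policy
    edit 10
        set name "wan-to-webservers"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vs-web"
        set action accept
        set schedule "always"
        set service "HTTP"
        set inspection-mode proxy
    next
end
```

With this in place only port 80 on the two web servers is reachable from the WAN, and both DNS names keep pointing at the same public address. Drop the `#` annotation lines if your CLI session does not accept them.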

Aitor

Hi Debbie, 

 

Thank you for the swift reply as well as the link for the thread. I wasn't aware of the Virtual Server feature and it seems that it could achieve exactly what I am aiming for. I will reply back if it works and accept your answer as a solution.

Aitor

This actually worked FLAWLESSLY. I cannot thank you enough for this Debbie. I forgot for a second to switch to proxy-mode while setting up the policy and it gave me a little headache, but it's all good!

 

Thank you again and have a nice week.

Debbie_FTNT

Hey Aitor,

happy to hear that everything is working for you now :)

Thanks, and have a nice week as well!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++