Support Forum
slemke
New Contributor II

Fortigate SSL Offloading with SNI

Hello everybody,

We are currently using, on a Fortigate (running 7.0.x OS), the SSL offloading feature for checking inbound traffic (!) to a web server located in our DMZ:

config firewall vip
    edit "Loadbalancer SSL www.example.org"
        set comment "for IPS on SSL"
        set type server-load-balance
        set extip 1.2.3.4
        set extintf "wan1"
        set server-type https
        set monitor "192.168.1.22"
        set extport 443
        config realservers
            edit 1
                set ip 192.168.1.22
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "www_example_org 03-23"
        set ssl-client-renegotiation deny
        set ssl-client-session-state-type disable
    next
end

config firewall policy
    edit 99
        set srcintf "wan1"
        set dstintf "dmz"
        set action accept
        set srcaddr "all"
        set dstaddr "Loadbalancer SSL www.example.org"
        set schedule "always"
        set service "HTTPS" "HTTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "my_certificate-inspection"
        set ips-sensor "my_protect_server"
        set application-list "my_app_protect_server"
        set logtraffic all
    next
end

The "www_example_org 03-23" is an officially issued certificate for my website ("www.example.org").

 

This configuration is realized in this way because I want the Fortigate to inspect the traffic (see my_app_protect_server and my_protect_server). Therefore the Fortigate needs to "crack" the connection and re-encrypt it using the official certificate.

 

Up to here everything is fine and working.

 

My goal is to host multiple websites on one public IP (in the example 1.2.3.4) - e.g. www.example1.org, www.example2.org and so on. I need this because of limited public IPs on my WAN side.

 

Therefore I need to use SNI - but I have no idea whether this is possible with the Fortigate, nor how to configure it. Simply using more than one "realserver" will not solve the problem, as I can only use one certificate to re-encrypt the traffic (set ssl-certificate "www_example_org 03-23").

 

I have found this: https://community.fortinet.com/t5/Support-Forum/server-load-balancing-finally-works-since-FOS-6-4/m-...
Under the missing features, "SNI" is mentioned - is this right? Is it also true for the latest FortiOS versions?


Can anybody assist me here?

Sebastian

1 Solution
lol
Staff

Hello,


This can be achieved with "set ldb-method http-host" and setting "set http-host your.fqdn" in your VIP object config.

 

example:

 

config firewall vip
    edit "SNI_based_virtual_hosts"
        set type server-load-balance
        set extintf "wan1"
        set server-type https
        set ldb-method http-host <---
        set persistence http-cookie <---
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.1
                set port 443
                set http-host "a.fqdn.com" <---
            next
            edit 2
                set ip 10.0.0.2
                set port 443
                set http-host "b.fqdn.com" <---
            next
        end
        set ssl-mode full
        set ssl-certificate "wildcard_or_san.fqdn.com"
        set ssl-server-algorithm high
        set ssl-server-min-version tls-1.1
        set ssl-server-max-version tls-1.2
    next
end

note:

The only issue here is the certificate.
It should either be a wildcard certificate for the CN of the whole domain, i.e. *.fqdn.com,
or it needs to include all the SNIs as SAN objects (subject alternative names), i.e. a.fqdn.com, b.fqdn.com, etc.

 


Regards

rosatechnocrat
Contributor II

Hi, yes, the SNI field is supported from version 7.0 onwards. You can modify the SSL-SSH profile to have SNI.

 

config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end

For more details you can look at the article below.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/850344/define-multiple-certificates-...

Rosa Technocrat --

Also on YouTube---

Please do Subscribe
slemke

Hi!

This did not work; my backend server complains about a mismatch between SNI and HTTP header:

Hostname www.example1.org provided via SNI and hostname www.example2.org provided via HTTP are different

 

The method @lol described has worked.

 

But it's not complete SNI - I would expect the Fortigate to set both (SNI and HTTP Host header) correctly?

If interested, I can supply complete config snippets.

Sebastian
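A pre-deployment check for the two pitfalls raised in this thread: the accepted solution's requirement that the single VIP certificate cover every http-host value (wildcard or SAN), and the SNI/Host mismatch the backend complained about. This is an added example written for this page, not code from the thread or from Fortinet; the hostnames, SAN lists and the VIP address 192.0.2.1 are constructed placeholders.

```python
import socket
import ssl


def cert_covers_host(hostname, sans):
    """True if one dNSName SAN covers hostname: exact match, or a leftmost
    single-label wildcard (*.fqdn.com covers a.fqdn.com, not fqdn.com or x.a.fqdn.com)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        pat = san.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            suffix = pat[1:]                       # ".fqdn.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def uncovered_vhosts(vhosts, sans):
    """Hostnames (the http-host values of the realservers) that the single
    VIP certificate would not cover; an empty list means the cert is fine."""
    return [h for h in vhosts if not cert_covers_host(h, sans)]


def probe_vhost(vip_ip, hostname, port=443, timeout=5):
    """Live check against a VIP: TLS with SNI=hostname, then a request whose
    Host header equals the SNI, so the backend sees both values agree.
    Returns the certificate's DNS SANs and the HTTP status line."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    try:
        with socket.create_connection((vip_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
                status = tls.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": str(exc)}   # cert does not cover this SNI
    return {"ok": True, "sans": sans, "status": status}


if __name__ == "__main__":
    # Constructed sample data mirroring the accepted solution (not real hosts).
    vhosts = ["a.fqdn.com", "b.fqdn.com", "c.other.com"]
    print("wildcard cert misses:", uncovered_vhosts(vhosts, ["*.fqdn.com"]))  # ['c.other.com']
    print("SAN cert misses:", uncovered_vhosts(vhosts, ["a.fqdn.com", "b.fqdn.com", "c.other.com"]))  # []
    # Live probe against a placeholder VIP address (replace with your own VIP):
    # print(probe_vhost("192.0.2.1", "a.fqdn.com"))
```

Run the offline check before changing the certificate; run probe_vhost once per http-host value after deployment, since a mismatch between the SNI the Fortigate forwards and the Host header will only show up on the backend.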

slemke
New Contributor II

Hi!

 

Thanks a lot, that works. I have to use two internal IP addresses - but that's not the problem. The problem - only using one external address - was solved.
The SSL certificate was a wildcard cert, so this was fine.

 

I guess this is the only way to solve this (see the above post from @rosatechnocrat)? Are there any plans to implement SNI "fully"? Or is it a feature for which FortiWeb must be used?

 

Thanks again,

Sebastian

matteocostanzo
New Contributor II

Is it possible to use this configuration always pointing to the same private IP, and make the firewall work as a real reverse proxy, without having to assign an IP for each third-level domain?

Securitymonster

I don't think so, which is quite disappointing. Any basic reverse proxy can do this:

1. One public IP with many FQDNs, each with their own certificate;
2. use SNI to send the correct certificate to the client (Fortigate can do this, with cert replace);
3. but then forward or even load balance traffic to whatever backend hosts you want based on the SNI information. Fortigate cannot do this, it seems (Fortiweb can). It can load balance traffic based on host headers in one virtual server, but a virtual server can only have the one certificate.

fortimaster

Hi! I would like to know your opinion on the reverse proxy (I think) I have configured.

 

I want to use Fortigate as a reverse proxy to connect to internal servers. I've created 2 virtual servers, each of them with a different SSL offload mode and both with load balancing method HTTP host. I have published a public IP (in the example 1.1.1.1) with some public DNS records (test.testdomain.com and test2.testdomain.com).

If I connect to "https://test.testdomain.com or https://test2.testdomain.com" from the Internet using a browser it works fine; I connect to the final servers configured using their real private IP and private IP port. I have configured a certificate *.testdomain.com on the virtual server.

 

After that, I've configured a policy, with the virtual server attached, deep inspection (https/ips) and the same certificate used in the virtual server.

 

The most important thing for me is that the TCP connection to the real server is not made by the end internet user. That's a reverse proxy for me. I want the Fortigate to create one TCP connection with the end user and another TCP connection to the real server, for security purposes.

client<-->TCP SESSION 1<-->Fortigate (Reverse proxy)<--> TCP SESSION 2<-->REAL SERVER.

 

Some servers need a connection to their HTTPS port and don't work with a plain connection. That is why I have configured 2 virtual servers:

Virtual server 1 --> SSL offload mode client<-->Fortigate. This one is used when connections to real servers are not to port 443.

Virtual server 2 --> SSL offload mode full. This one is used when connections to real servers are to port 443.

 

Now my doubts:

1) In both cases, is the connection to the real server established from the Fortigate? I have doubts about "full mode". I don't want in any case direct connections from the internet to my real servers (real servers are not in the DMZ).

2) Why is it necessary to configure the certificate on the virtual server if you configure it in the policy, too?

 

Thanks for your help. I attach an image of one of the 2 virtual servers, in this case for plain connections (SSL offload, not full). Are the 2 cases a reverse proxy connection (not direct to the real servers from the internet) or not?

 

[attachment: capture.JPG]

leoncharle72
New Contributor

Hi there! Using SSL offloading for inbound traffic to your web server sounds like a smart approach Blog Buzzz for security. If you have any specific questions or need assistance with configuration.
