I'm a bit confused by this:
"Source: Client IP --> Destination port: 3389 --> Destination: Server A IP"
"Source: Client IP --> Destination port: 3389 --> Destination NAT IP: Server B IP"
That sounds a bit as if you want port 3389 to be forwarded to server A and B? Other parts of your comments read as if port 3389 should only be forwarded to server B.
Essentially you need two VIPs:
- one for port 3389 (either just to server B, or set as type load-balancing and forward to both server A and B)
- one for port 443 (forward this to server A only)
-> the VIPs would have to be restricted to these ports externally as well.
You would then need policies for these VIPs to allow the traffic.
In addition, with port 443 - make sure the FortiGate admin port and SSLVPN ports are different, otherwise this could interfere with the VIP.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
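
The layout described in the reply above, sketched as FortiOS CLI. This is an added example, not part of the original post: every address, interface name, object name and the two replacement ports (8443, 10443) are placeholders, and limiting both policies to the client IP is an assumption taken from the quoted "Source: Client IP" flow.

```fortios
# Constructed example: addresses, interfaces, object names and ports are placeholders.
config firewall address
    edit "client-ip"
        set subnet 198.51.100.25 255.255.255.255
    next
end
config firewall vip
    edit "vip-rdp-serverB"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 3389
        set mappedip "192.0.2.20"
        set mappedport 3389
    next
    edit "vip-https-serverA"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
        set mappedip "192.0.2.10"
        set mappedport 443
    next
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "client-ip"
        set dstaddr "vip-rdp-serverB"
        set action accept
        set schedule "always"
        set service "RDP"
    next
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "client-ip"
        set dstaddr "vip-https-serverA"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
config system global
    set admin-sport 8443
end
config vpn ssl settings
    set port 10443
end
```

With `portforward enable` and a single `extport`, each VIP only answers on that one external port, and moving the admin HTTPS and SSL VPN listeners off 443 keeps them from competing with the HTTPS VIP.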