ClaudioRezende
New Contributor

Fortigate - Virtual IP / One public IP for two internal web servers using same 443 ports

Hi guys,

In my domain I have two web server applications and I need to publish both. They are hosted on different internal web servers.
I only have one public IP to do that and both need to use the HTTPS port.

Ex:
webserver1.mydomain.com / 200.10.10.10:443 > 192.168.1.10:443
webserver2.mydomain.com / 200.10.10.10:443 > 192.168.1.11:443

Is it possible to configure FortiGate to do it with a virtual IP?
Will FortiGate be able to match different FQDNs and redirect to the correct web server?

Regards,


7 Replies
ede_pfau
Esteemed Contributor III

Hi,

Not as far as I know. The feature you are looking for is called "URL routing", and is available in a FortiADC for instance (a reverse proxy). The Fortigate knows how to exchange destination IP address and/or destination port, and that's it. A VIP will not look at an HTTP request to route the traffic to one of two internal webservers - Fortigate VIP is on layer 4, URL routing on layer 7.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

amouawad
Staff

You can't do this with a standard VIP but will be able to do it using virtual servers/load balancer, which are a special type of VIP.

You need to enable 'Load Balance' feature in the GUI first via System > Feature Visibility > Load Balance.

Once enabled you'll be able to configure virtual servers, with a single VIP. Select HTTP Host as the load balancing method, then add your real backend servers with their hostnames.

You'll need to upload a wildcard certificate for *.mydomain.com to match both hosts.
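
The virtual server described in the post above, written out as FortiOS CLI. This is an added example, not part of the original post or of Fortinet's documentation; the object name `vs-web-443`, the interface `wan1`, the certificate name `wildcard-mydomain` and the choice of `ssl-mode full` (because both backends in the question listen on 443) are assumptions.

```fortios
# Added example: one HTTPS virtual server on the single public IP,
# dispatching on the HTTP Host header to two real servers.
config firewall vip
    edit "vs-web-443"
        # A virtual server is a VIP of type server-load-balance.
        set type server-load-balance
        set extip 200.10.10.10
        set extintf "wan1"
        # https: the FortiGate terminates TLS so it can read the Host header.
        set server-type https
        set ldb-method http-host
        set extport 443
        # Assumption: the wildcard certificate for *.mydomain.com was
        # imported under this name. A wildcard covers one label only,
        # so both hostnames must sit directly under mydomain.com.
        set ssl-certificate "wildcard-mydomain"
        # Assumption: re-encrypt towards the backends, since they serve 443.
        set ssl-mode full
        config realservers
            edit 1
                set ip 192.168.1.10
                set port 443
                set http-host "webserver1.mydomain.com"
            next
            edit 2
                set ip 192.168.1.11
                set port 443
                set http-host "webserver2.mydomain.com"
            next
        end
    next
end
```

The virtual server only takes effect once a firewall policy from the external interface uses it as the destination address. Because TLS is terminated on the FortiGate, the private key for the wildcard certificate lives on the firewall and should be protected accordingly.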

ClaudioRezende

Thanks a lot!!!

FusionScott

What is the "Virtual Server IP" in this scenario? Is it the external IP? What if I'm using dynamic DNS?

abelio
Valued Contributor


@FusionScott wrote:

> What is the "Virtual Server IP" in this scenario? Is it the external IP?

Indeed.

> What if I'm using dynamic DNS?

A different problem to solve, but not with Fortigate.
You'll need another approach.

Regards,

__ Abel

ede_pfau
Esteemed Contributor III

Nice, learning every day! Thanks for posting.

I've found this KB article on the topic: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

In comparison to a "real reverse proxy", a FGT can distinguish real server targets by URL host part, not by the path: "test1.domain.com" and "test2.domain.com" will work, but "www.domain.com/outlook" and "www.domain.com/support" will not.

But then again, this feature is included in FortiOS, for free so to say.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

Debbie_FTNT
Staff

Another thread discussing this:

https://community.fortinet.com/t5/Fortinet-Forum/Redirect-HTTP-Requests-coming-from-the-WAN-to-difer...

Let us know if you still have questions :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++