Hi guys,
In my domain I have two web server applications and I need to publish both. They are hosted on different internal web servers.
I only have one public IP to do that and both need to use the https port.
Ex:
webserver1.mydomain.com / 200.10.10.10:443 > 192.168.1.10:443
webserver2.mydomain.com / 200.10.10.10:443 > 192.168.1.11:443
Is it possible to configure FortiGate to do it with a virtual IP?
Will FortiGate be able to match different FQDNs and redirect to the correct web server?
Regards,
hi,
not as far as I know. The feature you are looking for is called "URL routing", and is available in a FortiADC for instance (a reverse proxy). The Fortigate knows how to exchange destination IP address and/or destination port, and that's it. A VIP will not look at an HTTP request to route the traffic to one of two internal webservers - Fortigate VIP is on layer 4, URL routing on layer 7.
You can't do this with a standard VIP but will be able to do it using virtual servers/load balancer, which are a special type of VIP.
You need to enable 'Load Balance' feature in the GUI first via System > Feature Visibility > Load Balance:
Once enabled you'll be able to configure virtual servers, with a single VIP. Select HTTP Host as the load balancing method, then add your real backend servers with their hostnames.
You'll need to upload a wildcard certificate for *.mydomain.com to match both hosts.
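The configuration described in the answer above, written out as a FortiOS CLI sketch. This is an added example, not part of the original post: the VIP name `vs-web`, the interface `wan1` and the certificate name `wildcard_mydomain` are assumptions, while the addresses and hostnames are the ones from the question. The `#` lines are annotations; remove them before pasting.

```fortios
config firewall vip
    # "vs-web" is an assumed name for the virtual server
    edit "vs-web"
        set type server-load-balance
        # "wan1" is an assumed external interface; extip is the single public IP
        set extintf "wan1"
        set extip 200.10.10.10
        set extport 443
        set server-type https
        # Pick the real server by the Host header of the decrypted request
        set ldb-method http-host
        # The real servers listen on 443, so re-encrypt towards them
        set ssl-mode full
        # Assumed name of the uploaded *.mydomain.com wildcard certificate
        set ssl-certificate "wildcard_mydomain"
        config realservers
            edit 1
                set ip 192.168.1.10
                set port 443
                set http-host "webserver1.mydomain.com"
            next
            edit 2
                set ip 192.168.1.11
                set port 443
                set http-host "webserver2.mydomain.com"
            next
        end
    next
end
```

The virtual server only takes traffic once an inbound firewall policy uses it as the destination address. Because the FortiGate terminates TLS here, the private key of the wildcard certificate lives on the firewall and should be protected accordingly.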
Thanks a lot !!!
What is the "Virtual Server IP" in this scenario? Is it the external IP? What if I'm using dynamic DNS?
Created on 02-07-2023 06:00 AM Edited on 02-07-2023 06:03 AM
@FusionScott wrote: What is the "Virtual Server IP" in this scenario? Is it the external IP?
Indeed.
What if I'm using dynamic DNS?
A different problem to solve, but not with Fortigate.
You'll need another approach.
regards
/ Abel
Hello
I just read this and I was having the same issue. Now I can have 2 web servers with only 1 public IP.
Now I have another issue. I know that I have to create an inbound rule to allow access from the internet to the servers. I want to know how I can solve this in case I need different rules for one server and another for the other server, because here the inbound rule points to a virtual server and this one splits the traffic to each server.
My question about all of this is because I wish to deploy Fortigate or Fortiwaf in Google Cloud and, as you know, all the servers have different rules of exposure to inbound rules.
Now I know that I can use this solution to protect my virtual machines, but I need to know how I can configure Fortinet to manage different rules for each destination server.
I hope I was clear and I hope that there is a way to solve this.
Nice, learning every day! Thanks for posting.
I've found this KB article on the topic: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...
In comparison to a "real reverse proxy", a FGT can distinguish real server targets by URL host part, not by the path: "test1.domain.com" and "test2.domain.com" will work, but "www.domain.com/outlook" and "www.domain.com/support" will not.
But then again, this feature is included in FortiOS, for free so to say.
Another thread discussing this:
Let us know if you still have questions :)