Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ClaudioRezende
New Contributor

Created on ‎04-09-2022 05:34 AM

Fortigate - Virtual IP / One public IP for two internal web servers using same 443 ports

Hi guys,

In my domain I have two web Servers appliccation and I need to publish both. They are hosted in differente internal web servers.
I only have one public IP to do that and both need to use https port.

Ex:
webserver1.mydomain.com  / 200.10.10.10:443 > 192.168.1.10:443

 

webserver2.mydomain.com / 200.10.10.10:443 > 192.168.1.11:443

 

Is it possible configure Fotigate to do it with virtual IP?
Fortigate will be able to match different fqdn and redirect to correct web server ?

 

Regards ,

Labels:
11962
0 Kudos
3 Solutions
amouawad
Staff
Staff

Created on ‎04-10-2022 02:23 AM

You can't do this with a standard VIP but will be able to do it using virtual servers/load balancer, which are a special type of VIP.

 

You need to enable 'Load Balance' feature in the GUI first via System > Feature Visibility > Load Balance:

 

2022-04-10_19-15.png

 

Once enabled you'll be able to configure virtual servers, with a single VIP. Select HTTP Host as the load balancing method, then add your real backend servers with their hostnames.

2022-04-10_19-11.png

 

You'll need to upload a wildcard certificate for *.mydomain.com to match both hosts.

View solution in original post

11944
ede_pfau
Esteemed Contributor III

Created on ‎04-10-2022 05:33 AM

Nice, learning every day! Thanks for posting.

I've found this KB article on the topic: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

 

In comparison to a "real reverse proxy", a FGT can distinguish real server targets by URL host part, not by the path: "test1.domain.com" and "test2.domain.com" will work, but "www.domain.com/outlook" and "www.domain.com/support" will not.

But then again, this feature is included in FortiOS, for free so to say.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

11936
Debbie_FTNT
Staff
Staff

Created on ‎04-11-2022 12:40 AM

Another thread discussing this:

https://community.fortinet.com/t5/Fortinet-Forum/Redirect-HTTP-Requests-coming-from-the-WAN-to-difer...

Let us know if you still have questions :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

11918
0 Kudos
8 REPLIES 8
ede_pfau
Esteemed Contributor III

Created on ‎04-09-2022 10:34 AM

hi,

not as far as I know. The feature you are looking for is called "URL routing", and is available in a FortiADC for instance (a reverse proxy). The Fortigate knows how to exchange destination IP address and/or destination port, and that's it. A VIP will not look at a HTTP request to route the traffic to one of two internal webservers - Fortigate VIP is on layer 4, URL routing on layer 7.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
11903
amouawad
Staff
Staff

Created on ‎04-10-2022 02:23 AM

You can't do this with a standard VIP but will be able to do it using virtual servers/load balancer, which are a special type of VIP.

 

You need to enable 'Load Balance' feature in the GUI first via System > Feature Visibility > Load Balance:

 

2022-04-10_19-15.png

 

Once enabled you'll be able to configure virtual servers, with a single VIP. Select HTTP Host as the load balancing method, then add your real backend servers with their hostnames.

2022-04-10_19-11.png

 

You'll need to upload a wildcard certificate for *.mydomain.com to match both hosts.

11945
ClaudioRezende
New Contributor
In response to amouawad

Created on ‎04-11-2022 04:43 PM

Thanks a lot !!!

11859
0 Kudos
FusionScott
New Contributor II
In response to amouawad

Created on ‎02-07-2023 05:38 AM

What is the "Virtual Server IP" in this scenario? Is it the external IP? What if I'm using dynamic DNS?

7743
0 Kudos
abelio
Valued Contributor
In response to FusionScott

Created on ‎02-07-2023 06:00 AM Edited on ‎02-07-2023 06:03 AM

@FusionScott wrote:

What is the "Virtual Server IP" in this scenario? Is it the external IP?

 

Indeed.

 

What if I'm using dynamic DNS?


A different problem to solve, but no with Fortigate.
You'll need another approach

regards


__ Abel

7739
0 Kudos
nicolasj
New Contributor
In response to amouawad

Created on ‎07-28-2023 03:46 PM

Hello

 

I just read this and i was having the same issue. Now i can have 2 web servers with only 1 public IP. 

Now i have another issue. I know that i have to create an inboung rule to allow access from internet to the servers. I want to know how can i solve in case i need different rules for one server and another for the other server, because here the inboun rule points to a virtual server and this one splits the traffic to each server.

My questionto all of this is because i wish to deploy Fortigate or Fortiwaf in google cloud and as you know, all the servers have different rules os esposure to inbound rules. 

Now i know that i can use this solution to protect my virtual machines, but i need to know how can i configure Fortinet to manage different rules for each destination server.

I hoe i was clear and i hope that there is a way to solve this.

3702
0 Kudos
ede_pfau
Esteemed Contributor III

Created on ‎04-10-2022 05:33 AM

Nice, learning every day! Thanks for posting.

I've found this KB article on the topic: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

 

In comparison to a "real reverse proxy", a FGT can distinguish real server targets by URL host part, not by the path: "test1.domain.com" and "test2.domain.com" will work, but "www.domain.com/outlook" and "www.domain.com/support" will not.

But then again, this feature is included in FortiOS, for free so to say.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
11937
Debbie_FTNT
Staff
Staff

Created on ‎04-11-2022 12:40 AM

Another thread discussing this:

https://community.fortinet.com/t5/Fortinet-Forum/Redirect-HTTP-Requests-coming-from-the-WAN-to-difer...

Let us know if you still have questions :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
11919
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.