Load Balance http conversion to https
Hello everyone!
I'm running a 310B with V4 MR2 Patch 7 and I'm having trouble with one small feature. I've created a VIP as type server-load-balance and server-type https and enabled ssl-http-location-conversion; however, I'm still only able to use https://my.site.com to navigate to the site. The redirection from http to https doesn't seem to be working.
Here is the rest of the config as well.
config firewall vip
    edit "MySiteHTTPS"
        set type server-load-balance
        set extip xxx.xxx.xxx.xxx
        set extintf "amc-sw1/1"
        set server-type https
        set monitor "Do A Test"
        set ldb-method least-session
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.x
                set port 80
            next
            edit 2
                set ip 10.0.0.xx
                set port 80
            next
        end
        set ssl-certificate "mySite"
        set ssl-http-location-conversion enable
    next
end
The firewall policy is set up for this load balancer with "any" service and "always" for schedule. Like I said, the load balancing seems to be working properly; I'm just not able to get it to respond to http and replace it with https.
Any ideas or documents that could point me in the right direction?
Thanks!
Nick.
17 Replies
Hi, and welcome.
This is working for me:
config firewall vip
    edit "xx.xxx.xx"
        set type server-load-balance
        set extip xxx.xxx.xxx.xxx
        set extintf "WAN_XXXXX0"
        set server-type https
        set monitor "PING"
        set persistence ssl-session-id
        set extport 443
        config realservers
            edit 1
                set ip 172.20.x.x
                set port 80
            next
        end
        set ssl-mode half
        set http-multiplex enable
        set ssl-certificate "xxxxx"
        set ssl-http-location-conversion enable
    next
end
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Thanks for the response!
I've added multiplexing for posterity, but I'm unable to have the CLI show that I'm set as ssl-mode half. I can run the command and the GUI seems to reflect this change, but it's not showing up when I run: show firewall vip 'VipName'. The current results are:
config firewall vip
    edit "MySiteHTTPS"
        set type server-load-balance
        set extip xx.xxx.xxx.xx
        set extintf "amc-sw1/1"
        set server-type https
        set monitor "Do A Test"
        set ldb-method least-session
        set persistence ssl-session-id
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.x
                set port 80
            next
            edit 2
                set ip 10.0.0.xx
                set port 80
            next
        end
        set http-multiplex enable
        set ssl-certificate "mySite"
        set ssl-http-location-conversion enable
    next
end
I changed the ssl-mode to full and it did show up in the show command; however, it broke everything and I changed it back.
I am going to be updating to MR3 Patch 3 today because I'm on MR2 Patch 7, which is a special patch for early WAP adopters. Crossing my fingers that this is just a small bug instead of a bigger config problem.
Do you have any other ideas as to what it could be Selective?
Thanks again!
Hi Nick,
using " SSL-Mode full" will use ssl traffic from client to server, in half mode it will use ssl to the fortigate and then unencryptet traffic to the server.
it might just be that the servers dont like your load balancing. What does your real server do ?
FCNSA, FCNSP
Thanks,
I'm aware of what full and half do, and currently the GUI reflects that I am using Client ----> FortiGate (half), but the CLI isn't showing the option 'ssl-mode half' when I run a show command. It will only show the option if it's set to 'ssl-mode full'.
The real servers are running a pretty complicated student information system (portal) for a college. The servers, however, are responding and operating normally with the current load balancing configuration, with the exception of the http conversion. https://my.site.com is working exactly as expected.
I would assume the reply to replace http with https would happen at the FGT and have nothing to do with the servers, though. Am I mistaken? I have submitted a ticket to Fortinet with hopes that they can shed some light on this situation.
Thanks again.
Nick.
ssl-mode half is the default setting, therefore it won't show up with a "show" command; you need to type "get" to see it, or "show full-configuration".
FCNSA, FCNSP
sho fu ... without hyphen.
Ede Kernel panic: Aiee, killing interrupt handler!
Hey guys,
Thanks for the tips on the CLI. Still not having any luck, and my ticket seems to be less than important to Fortinet...
Any other ideas? I'm a firm believer that DNS causes 99% of problems :) But I'm 99% sure everything is working as it should here.
Just to rule out the possibility that the application/web service I am load balancing was causing the issue, I set up a test load balancer using one real server that is just hosting an index page over https. This behaved exactly the same way, and I was unable to get the load balancer to change the header to https.
My main question is: if the load balancer is only listening on port 443, how is it supposed to respond to a port 80 request and then reply to the client to use port 443? I'm used to using IIS, where in order to force SSL both port 80 and port 443 need to be open. In this case, it's not (or so it looks that way). Can anyone explain this to me?
Perhaps my firewall policy is set up wrong? In my initial concern from my first post I'm using an outside IP address, the VIP is attached to the outside interface (12.xxx.xxx.xx), and the real servers are on the internal network (10.x.x.x). The firewall rule allows any source to the load balancer and any service.
The other test that I set up to the simple index page on a different server was all on the internal (10.x.x.x) network. The VIP load balancer and real server were both on the 10.x.x.x subnet. I created a rule identical to the other VIP, and once again everything worked if I placed https:// as the header; however, http:// would not redirect.
Thanks for reading and helping, guys. I assume it's something pretty simple that I'm overlooking.
Nick.
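An added example, not from the thread and not Fortinet code, that separates the two things the posts above keep running together: what ssl-http-location-conversion does, and what a VIP with extport 443 can answer. FortiOS documents the option as replacing http with https in the Location header of the server's reply. That matters in ssl-mode half because the real server speaks plain HTTP on port 80 and therefore builds http:// URLs in its own redirects. The VIP itself only accepts connections on its extport, so a browser's http:// request, which goes to TCP port 80, is never seen by a VIP listening on 443; nothing rewrites it because nothing answers it. The Python below simulates both halves with a constructed backend stub on localhost. The hostname my.site.com and the /portal/ path are placeholders, and the probe is the same check you would run with curl against the real VIP.

```python
"""Added example (not from the forum thread): what ssl-http-location-conversion
rewrites, and why a 443-only VIP never answers an http:// request.

Assumptions not taken from the thread: my.site.com and /portal/ are
placeholders, and BackendStub is a constructed stand-in for a real server
that listens on port 80 behind an ssl-mode half VIP.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VIP_HOST = "my.site.com"  # placeholder hostname


class BackendStub(BaseHTTPRequestHandler):
    """Stand-in for a real server behind an ssl-mode half VIP: it only ever
    sees plain HTTP, so any redirect it emits carries an http:// URL."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", f"http://{VIP_HOST}{self.path}")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_backend():
    """Start the stub on an ephemeral localhost port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), BackendStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def convert_location(headers):
    """The reply-path rewrite ssl-http-location-conversion performs: an
    http:// Location header becomes https:// so the client's next request
    comes back over TLS. Only the scheme changes; nothing else is touched."""
    out = []
    for name, value in headers:
        if name.lower() == "location" and value.lower().startswith("http://"):
            value = "https://" + value[len("http://"):]
        out.append((name, value))
    return out


def probe(host, port, path="/portal/"):
    """Send a plain-HTTP GET and return (status, headers), or None when
    nothing is listening, which is what a browser gets on port 80 when the
    only VIP is an https VIP on extport 443."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=2)
        conn.request("GET", path, headers={"Host": VIP_HOST})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    except OSError:  # connection refused / timeout
        return None


def closed_port():
    """Pick a localhost port with no listener (the 'nobody answers on 80' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_backend()
    status, hdrs = probe("127.0.0.1", port)
    print("backend reply:", status, dict(hdrs)["Location"])
    print("after conversion:", dict(convert_location(hdrs))["Location"])
    print("http:// to a 443-only VIP:", probe("127.0.0.1", closed_port()))
    srv.shutdown()
```

Run as a script it prints the backend's http:// redirect, the converted https:// redirect, and None for the port with no listener. Against a real deployment the equivalent is that `curl -sI http://my.site.com/` gets no answer while `curl -skI https://my.site.com/` works, which is exactly the symptom the thread describes: the conversion only ever fires on replies that an https VIP has already proxied.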
Hi,
I don't think it's pretty simple, but pretty annoying.
One thought: did you configure your VIP as port forwarding, or ' all ports' ? Might stop here already.
Ede Kernel panic: Aiee, killing interrupt handler!
I'm a little confused by your question.
A load-balanced VIP automatically sets extport to 443 if server-type is https. However, I do not have port forwarding enabled on the load-balanced VIP either. I'd love it if I could enable "all ports" on the VIP; however, I have been unable to find a way to do so.
Nick.
