Hi,
I have two websites hosted internally on 192.168.1.10 through IIS as follows
https://website1.com = 192.168.1.10
https://website2.com = 192.168.1.10
I have created two A records in my public domain DNS, then on FortiGate I created virtual servers
And on firewall policy created policy
Incoming Interface: WAN
Outgoing Interface: LAN
Destination: Web server IP
Service: HTTPS
Inspection Mode: Proxy based
NAT: Off or ON
Still not able to access any of the websites. What have I missed?
Hi,
First, SSL offload mode "client<->FortiGate" means that the client <-> FortiGate path uses TLS, but the FortiGate <-> Server segment is plaintext HTTP. Since you're using port 443 for the real-servers, that suggests a mismatch. FortiGate is sending plaintext to your real-servers, while those servers probably(?) expect encrypted HTTPS.
You should either switch to SSL full-mode, or forward the traffic to plaintext HTTP port of your real-server(s) (if they are ready to process plaintext HTTP traffic).
Second, it is a bit strange that your two real-servers are the same IP and the same port. This feature is typically used to redirect traffic to different real-servers. If everything really goes to a single real-server in your scenario, then you should consider two other options that are even simpler:
1, Just a basic VIP (only if the realserver is supposed to terminate the TLS connection and has its own valid certificate)
2, The same HTTPs-type server-load-balance VIP, but leave the balancing method to "static" and use just a single real-server. (no need to duplicate it)
I have two websites hosted internally on 192.168.1.10 through IIS as follows
https://website1.com = 192.168.1.10
https://website2.com = 192.168.1.10
Since both websites are hosted on the same real server, there is no need for load balancer on your Fortigate. Your web server will serve the right content.
Do you really need to do deep inspection on the Fortigate? If so, don't use the factory certificate. Or at least ensure it is trusted by the clients and that the issuer of your real server certificate is trusted by Fortigate.
And on firewall policy created policy
Destination: Web server IP
Destination should be your "Websites" VIP object.
Still not able to access any of the websites. What have I missed?
You will need to provide a lot more details (specific browser error message, relevant Fortigate config snippets, PCAP, flow debug, WAD debug, etc.) if you seek a more specific answer.
Hi Pminarik
If I go with basic VIP then I won't be able to differentiate between website1.com and website2.com, same will be with Load balancing method - static.
The differentiation is relevant only for deciding to which real-server to send the traffic. In your screenshot the server is the exact same for both (identical IP:port for both), therefore there is no purpose to this differentiation.
If this was just a quickly stitched together example picture and you're actually using two different real-servers, then you can ignore this part of the advice.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.