Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
frankben

Load balance multiple website

Hi,

 

I have two websites hosted internally on 192.168.1.10 through IIS as follows

https://website1.com = 192.168.1.10

https://website2.com = 192.168.1.10

 

I have created two A records in my public domain DNS, then on FortiGate I created virtual servers

[attached screenshot "forti VIP.PNG": the two virtual server (VIP) entries]

 

And in the firewall policy section I created a policy:

Incoming Interface: WAN
Outgoing Interface: LAN
Destination: Web server IP

Service: HTTPS

Inspection Mode: Proxy based

NAT: Off or ON

 

 

Still not able to access any of the websites. What have I missed?

pminarik

Hi,

First, SSL offload mode "client<->FortiGate" means that the client <-> FortiGate path uses TLS, but the FortiGate <-> Server segment is plaintext HTTP. Since you're using port 443 for the real-servers, that suggests a mismatch. FortiGate is sending plaintext to your real-servers, while those servers probably(?) expect encrypted HTTPS.

 

You should either switch to SSL full-mode, or forward the traffic to plaintext HTTP port of your real-server(s) (if they are ready to process plaintext HTTP traffic).

 

Second, it is a bit strange that your two real-servers are the same IP and the same port. This feature is typically used to redirect traffic to different real-servers. If everything really goes to a single real-server in your scenario, then you should consider two other options that are even simpler:

1. Just a basic VIP (only if the real server is supposed to terminate the TLS connection and has its own valid certificate)

2. The same HTTPS-type server-load-balance VIP, but leave the balancing method at "static" and use just a single real server (no need to duplicate it).

[ corrections always welcome ]
bpozdena_FTNT


> I have two websites hosted internally on 192.168.1.10 through IIS as follows
>
> https://website1.com = 192.168.1.10
>
> https://website2.com = 192.168.1.10


Since both websites are hosted on the same real server, there is no need for a load balancer on your FortiGate. Your web server will serve the right content.

 

Do you really need to do deep inspection on the FortiGate? If so, don't use the factory certificate. Or at least ensure it is trusted by the clients and that the issuer of your real server certificate is trusted by the FortiGate.

 


> And on firewall policy created policy
>
> Destination: Web server IP


Destination should be your "Websites" VIP object.

 


> Still not able to access any of the websites. What have I missed?


 

You will need to provide a lot more details (specific browser error message, relevant FortiGate config snippets, PCAP, flow debug, WAD debug, etc.) if you seek a more specific answer.

 

HTH,
Boris
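The two replies above make three separate points: the SSL offload mode "client<->FortiGate" sends plaintext to a real server listening on 443, a single real server needs no balancing at all, and the policy destination has to be the VIP object. The FortiOS CLI fragments below are an added example written for this thread, not config from either poster; the interface names ("wan1", "internal"), the public address 203.0.113.10 and the certificate object "websites-cert" are assumptions, and the real-server port and hostnames are taken from the original post.

```text
# Added example (not the posters' config). Assumed names/values: WAN interface
# "wan1", LAN interface "internal", public VIP address 203.0.113.10, and a
# FortiGate certificate object "websites-cert" valid for both hostnames.

# --- What the screenshot implies: HTTPS server-load-balance VIP, SSL mode
# "client<->FortiGate" (CLI: ssl-mode half), real server on port 443.
# FortiGate terminates TLS on the WAN side and forwards PLAINTEXT HTTP to
# 192.168.1.10:443, where IIS expects a TLS handshake -> connection fails.
config firewall vip
    edit "Websites-broken"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 443
        set ssl-mode half
        set ssl-certificate "websites-cert"
        config realservers
            edit 1
                set ip 192.168.1.10
                set port 443
            next
        end
    next
end

# --- Fix A: keep TLS on both legs (ssl-mode full), one real server, static
# method. FortiGate re-encrypts toward IIS; IIS still receives the Host
# header and selects the matching site binding itself.
config firewall vip
    edit "Websites"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 443
        set ldb-method static
        set ssl-mode full
        set ssl-certificate "websites-cert"
        config realservers
            edit 1
                set ip 192.168.1.10
                set port 443
            next
        end
    next
end

# --- Fix B (alternative): offload TLS on FortiGate and talk plaintext to IIS.
# Same as Fix A except:
#     set ssl-mode half
#     ... and under realservers: set port 80
# Only valid if IIS has an HTTP (port 80) binding for both sites.

# --- Fix C (alternative): plain port-forward VIP, no TLS handling on the
# FortiGate. IIS terminates TLS with its own certificate.
config firewall vip
    edit "Websites-basic"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 443
        set mappedport 443
    next
end

# --- Inbound policy: the destination is the VIP object, not the server IP.
config firewall policy
    edit 0
        set name "Inbound-Websites"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Websites"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set nat disable
    next
end
```

Before touching the FortiGate, confirm which leg is failing from a host on the LAN with `openssl s_client -connect 192.168.1.10:443 -servername website1.com` (and again with website2.com): if IIS answers with the expected certificate for each name, the server side is fine and the problem is the VIP's SSL mode or the policy destination. With Fix A, also make sure the certificate presented by IIS chains to a CA the FortiGate trusts, as bpozdena_FTNT notes above, or the back-end handshake will fail for a different reason.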
frankben

Hi Pminarik

 

If I go with a basic VIP then I won't be able to differentiate between website1.com and website2.com; the same applies to the load balancing method "static".

pminarik

The differentiation is relevant only for deciding to which real server to send the traffic. In your screenshot the server is exactly the same for both (identical IP:port), therefore there is no purpose to this differentiation.

If this was just a quickly stitched-together example picture and you're actually using two different real servers, then you can ignore this part of the advice.

[ corrections always welcome ]