I try to use the load balancing module as a reverse proxy.
My goal is to protect the OWA of my Exchange.
So, when I create a virtual server for HTTP (any port) from my external IP to any internal web server using HTTP (real server) and also create the necessary IPv4 policy, it works fine.
But when I try to create a virtual server for HTTPS (any port) or HTTP (any port) from my external IP to my Exchange server using HTTPS (real server) and also create the necessary IPv4 policy, it doesn't work.
When trying from a browser the URL https://mypublicip or https://mypublicip:port I get the certificate warning of the browser, and when I hit continue I receive an error for an empty response; when I try http://mypublicip or http://mypublicip:port I get connection refused or connection timed out in my browser.
Ideally I would like to configure the HTTPS-to-HTTPS scenario. I am a little bit confused about the certificates I have to use.
When Microsoft Exchange Server is installed, a self-signed certificate is created. Is this the certificate I have to use on the firewall also? (export from the Exchange server and import to the firewall??)
Any ideas...???
Orestis Nikolaidis
Network Engineer/IT Administrator
Sorry, my mistake.
I made the reverse and do the NAT as shown...
Orestis Nikolaidis
Network Engineer/IT Administrator
From what I can tell, you basically have a server behind the FGT that has a public IP that is separate from the FGT's own IP. So you likely need to set up:
1. A VIP (port forward) from the external IP to the private server IP
2. A firewall policy for the above
3. An IP address object for the private server IP
4. A one-to-one IP pool for the external IP
5. A firewall policy for the private server IP going out using the one-to-one IP pool.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
You are right. This is the scenario I use now, but I don't use a one-to-one IP pool but overload, and it works perfectly for me. But I don't want to expose the mail server to the internet for OWA access, so I need a reverse proxy for this. So I thought to use the FGT's load balancing feature.
This is why I am trying this.
Orestis Nikolaidis
Network Engineer/IT Administrator
What Dave said is: for outgoing traffic you can use a pool or NAT with overload. For incoming traffic you don't need any NAT. Of course it isn't relevant to the error you see, just off topic.
Regarding the error you have: can you explain how you test it? The object 'test_exchange' doesn't look like a VIP object. Can you run the following diag commands during the test?
diag debug flow filter addr YOUR-SOURCE-IP
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 200
diag debug enable
About how I am testing it: I try from outside of my company network (i.e. my home network) to access the URL https://mycompanypublicip
The object "test exchange" is not a VIP object but a virtual server object.
This is a simplified image of my example.
What I want is for internet users to have access to the mail server (OWA).
My running config is exactly what Dave said and it is working. But in this scenario I am exposing the web/mail server to the internet.
My goal is to create a reverse proxy at the FortiGate to avoid the above situation.
So I have done some things:
1. created a health check
2. created a virtual SERVER (not VIP) with
a. Type = HTTPS
b. Interface = WAN interface
c. Virtual server IP = 1 IP from the range of the 16
d. Virtual server port = 443
e. LB Method = static
f. Persistence = none
g. SSL offloading = tried both
h. Real Servers = 192.168.1.241 port 443 (my Exchange server)
3. created an IPv4 policy as shown in previous posts with destination address the virtual server object.
That's all I have done.
I don't know if I am missing something.
Is this the right procedure?
PS: I am not good with debug commands
Orestis Nikolaidis
Network Engineer/IT Administrator
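The virtual server described in the post above, rendered as FortiOS CLI so each GUI step maps to a config object. This is an added example, not config from the original thread; the interface names (wan1, internal), the public IP 203.0.113.10, the object names and the certificate name are assumptions.

```fortios
# Health check referenced by the virtual server (assumed name: owa_hc)
config firewall ldb-monitor
    edit "owa_hc"
        set type https
        set port 443
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Virtual server: a VIP of type server-load-balance, not a port-forward VIP
config firewall vip
    edit "owa_vs"
        set type server-load-balance
        set server-type https
        # assumed public IP from the /28 and assumed WAN interface name
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 443
        set ldb-method static
        set persistence none
        # full: FortiGate terminates the client TLS session with its own
        # certificate and opens a new TLS session to the real server on 443.
        # half would send plaintext to the real server, which does not match
        # a real server listening on 443.
        set ssl-mode full
        # placeholder certificate name; use one issued for the public hostname
        set ssl-certificate "Fortinet_Factory"
        set monitor "owa_hc"
        config realservers
            edit 1
                set ip 192.168.1.241
                set port 443
            next
        end
    next
end

# Policy from WAN to LAN whose destination is the virtual server object
config firewall policy
    edit 0
        set name "owa_reverse_proxy"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "owa_vs"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

With this in place, the diag debug flow trace quoted earlier in the thread should show the client session matching the policy whose dstaddr is owa_vs; a session that never reaches that policy points at the policy or interface, not at the virtual server.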
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server
This is what I tried, but with HTTPS/443 and not 8080 and HTTP.
Orestis Nikolaidis
Network Engineer/IT Administrator
Do you have more than one Exchange server? I'm trying to understand why you need load balancing.
In the example you sent you need the VIP object as a destination. I don't think you set the VIP as a destination in the firewall policy. Maybe you could share your config (without sensitive information) as it could help us to understand your scenario.
No, I have only one Exchange server. I don't need load balancing. I need the load balancing feature to use it as a reverse proxy.
As for the example, I know that I didn't use any VIP object. Using a VIP object works fine. But I would like to use the virtual server object for reverse proxying, as I mentioned before.
Is this possible?
Orestis Nikolaidis
Network Engineer/IT Administrator
?????
Orestis Nikolaidis
Network Engineer/IT Administrator