Support Forum
orani
Contributor II

Reverse Proxy - HTTPS to HTTPS

I am trying to use the load balancing module as a reverse proxy.

My goal is to protect the OWA of my Exchange.

So, when I create a virtual server for HTTP (any port) from my external IP to any internal web server using HTTP (real server), and also create the necessary IPv4 policy, it works fine.

But when I try to create a virtual server for HTTPS (any port) or HTTP (any port) from my external IP to my Exchange server using HTTPS (real server), and also create the necessary IPv4 policy, it doesn't work.

When trying the URL https://mypublicip or https://mypublicip:port from a browser, I get the browser's certificate warning, and when I hit continue I receive an error for an empty response. When I try http://mypublicip or http://mypublicip:port, I get connection refused or connection timed out in my browser.

Ideally I would like to configure the HTTPS-to-HTTPS scenario. I am a little bit confused about the certificates I have to use.

When Microsoft Exchange Server is installed, a self-signed certificate is created. Is this the certificate I have to use on the firewall also? (Export from the Exchange server and import to the firewall??)

Any ideas...???

Orestis Nikolaidis

Network Engineer/IT Administrator

orani

OK. I made the IP pool and imported the pool into the policy NAT as shown below, but I am still getting the same.

Orestis Nikolaidis

Network Engineer/IT Administrator

orani
Contributor II

Sorry, my mistake.

I made the reverse and did the NAT as shown...

Orestis Nikolaidis

Network Engineer/IT Administrator

Dave_Hall
Honored Contributor

From what I can tell, you basically have a server behind the FGT that has a public IP that is separate from the FGT's own IP. So you likely need to set up:

1. A VIP (port forward) from the external IP to the private server IP

2. A firewall policy for the above

3. IP address of the private server IP

4. One-to-one IP pool for the external IP

5. A firewall policy for the private server IP going out using the one-to-one IP pool.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

orani

You are right. This is the scenario I use now, but I don't use a one-to-one IP pool but overload, and it works perfectly for me. But I don't want to distribute the mail server to the internet for OWA access, so I need a reverse proxy for this. So I thought to use the FGT's load balancing feature.

This is why I am trying this.

Orestis Nikolaidis

Network Engineer/IT Administrator

hubertzw
Contributor III

What Dave said is: for outgoing traffic you can use a pool or NAT with overload. For incoming traffic you don't need any NAT. Of course it isn't relevant to the error you see, just off topic.

Regarding the error you have: can you explain how you test it? The object 'test_exchange' doesn't look like a VIP object. Can you run the following diag commands during the test?

diag debug flow filter addr YOUR-SOURCE-IP
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 200
diag debug enable

orani

About how I am testing it: I try from outside of my company network (i.e. my home network) to access the URL https://mycompanypublicip

The object "test exchange" is not a VIP object but a virtual server object.

 

 

This is a simplified image of my example.

What I want is for internet users to have access to the mail server (OWA).

My running config is exactly what Dave said, and it is working. But in this scenario I am distributing the web/mail server to the internet.

My goal is to create a reverse proxy at the FortiGate to avoid the above situation.

So I have done some things:

1. created a health check

2. created a virtual SERVER (not VIP) with

    a. Type = HTTPS

    b. Interface = WAN interface

    c. Virtual server IP = 1 IP from the range of the 16

    d. Virtual server port = 443

    e. LB Method = static

    f. Persistence = none

    g. SSL offloading = tried both

    h. Real Servers = 192.168.1.241 port 443 (my Exchange server)

3. created an IPv4 policy as shown in previous posts, with destination address the virtual server object.

That's all I have done.

I don't know if I am missing something.

Is this the right procedure?

PS: I am not good with debug commands.

Orestis Nikolaidis

Network Engineer/IT Administrator

orani
Contributor II

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server

 

This is what I tried, but with HTTPS/443 and not 8080 and HTTP.

Orestis Nikolaidis

Network Engineer/IT Administrator

hubertzw
Contributor III

Do you have more than one Exchange server? I'm trying to understand why you need load balancing.

In the example you sent, you need the VIP object as a destination. I don't think you set the VIP as a destination in the firewall policy. Maybe you could share your config (without sensitive information), as it could help us understand your scenario.

 

orani

No, I have only one Exchange server. I don't need load balancing. I need the load balancing feature to use it as a reverse proxy.

As for the example, I know that I didn't use any VIP object. Using a VIP object works fine. But I would like to use the virtual server object for reverse proxying, as I mentioned before.

 

Is this possible?

Orestis Nikolaidis

Network Engineer/IT Administrator

orani
Contributor II

?????

Orestis Nikolaidis

Network Engineer/IT Administrator
