Hi Abelio,

Thank you for reply.

So i must use Pserver IP to access to my server with SSH not with Vserver IP. 

Younes wrote:

So i must use Pserver IP to access to my server with SSH not with Vserver IP. 

Exactly; same thing for FTP/SFTP/SCP access.

regards

Hi abelio thank you for your repley,

i have another problème:

- may fortiweb is on mode reverse proxy.

- port 3 : connected to the DMZ

 - port 2 : conneted to firwall fortigate.

- port 6 : gateway of sevrer on the DMZ 

so i created the to Vserver and when i modify the gateway oh the physical to IP of the port 3 i can't reach the server via Vserver so i turned the gateway to @ IP of port 6 ,the server will be reachable Via Vserver.

i didn't understand Why and where is th problème.

Please help. 

Younes wrote:

- port 3 : connected to the DMZ

 - port 2 : conneted to firwall fortigate.

- port 6 : gateway of sevrer on the DMZ 

so i created the to Vserver and when i modify the gateway oh the physical to IP of the port 3 i can't reach the server via Vserver so i turned the gateway to @ IP of port 6 ,the server will be reachable Via Vserver.

Younes, sans voir la topologie, je ne suis pas exactement certain que je comprends le problème... mais il semble que  port2 de FortiWeb devrait avoir le vserver attaché ... et pas le port6. Comme celui-ci:

Internet --- FortiGate --- port2•FortiWeb•port3 --- web servers

                           vserver1

                           route 0.0.0.0/0 via port3

vserver1 (reverse proxy) va accepter le HTTP et après, FortiWeb utilise sa table routing. J'espère que ça aide...

Courtney

Hi Courtney,

thanks for your answer,  I can´t  find  the solution for this problem ..

 I  have config in the Fortigate two rules :

 1. MPLS( SRddres 192.168.0.78)   to WAF( with VIP  172.10.15.62---->172.18.15.62 (vserver ) forwarding only port 80  )

 2. MPLS( SRddres 192.168.0.78)  to  LAN (back-end server 172.10.15.62  for  rdp,ssh etc..) 

the first policy is working good but second rule  not  working  drop  the requests for port rdp,ssh etc.. you can to watch how  the second rule go to  the back-end server  but drop  the request.

what can I do ?

attach new topology,

thanks,

Hi Dieorqui,

Your topology is like FortiWeb 5.5.3 Administration Guide page 79.

It shows a FortiGate RDP/SSH/FTP port forward to the physical web servers' IP -- not to FortiWeb's vserver IP, which is a proxy that only receives HTTP/HTTPS and will drop everything else. (Abelio is correct.)

That's why your FortiWeb setting should be "set ip-forward disable" -- not enabled. Your router should also port forward RDP/SSH/SFTP to your web servers, not to FortiWeb, which is an extra hop. (FortiWeb cannot scan RDP/SSH, so there is no benefit. It would just increase latency.)

"set ip-forward enable" is not recommended. If you really want to use it, though, try this config + topology.

In the docs it describes more: