Canapla
New Contributor

SSL Certificate offloading

Hi everybody

 

I have a FortiGate 40F that answers to a DNS A record of my domain, "fortigate.example.com". Inside the local network I have a web server that I need for work, with another A record that points to the same public IP address and answers to api.example.com.

I have set up the virtual server that answers to the different name and I can find both, but the problem is with the certificate. With the different name I can bypass the double 80 and 443 port, but the proxy offloads the SSL certificate of the FortiGate to the web server, and navigating to the web site I get an error because the site api.example.com has the certificate of fortigate.example.com.

I have searched online but it seems it's not possible to disable the certificate offload, and the OS of the FortiGate doesn't support the wildcard of Let's Encrypt.

Does someone have an idea how to solve this? I'm quite new with FortiGate, so please, if you have a solution, explain it like I am an idiot :p

4 REPLIES
Anthony_E
Community Manager

Hello Canapia,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Canapia,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards.

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Canapia,

 

Could you please contact our support via https://support.fortinet.com/welcome/#/

 

Regards,

Anthony-Fortinet Community Team.
gfleming
Staff

Can you just confirm, so I can be sure I understand you: you want to be able to reach the FortiGate on HTTPS (Web VPN, admin GUI, etc.) using a hostname that points to its public IP address?

And you want to create a VIP with a web server behind it that is using another hostname but using the same IP address as the FortiGate WAN?

 

Yes this is possible! However, you need to understand that you'll need to use different ports if you want to share the same IP and port for two different servers.

 

Your FortiGate and Web Server are two different servers sharing the same IP address.

 

If you can't use a non-standard port for either the FortiGate or the Web Server, you could possibly look to using the Web Server to do some redirection for you based on the hostname. I.e. the web server could handle all port 443 connections and anything for Fortigate.example.com would get sent back to the FortiGate.

Cheers,
Graham