Support Forum
rlizh
New Contributor

SSL Offloading Test on Fortigate Firewall 100D

Hi all,

 

I am new to Fortinet and would like to ask for advice and help regarding a request to enable SSL Offloading on the Fortigate Firewall (100D), which requires tests to ensure the SSL Offloading capability of the firewall.

 

Advice and help are needed! Thank you!

9 REPLIES
Markus
Valued Contributor

Hi,

 

Welcome to the Forums.

 

SSL Offloading requires the load balancing feature to be enabled (System --> Feature Visibility --> Loadbalance). You can use the default SSL certificates, but they will generate errors in the browser (I assume for testing it's ok);

otherwise you can import your own certificates (System --> Certificates). Create one or more virtual servers and one or more policies to allow https.

http://help.fortinet.com/...db-ssl-tls-offload.htm


________________________________________________________
--- NSE 4 ---
________________________________________________________
rlizh
New Contributor

mgrosni wrote:

Hi,

 

Welcome to the Forums.

 

SSL Offloading requires the load balancing feature to be enabled (System --> Feature Visibility --> Loadbalance). You can use the default SSL certificates, but they will generate errors in the browser (I assume for testing it's ok);

otherwise you can import your own certificates (System --> Certificates). Create one or more virtual servers and one or more policies to allow https.

http://help.fortinet.com/...db-ssl-tls-offload.htm

Hi Markus,

 

How can I solve the errors generated by the browser when using the default SSL certificates? Are the default SSL certificates only for testing purposes? And also, is it a 'must' to configure virtual servers to allow https connections from the browser?

Markus
Valued Contributor

Hi Royston, to clarify: do you want Server SSL Offloading (e.g. connections from the Internet to your https server), or do you want to inspect https traffic coming from clients to the Internet?

If you want to inspect client traffic, you don't need a virtual server. For client inspection you have to configure UTM with SSL Inspection. Some explanation for client inspection: http://cookbook.fortinet.com/preventing-certificate-warnings-54/

 


________________________________________________________
--- NSE 4 ---
________________________________________________________
rlizh
New Contributor

mgrosni wrote:

Hi Royston, to clarify: do you want Server SSL Offloading (e.g. connections from the Internet to your https server), or do you want to inspect https traffic coming from clients to the Internet?

If you want to inspect client traffic, you don't need a virtual server. For client inspection you have to configure UTM with SSL Inspection. Some explanation for client inspection: http://cookbook.fortinet.com/preventing-certificate-warnings-54/

 

Hi Markus,

 

Thank you for the reply. I am working on SSL offloading for incoming traffic from the Internet to an https server, not the client inspection part. It would be great if more advice & help could be provided for me to work on this!

 

 

Markus
Valued Contributor

Basically you need a load-balanced virtual server, an SSL certificate and a policy.

This is an example from OWA.

virtual server cli -->

config firewall vip
    edit "vvOwa"
        set comment "outlookWebAccess"
        set type server-load-balance
        set extip "your external ip where your server should listen"
        set extintf "any"
        set server-type https
        set http-ip-header enable
        set extport "your external port e.g. 443 for ssl"
        config realservers
            edit 1
                set ip "your internal server ip"
                set port "your server port"
            next
        end
        set http-multiplex enable
        set ssl-mode full
        set ssl-certificate "your ssl cert"
    next
end

policy

cli -->

config firewall policy
    edit #nr
        set name "wan2owa"
        set srcintf "your source interface"
        set dstintf "your destination interface"
        set srcaddr "all"
        set dstaddr "vvOwa"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set comments "owa"
    next
end

 

For the "cert" you can import your SSL domain/wildcard cert that matches the domain under which the server should be accessible, or use the "default" Fortigate certificate (throws an error, but can easily be used for testing SSL offload). If you want to import your SSL certificates, go to System --> Certificates --> Import --> Local Certificates. Some help and examples: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-ssl-tls-offload...

 


________________________________________________________
--- NSE 4 ---
________________________________________________________
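As an added example (not from this thread, Markus, or Fortinet), the script below renders the same two objects Markus describes, the server-load-balance VIP and the policy that references it, as FortiOS CLI text from a few parameters, and runs sanity checks before the output is pasted into a test box. The checks encode two points from the thread: the factory self-signed certificate will make browsers complain, so it is flagged as test-only; and `ssl-mode half` means TLS ends on the FortiGate and plain HTTP goes to the real server, while `full` re-encrypts to it, so the real server port is checked against the chosen mode. The certificate name `Fortinet_Factory`, the interface names and the RFC 5737 addresses are constructed sample values, not from the page.

```python
# Added example: render and sanity-check a FortiGate SSL-offload VIP + policy.
# Not Fortinet code; names, addresses and the default cert name are assumptions.
from dataclasses import dataclass, field

DEFAULT_CERT = "Fortinet_Factory"  # assumed name of the factory self-signed certificate


@dataclass
class RealServer:
    ip: str
    port: int


@dataclass
class SslOffloadVip:
    name: str
    extip: str
    extport: int = 443
    extintf: str = "any"
    ssl_mode: str = "half"            # "half": plaintext to server, "full": re-encrypt to server
    ssl_certificate: str = DEFAULT_CERT
    comment: str = ""
    realservers: list = field(default_factory=list)


def render_vip(vip: SslOffloadVip) -> str:
    """Emit the 'config firewall vip' block, including the closing next/end."""
    out = ["config firewall vip", f'    edit "{vip.name}"']
    if vip.comment:
        out.append(f'        set comment "{vip.comment}"')
    out += [
        "        set type server-load-balance",
        f"        set extip {vip.extip}",
        f'        set extintf "{vip.extintf}"',
        "        set server-type https",
        "        set http-ip-header enable",      # pass client IP to the backend in a header
        f"        set extport {vip.extport}",
        "        config realservers",
    ]
    for idx, rs in enumerate(vip.realservers, start=1):
        out += [f"            edit {idx}", f"                set ip {rs.ip}",
                f"                set port {rs.port}", "            next"]
    out += [
        "        end",
        "        set http-multiplex enable",
        f"        set ssl-mode {vip.ssl_mode}",
        f'        set ssl-certificate "{vip.ssl_certificate}"',
        "    next",
        "end",
    ]
    return "\n".join(out)


def render_policy(policy_id: int, name: str, srcintf: str, dstintf: str,
                  vip: SslOffloadVip, comment: str = "") -> str:
    """Emit the inbound policy whose destination is the VIP object, not a raw address."""
    out = [
        "config firewall policy",
        f"    edit {policy_id}",
        f'        set name "{name}"',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        '        set srcaddr "all"',
        f'        set dstaddr "{vip.name}"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "HTTPS"',
        "        set utm-status enable",
    ]
    if comment:
        out.append(f'        set comments "{comment}"')
    out += ["    next", "end"]
    return "\n".join(out)


def check_vip(vip: SslOffloadVip) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    if vip.ssl_mode not in ("half", "full"):
        findings.append(f"unknown ssl-mode {vip.ssl_mode!r} (expected half or full)")
    if vip.ssl_certificate == DEFAULT_CERT:
        findings.append("default self-signed certificate: browsers will warn, use only for testing")
    if not vip.realservers:
        findings.append("no real servers configured")
    for rs in vip.realservers:
        if vip.ssl_mode == "half" and rs.port == 443:
            findings.append(f"half mode sends plaintext HTTP to {rs.ip}:{rs.port}, which normally expects TLS")
        if vip.ssl_mode == "full" and rs.port == 80:
            findings.append(f"full mode re-encrypts to {rs.ip}:{rs.port}, which normally expects plaintext")
    return findings


if __name__ == "__main__":
    # Constructed sample: OWA behind the FortiGate, backend still speaks TLS, so use full mode.
    owa = SslOffloadVip(name="vvOwa", extip="203.0.113.10", comment="outlookWebAccess",
                        ssl_mode="full", realservers=[RealServer("192.0.2.20", 443)])
    print(render_vip(owa))
    print(render_policy(10, "wan2owa", "wan1", "internal", owa, comment="owa"))
    for finding in check_vip(owa):
        print("WARN:", finding)
```

Running the script prints both CLI blocks and one warning, because the sample keeps the factory certificate; switching `ssl_certificate` to an imported cert name clears it. Changing the sample to `ssl_mode="half"` with the backend still on port 443 produces the plaintext-to-TLS-port warning instead, which is the mismatch that shows up in practice as a 502 or a hung connection rather than an obvious error.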
rlizh
New Contributor

mgrosni wrote:

Basically you need a load-balanced virtual server, an SSL certificate and a policy.

This is an example from OWA.

virtual server cli -->

config firewall vip
    edit "vvOwa"
        set comment "outlookWebAccess"
        set type server-load-balance
        set extip "your external ip where your server should listen"
        set extintf "any"
        set server-type https
        set http-ip-header enable
        set extport "your external port e.g. 443 for ssl"
        config realservers
            edit 1
                set ip "your internal server ip"
                set port "your server port"
            next
        end
        set http-multiplex enable
        set ssl-mode full
        set ssl-certificate "your ssl cert"
    next
end

policy

cli -->

config firewall policy
    edit #nr
        set name "wan2owa"
        set srcintf "your source interface"
        set dstintf "your destination interface"
        set srcaddr "all"
        set dstaddr "vvOwa"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set comments "owa"
    next
end

 

For the "cert" you can import your SSL domain/wildcard cert that matches the domain under which the server should be accessible, or use the "default" Fortigate certificate (throws an error, but can easily be used for testing SSL offload). If you want to import your SSL certificates, go to System --> Certificates --> Import --> Local Certificates. Some help and examples: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-ssl-tls-offload...

 

Thanks Markus! As of now, I will temporarily use the default SSL certificate to do some tests on my end before I implement it on the actual network server.

Markus
Valued Contributor

I suggest using / creating a specific (protecting SSL server) profile.

Go to Security Profiles --> SSL/SSH Inspection and create a new SSL profile with the SSL Inspection Option "Protecting SSL Server".

 


________________________________________________________
--- NSE 4 ---
________________________________________________________
rlizh
New Contributor

mgrosni wrote:

Basically you need a load-balanced virtual server, an SSL certificate and a policy.

This is an example from OWA.

virtual server cli -->

config firewall vip
    edit "vvOwa"
        set comment "outlookWebAccess"
        set type server-load-balance
        set extip "your external ip where your server should listen"
        set extintf "any"
        set server-type https
        set http-ip-header enable
        set extport "your external port e.g. 443 for ssl"
        config realservers
            edit 1
                set ip "your internal server ip"
                set port "your server port"
            next
        end
        set http-multiplex enable
        set ssl-mode full
        set ssl-certificate "your ssl cert"
    next
end

policy

cli -->

config firewall policy
    edit #nr
        set name "wan2owa"
        set srcintf "your source interface"
        set dstintf "your destination interface"
        set srcaddr "all"
        set dstaddr "vvOwa"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set comments "owa"
    next
end

 

For the "cert" you can import your SSL domain/wildcard cert that matches the domain under which the server should be accessible, or use the "default" Fortigate certificate (throws an error, but can easily be used for testing SSL offload). If you want to import your SSL certificates, go to System --> Certificates --> Import --> Local Certificates. Some help and examples: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-ssl-tls-offload...

 

For the 'set ssl-mode full' being used, is it highly recommended to use full mode instead of half mode for SSL offload?
