Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DevinderSharma
New Contributor III

Server Load Balancing for HTTPs with no certs installed on Fortigate [Solved]

Hello forum members,

 

Load balancing to https servers is bit new for me. I have done in the past regular http load balancing.

 

I was under the impression that with certificates on the servers and incoming https requests being sent to one or the other real server should have nothing to do with FortiGate needing certs on it as we are not really terminating https on firewall, but simply relaying the requests over to two inside servers. But when I tried to configure virtual server, it requires SSL offloading and that of course will require certificate on FortiGate.

 

So why is it mandatory for FortiGate to do SSL offloading for load balancing?

 

The two inside servers are windows IIS with few websites that are duplicated on them. I assume, worst case, I need to have customer export already installed certs on these two boxes as PFX bundle and then split those into their constituent private key and public (cert) and then import into FortiGate and then use those certs (or rather I should only need one cert) for this seemingly mandatory SSL offloading. There are two options of SSL offload. One is client to FortiGate and other is full. Since client to FortiGate option will probably require firewall to talk to servers on port 80 (which will not work as web servers have http to https redirect set up in IIS), how does full offloading then work? Will it use 443 on backend as well?

 

Thank you all in advance for some advice on this.

 

 

1 Solution
DevinderSharma

I ended up importing the PFX bundle in the firewall and setting up full SSL offloading back to member servers. Without Certs, we cannot do SSL offloading and without SSL offloading, we cannot do the HTTPs load balancing and without HTTPs load balancing, we could use TCP 443 load balancing, but with that, there is no option to do session persistence that is needed with HTTPS connections.  There is an option for static load balancing, that seems to use source IP based distribution to the real servers and that might work if someone is looking for HTTPS load balancing without using certs. I have not tried that, and documentation states that there are some limitations that if a real server is added or removed, then distribution logic changes and during that time, some existing users who were on other real servers may get dropped.

View solution in original post

4 REPLIES 4
DevinderSharma
New Contributor III

I do find an option where if I don't use https, but pick TCP and specify port 443, then I dont have any SSL offloading requirements. I am hoping this will achieve what I wanted to do.

DevinderSharma

Further seemingly HTTP with port 443 can be used as that allows setting up persistence.

DevinderSharma

I was wrong. HTTP with 443 does not work and is not treated as https.

 

My needs are HTTPS load balancing with HTTP cookie insertion by fortigate as I have no idea of how backend IIS session persistence works and even if does work, the cookies inserted by IIS into user session should be transparent to the fortigate, so it could anyway send the traffic to the second IIS server that was not the one that has the original connection to.

 

Can someone please advise if exporting SSL cert PFX bundle from one of the server and importing into fortigate is the best solution? The cert on server is a wild card cert.

 

Thanks

DevinderSharma

I ended up importing the PFX bundle in the firewall and setting up full SSL offloading back to member servers. Without Certs, we cannot do SSL offloading and without SSL offloading, we cannot do the HTTPs load balancing and without HTTPs load balancing, we could use TCP 443 load balancing, but with that, there is no option to do session persistence that is needed with HTTPS connections.  There is an option for static load balancing, that seems to use source IP based distribution to the real servers and that might work if someone is looking for HTTPS load balancing without using certs. I have not tried that, and documentation states that there are some limitations that if a real server is added or removed, then distribution logic changes and during that time, some existing users who were on other real servers may get dropped.

Labels
Top Kudoed Authors