Fortinet Community

Nils · ‎08-22-2016

Hi,

Im about to install a FortiWeb, to handle OWA, Reverse proxy etc.

Where should I place the appliance...?

[ul]

Directly on Internet with an external IP?

Behind Fortigate firewall with NAT?[/ul]

If I place it behind the Fortigate, is it possible to use the Servers Certificate on the FortiWeb or do I need to do the HTTPS decyption on the Fortigate?

If I place it behind the fortigate, the FortiWeb will have an internal (NAT:ed) address.

Whats the best practice here?

jintrah_FTNT · ‎08-22-2016

Hi Nil,

The certificate is not bound to any IP, as far as the requests/traffic reach FortiWeb to its destined virtual server IP(public/private) and Port, the certificate thing would work fine.

View solution in original post

jintrah_FTNT · ‎08-22-2016

Hi..

Ideally WAF should be placed behind Firewall DMZ. You can install/import server certificates on FortiWeb for https encryption/decryption. There are some info available on the topology setup done in reverse proxy mode, please go through http://help.fortinet.com/fweb/554/index.htm#FortiWeb/fortiweb-admin/planning_topology.htm%3FTocPath%...

Nils · ‎08-22-2016

Ok,

I saw these topology setups.

There is one thing I'm not sure about, and its about the server certificates.

I the FortiWeb is behind NAT, where should I place the certificates?

Aren't these meant to be where the External IP is located?

jintrah_FTNT · ‎08-22-2016

Hi Nil,

The certificate is not bound to any IP, as far as the requests/traffic reach FortiWeb to its destined virtual server IP(public/private) and Port, the certificate thing would work fine.

Nils · ‎08-23-2016

Ok thanks!

Countryboy · ‎02-02-2017

if you migrate certificates?

just create CSR then the signed CRS will upload to Fortiweb,

Countryboy

Fortinet Community

Where to place the FortiWeb Appliance