Hi Camilian,

 

A series of VIP or virtual servers configuration could help you out of this.

 

Let's say, 10.10.10.1/30 is your Internet public IP, which is configured on the "wan" interface of your FortiWifi.

192.168.1.1/24 is your server-1(80), which connected with port1 of the Fortiwifi.

192.168.2.1/24 is your server-2(443), which connected with port2 of the Fortiwifi.

 

Now, firstly you need to configure 2 VIPs.

 

config firewall vip     edit "Server-1"         set extip 10.10.10.1         set extintf "wan"         set portforward enable         set mappedip "192.168.1.1"         set extport 8080         set mappedport 80     next

    edit "Server-2"         set extip 10.10.10.1         set extintf "wan"         set portforward enable         set mappedip "192.168.2.1"         set extport 8443         set mappedport 443

    next

end

 

Second, you need to configure a policy with these two VIPs.

config firewall policy

edit 1         set name "To_Server-1"         set srcintf "wan"         set dstintf "port1"         set srcaddr "all"         set dstaddr "Server-1"    ### The first VIP you configured.         set action accept         set schedule "always"         set service "ALL"         set logtraffic all         set nat enable

next

edit 2

edit 1         set name "To_Server-2"         set srcintf "wan"         set dstintf "port2"         set srcaddr "all"         set dstaddr "Server-2"    ### The first VIP you configured.         set action accept         set schedule "always"         set service "ALL"         set logtraffic all         set nat enable

next

end

 

Now, you should be able visit your 2 servers from Internet. For your 80 server, use URL "http://10.10.10.1:8080" and for 443 server, use URL "https://10.10.10.1:8443".

Good examples, but I would not do that.

 

1: no need for NAT enable in the two fwpolicies ( it will work but understand what NAT is actuallky doing a DNAT  VIP )

 

2: 2nd I would define fwpolicy for a port-based_forwarding  VIP with understand the  fact it's a port-based-forwarding

 

OUtside it's 2 thumbs up from me

 

Ken

 

just to add that a VIP is much more general than as used in the example. You can map from port 80 to 80 (to just forward HTTP traffic but not changing the port number), and you can forward multiples ports with multiple VIPs to the same internal address if you port-forward.

And don't expect that you can ping your server from outside! ICMP is not port-forwarded, it's not even TCP. But you can create an ICMP forwarding VIP...

In the end, if you've got multiple VIPs you can group them all together in a VIP group and just use one policy. As service you should only allow the forwarded ports, of course.

Thank you for the detail information.

I am new to the configuration. I am getting the following message.

 

This page can’t be displayed Make sure the web address [link]https://x.x.x.x:8443[/link] is correct.Look for the page with your search engine.Refresh the page in a few minutes.[/ul]

Do I need to configure NDS?

 

I configured IIS with the web site. The internal web page (local) is working but the external https is giving an error.

 

Thank you

Camilian wrote:

Thank you for the detail information.

I am new to the configuration. I am getting the following message.

 

This page can’t be displayed Make sure the web address https://x.x.x.x:8443 is correct.Look for the page with your search engine.Refresh the page in a few minutes.

Do I need to configure NDS?

 

I configured IIS with the web site. The internal web page (local) is working but the external https is giving an error.

 

Thank you

Hi, did you mean DNS?

Truth of the Day: "if you use an URL with a numeric IP address you don't need DNS."

 

Seriously, without your configuration we can't even guess -