FortiADC
kwcheng__FTNT
Article Id 193186
Description
This article describes how to configure FortiADC for SSL offload.

Solution
An HTTP server is required before configuring FortiADC.



In this test case, the HTTP server is a Linux host listening on port 80, with the real server IP 10.193.1.253.

The sample network topology is as follows:
Internet -> Fortigate (10.147.2.33) -> (10.147.1.254) FortiADC (10.193.1.9) -> (10.193.1.253) HTTP Server


The goal of this deployment is to reach the HTTP server from the internet while FortiADC performs the SSL offload.
Make sure that a VIP (or DNAT) pointing to FortiADC is already configured on the internet gateway (the internet-facing device).

Configuration steps on the FortiADC:

1) Configure Real Server IP

- Go to:
Server Load Balance -> Real Server Pool -> Real Server -> Create New
- Fill in the real server name and IP address in this form and save it
- Repeat for each additional real server


2) Configure Real Server Pool

- Go to:
Server Load Balance -> Real Server Pool -> Real Server Pool -> Create New
- Make sure Real Server SSL Profile is 'None', as SSL should only be handled on the FortiADC
- Add all the real servers created in Step 1 to 'Member' and save






3) Configure Client SSL Profile to use a specific Local Certificate Group

- Go to:
Server Load Balance -> Application Resources -> Client SSL
- Select which 'Local Certificate Group' to use
- In this test case, the default local self-signed certificate on the FortiADC is used
- To use your own certificate, upload it under:
System -> Manage Certificates -> Local Certificate -> Import
- Once done, create a Local Certificate Group to be used for the Client SSL profile:
System -> Manage Certificates -> Local Certificate Group -> Create New
Select 'imported certificate'


4) Create New Virtual Server Profile

- Go to:
Server Load Balance -> Virtual Server -> Virtual Server -> Create New -> Basic setting
- Fill in the information as in the sample provided:
Application: Select HTTP(s) application profile
Address: The listening IP address on the FortiADC (Virtual IP address)
Port: 443 (the HTTPS port for SSL offload)
Interface: The listening interface of Virtual IP address (inbound)
Real Server Pool: Select the real server pool created earlier
SSL: enable
Client SSL Profile: Select the profile created earlier
- Save the configuration

5) Test Access from internet


As the test shows, SSL is now implemented in front of the HTTP server.
If a self-signed local certificate is used, it is expected to appear as an untrusted certificate.
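
A scripted version of the Step 5 check, as an added example that is not part of the original article: it performs one verified and one unverified TLS handshake against the virtual server and reports whether the certificate is trusted, self-signed, or otherwise rejected. The host given on the command line is assumed to be the public address that the internet gateway forwards to the FortiADC virtual server; the function names are illustrative.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes relevant to this check.
SELF_SIGNED = {18, 19}      # self-signed leaf / self-signed cert in chain
NAME_MISMATCH = {62, 64}    # hostname / IP address not in the certificate


def classify(verify_code):
    """Turn the verify code of a failed handshake (None = success) into a verdict."""
    if verify_code is None:
        return "trusted"
    if verify_code in SELF_SIGNED:
        return "self-signed"
    if verify_code in NAME_MISMATCH:
        return "name-mismatch"
    return "untrusted"


def handshake(host, port, verify, timeout=5.0):
    """Complete one TLS handshake and return (protocol, cipher name)."""
    ctx = ssl.create_default_context()
    if not verify:  # diagnostic pass only: accept any certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def probe(host, port=443):
    """Check that the virtual server terminates TLS and how clients see its certificate."""
    code, detail = None, None
    try:
        handshake(host, port, verify=True)
    except ssl.SSLCertVerificationError as exc:
        code, detail = exc.verify_code, exc.verify_message
    protocol, cipher = handshake(host, port, verify=False)
    return {"verdict": classify(code), "detail": detail,
            "protocol": protocol, "cipher": cipher}


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe.py <public address of the virtual server>
    print(probe(sys.argv[1]))
```

With the default self-signed certificate the expected verdict is "self-signed"; after importing a certificate issued by a CA the client trusts, for the name used to connect, it should become "trusted".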
