Configuring real server SSL profiles
A real server SSL profile determines the settings used in network communication on the FortiADC-server segment. By contrast, a virtual server profile determines the settings used in network communication on the client-FortiADC segment.
SSL profiles illustrates the basic idea of client-side and server-side profiles.
Predefined real server profiles summarizes the predefined profiles. You can select a predefined profile in the real server pool configuration, or you can create user-defined profiles.
Profile | Defaults |
---|---|
LB_RS_SSL_PROF_DEFAULT | |
LB_RS_SSL_PROF_ECDSA | |
LB_RS_SSL_PROF_ECDSA_SSLV3 | |
LB_RS_SSL_PROF_ECDSA_TLS12 | |
LB_RS_SSL_PROF_ENULL | Recommended for Microsoft Direct Access servers, where the application data is already encrypted and no further encryption is needed. |
LB_RS_SSL_PROF_HIGH | |
LB_RS_SSL_PROF_LOW_SSLV2 | |
LB_RS_SSL_PROF_LOW_SSLV3 | |
LB_RS_SSL_PROF_MEDIUM | |
NONE | |
Before you begin:
- You must have Read-Write permission for Load Balance settings.
To configure custom real server profiles:
- Go to Server Load Balance > Real Server Pool.
- Click the Server SSL tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in Real Server SSL Profile configuration guidelines.
- Save the configuration.
You can clone a predefined configuration object to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.
Settings | Guidelines |
---|---|
Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the real server pool configuration. Note: After you initially save the configuration, you cannot edit the name. |
SSL | Enable/disable SSL for the connection between FortiADC and the real server. Note: The following fields become available only when SSL is enabled. |
Customized SSL Ciphers Flag | Enable/disable use of user-specified cipher suites. When enabled, you must specify Customized SSL Ciphers (see the next row). |
Customized SSL Ciphers | If the Customized SSL Ciphers Flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed; if the list is empty, the default cipher suite list is used. The names you enter are validated against the form of the cipher suite short names published on the OpenSSL website. |
SSL Cipher Suite List | Ciphers are listed from strongest to weakest. We recommend retaining the default list. If necessary, you can deselect ciphers you do not want to support. |
Allowed SSL Versions | Select the SSL versions that are allowed for the connection. |
Certificate Verify | Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and may include OCSP and CRL checks. |
SNI Forward Flag | Enable/disable forwarding the client's SNI value to the real server. The SNI value is forwarded only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded. |
Session Reuse Flag | Enable/disable SSL session reuse. |
Session Reuse Limit | The default is 0 (disabled). The valid range is 0-1048576. |
TLS Ticket Flag | Enable/disable TLS ticket-based session reuse. |
Renegotiation | Controls how FortiADC responds to mid-stream SSL renegotiation requests, whether initiated by real servers or forced by FortiADC. Note: |
Renegotiation Period | Specify the interval, measured from the initial connect time, after which FortiADC renegotiates the SSL session. The unit of measurement can be seconds (default), minutes, or hours, e.g., 100s, 20m, or 1h. Note: |
Renegotiate Size | Specify the amount (in MB) of application data that must have been transmitted over the secure connection before FortiADC initiates renegotiation of the SSL session. Note: The default is 0, which disables the function. |
Secure Renegotiation | Select one of the following options: |
Renegotiation-Deny-Action | This option becomes available when Renegotiation is disabled on the server side. In that case, you must select the action that FortiADC takes when denying an SSL renegotiation request: |
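The Customized SSL Ciphers and Allowed SSL Versions rows above describe a validation that is easy to get wrong by hand: OpenSSL silently drops misspelled names from a cipher string as long as one entry is valid, and a suite that needs a version you have not allowed is never negotiated. The script below is an added example, not FortiADC code or the appliance's own validator; it checks a candidate cipher string before you paste it into the profile, using the local OpenSSL build (via Python's ssl module) as the list of known short names. The weak-suite markers, the protocol ordering and the sample cipher strings are this example's own constructions.

```python
"""Pre-flight check for the 'Customized SSL Ciphers' field of a real server SSL profile.

Added example, not FortiADC code. Each colon-separated entry must be an OpenSSL
cipher suite short name; the script also cross-checks entries against the
'Allowed SSL Versions' selection and flags suites with weak or no protection.
"""
import re
import ssl

# Syntactic form of an OpenSSL short name: upper-case alphanumerics joined by
# '-' (TLS 1.2 and older) or '_' (TLS 1.3 names such as TLS_AES_256_GCM_SHA384).
_SHORT_NAME = re.compile(r"^[A-Z0-9]+(?:[-_][A-Z0-9]+)*$")

# Constructed list of substrings that mark suites with no or weak encryption or
# authentication. NULL suites are what LB_RS_SSL_PROF_ENULL exists for: they only
# make sense when the payload is already encrypted.
_WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")

# Protocol ordering (oldest to newest) used for the version cross-check.
_PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def known_ciphers():
    """Map short name -> OpenSSL metadata for every suite the local build offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:eNULL")  # widest legal list; eNULL adds NULL-* suites if compiled in
    return {c["name"]: c for c in ctx.get_ciphers()}


def weak_markers_in(name):
    """Return the weak-suite markers present in a short name (pure string check)."""
    return [m for m in _WEAK_MARKERS if m in name]


def is_usable(min_proto, allowed_versions):
    """True if a suite whose minimum protocol is min_proto can be negotiated under
    the profile's Allowed SSL Versions. TLS 1.3 suites are 1.3-only; older suites
    run on any allowed pre-1.3 version at or above their minimum."""
    if min_proto == "TLSv1.3":
        return "TLSv1.3" in allowed_versions
    if min_proto not in _PROTO_ORDER:
        return True  # label from an older OpenSSL (e.g. "TLSv1/SSLv3"); do not reject
    floor = _PROTO_ORDER.index(min_proto)
    return any(_PROTO_ORDER.index(v) >= floor
               for v in allowed_versions if v in _PROTO_ORDER and v != "TLSv1.3")


def validate_cipher_list(spec, allowed_versions=("TLSv1.2", "TLSv1.3")):
    """Validate a colon-separated, ordered cipher string as the profile field expects.

    Returns (ok, accepted, problems, warnings). 'accepted' keeps the configured
    order because the list is ordered (first entry is preferred). An empty string
    is valid and means 'use the default cipher suite list'.
    """
    accepted, problems, warnings = [], [], []
    if spec == "":
        return True, accepted, problems, warnings
    known = known_ciphers()
    for token in spec.split(":"):
        if not _SHORT_NAME.match(token):
            problems.append(f"{token!r}: not in OpenSSL short-name form")
            continue
        if token not in known:
            # Catches typos, and also keywords such as ALL or HIGH, which are
            # cipher-string aliases rather than suite names.
            problems.append(f"{token!r}: not a cipher suite known to this OpenSSL build")
            continue
        if not is_usable(known[token]["protocol"], allowed_versions):
            warnings.append(f"{token!r}: never negotiated under Allowed SSL Versions {allowed_versions}")
        for marker in weak_markers_in(token):
            warnings.append(f"{token!r}: weak or unauthenticated suite ({marker})")
        accepted.append(token)
    return not problems, accepted, problems, warnings


if __name__ == "__main__":
    # Constructed samples: a sane ordered list, then one with a typo and an alias.
    for spec in ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA-TYPO:HIGH"):
        ok, accepted, problems, warnings = validate_cipher_list(spec)
        print(spec, "->", "OK" if ok else "REJECTED", accepted)
        for line in problems + warnings:
            print("   ", line)
```

Run it with the exact string you intend to enter; a rejected entry is one the appliance would also refuse or ignore, and a version warning means the suite is dead weight given the Allowed SSL Versions you selected. Because the known-name set comes from the local OpenSSL, a suite missing from a hardened build (for example one compiled without NULL ciphers) is reported as unknown even if the appliance accepts it.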