Solution 2: Layer4 SLB In-Line Deployment for both IPsec and SSL VPN Load-Balancing
Topology 2: FortiADC in front of FortiGates and taking over original FortiGate WAN settings
Key configurations:
- Move the WAN IP to FortiADC, and change the original FortiGate WAN IP to the internal IP address.
- Configure Layer4 SLB and publish the VIPs and their listening ports for FortiClient users.
- Create separate virtual servers for IPsec VPN and SSL VPN.
- You must use the DNAT method in the SLB VS configuration profile.
- Other settings:
  - IPsec VPN load-balancing: specify ports 500 and 4500, and select the UDP profile and SRC_ADDR persistence.
  - SSL VPN load-balancing: specify the port configured on FortiGate (example: 10443). Select the TCP profile and SRC_ADDR persistence.
- Configure a route policy on FortiADC, and add 1-to-1 NAT according to the FortiGate settings to take over the FortiGate network functions. Non-SSL VPN traffic will be routed to the original FortiGate.
Notes:
- You must change the FortiGate network settings and move the original WAN to the internal subnet.