Server load balancing
Server load balancing (SLB) features are designed to give you flexible options for maximizing performance of your backend servers. The following topics give an overview of SLB features:
- Feature summary
- Content rewriting
- Content routing
- SSL transactions
The table below summarizes server load balancing features.
Health check: Checks based on Layer 3, Layer 4, or Layer 7 data.
Profiles: HTTP, HTTPS, HTTP Turbo, RADIUS, RDP, SIP, TCPS, SMTP, FTP, Diameter, RTSP, RTMP, MySQL, MSSQL
Content routing: HTTP Host, HTTP Referer, HTTP Request URL, SNI hostname, Source IP address
Content rewriting: URL redirect, 403 Forbidden, or HTTP request/response rewrite
Profiles: FTP, TCP, UDP
Content routing: Source IP address
Profiles: HTTP, HTTPS, TCP, TCPS, UDP, FTP
Note: Layer 2 load balancing is useful when the request’s destination IP is unknown and you need to load balance connections between multiple next-hop gateways.
For detailed information, see Chapter 4: Server Load Balancing.
FortiADC SLB supports offloading authentication from backend servers. The auth policy framework supports authentication against local, LDAP, and RADIUS authentication servers, and it enables you to assign users to groups that are authorized to access protected sites.
For configuration details, see Configuring authentication policies.
FortiADC SLB supports both static and dynamic caching. Caching reduces server overload, bandwidth saturation, high latency, and network performance issues.
When caching is enabled for a virtual server profile, the FortiADC appliance dynamically stores application content such as images, videos, HTML files and other file types to reduce the load on backend servers and accelerate overall application performance.
For configuration details, see Using caching features.
FortiADC SLB supports compression offloading. Compression offloading means the ADC handles compression processing instead of the backend servers, allowing them to dedicate resources to their own application processes.
When compression is enabled for a virtual server profile, the FortiADC system intelligently compresses HTTP and HTTPS traffic. Reducing server reply content size accelerates performance and improves response times. FortiADC supports both the industry-standard GZIP and DEFLATE algorithms.
For configuration details, see Configuring compression rules.
FortiADC SLB also supports decompressing the HTTP request body, according to the Content-Encoding header, before sending it to the Web Application Firewall (WAF) for scanning. Upon receiving a compressed HTTP request body, FortiADC first uses the zlib library to extract the HTTP body to a temporary buffer and then sends the buffer to the WAF engine for scanning.
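The decompress-then-scan step described above, as an added Python sketch that is not FortiADC code. The 64 KiB buffer limit, the two signatures and the fail-closed verdicts are assumptions chosen for illustration.

```python
import gzip
import zlib

MAX_DECODED = 64 * 1024  # assumed size of the temporary buffer, not a FortiADC value
SIGNATURES = (b"union select", b"<script")  # constructed stand-ins for WAF rules


class BodyTooLarge(Exception):
    """Decoded body would not fit in the temporary buffer."""


def decode_body(body: bytes, content_encoding: str, limit: int = MAX_DECODED) -> bytes:
    """Decode a request body according to its Content-Encoding, bounded by limit."""
    enc = (content_encoding or "identity").strip().lower()
    if enc == "identity":
        return body
    if enc == "gzip":
        wbits = 16 + zlib.MAX_WBITS   # gzip header and trailer
    elif enc == "deflate":
        wbits = zlib.MAX_WBITS        # zlib-wrapped deflate, as RFC 9110 defines it
    else:
        raise ValueError("unsupported Content-Encoding: " + enc)
    inflater = zlib.decompressobj(wbits)
    # Ask for one byte more than the limit so an oversized body is detected
    # without ever inflating the whole stream (decompression-bomb guard).
    out = inflater.decompress(body, limit + 1)
    if len(out) > limit:
        raise BodyTooLarge(enc)
    if not inflater.eof:
        raise ValueError("truncated " + enc + " stream")
    return out


def scan(body: bytes, content_encoding: str) -> str:
    """Return a verdict on the decoded body; fail closed when decoding fails."""
    try:
        decoded = decode_body(body, content_encoding).lower()
    except BodyTooLarge:
        return "block: decoded body exceeds buffer"
    except (ValueError, zlib.error):
        return "block: undecodable body"
    for sig in SIGNATURES:
        if sig in decoded:
            return "block: signature " + sig.decode()
    return "allow"


if __name__ == "__main__":
    sample = gzip.compress(b"id=1 UNION SELECT password FROM users")  # constructed
    print(scan(sample, "identity"), "|", scan(sample, "gzip"))
```

Scanning the same bytes as `identity` shows why the decode step matters: the signature only becomes visible to the scanner after the body is inflated.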
FortiADC SLB supports content rewriting rules that enable you to rewrite HTTP requests and responses so that you can cloak the details of your internal network. You can also create rules to redirect requests.
For configuration details and examples, see Using content rewriting rules.
FortiADC SLB supports content routing rules that direct traffic to backend servers based on source IP address or HTTP request headers.
For configuration details, see Configuring content routes.
FortiADC SLB supports Lua scripts to perform actions that are not currently supported by the built-in feature set. Scripts enable you to use predefined script commands and variables to manipulate the HTTP request/response or select a content route. The multi-script support feature enables you to use multiple scripts by setting their sequence of execution.
For configuration details, see Using predefined scripts and commands.
FortiADC SLB supports SSL offloading. SSL offloading means the ADC handles SSL decryption and encryption processing instead of the backend servers, allowing the backend servers to dedicate resources to their own application processes.
SSL offloading results in improved SSL/TLS performance. On VM models, acceleration is due to offloading the cryptographic processes from the backend server. On hardware models with ASIC chips, cryptography is also hardware-accelerated: the system can encrypt and decrypt packets at better speeds than a backend server with a general-purpose CPU.
FortiADC SLB also supports SSL decryption by forward proxy in cases where you cannot copy the server certificate and private key to the FortiADC, either because it is impractical or impossible (in the case of outbound traffic to unknown Internet servers).
For detailed information, see Chapter 17: SSL Transactions.