Configuring virtual servers
The virtual server configuration supports three classes of application delivery control:
- Layer 7—Persistence, load balancing, and routing are based on Layer-7 objects, such as HTTP headers, cookies, and so on.
- Layer 4—Persistence, load balancing, and network address translation are based on Layer-4 objects, such as source and destination IP addresses.
- Layer 2—This feature is useful when the request’s destination IP is unknown and you need to load-balance connections among multiple next-hop gateways.
Before you begin:
- You must have a deep understanding of the backend servers and your load-balancing objectives.
- You must have configured a real server pool and other configuration objects that you can incorporate into the virtual server configuration, such as persistence rules, user-defined profiles, content routes and rewriting rules, error messages, authentication policies, and source IP address pools if you are deploying NAT.
- You must have Read-Write permission for load-balance configurations.
Unlike virtual IPs on FortiGate or virtual servers on FortiWeb, virtual servers on FortiADC are activated as soon as you have configured them and set their status to Enable. You do not need to apply them by selecting them in a policy. |
Two Options for virtual server configuration
FortiADC provides two options for configuring virtual servers—Basic Mode and Advanced Mode.
In Basic Mode, you are required to specify only the basic parameters needed to configure a virtual server. FortiADC automatically configures those advanced parameters using the default values when you click the Save button. The Basic Mode is for less experienced users who may not have the skills required to configure the advanced features on their own.
The Advanced Mode, on the other hand, is ideal for experienced or "power" users who are knowledgeable and comfortable enough to configure all the advanced features, in addition to the basic ones, on their own.
All virtual servers you have added, whether they are configured through Basic Mode or Advanced Mode, end up on the Load Balance > Virtual Server page. You can view the configuration details of a virtual server by clicking the entry.
Basic virtual server configuration
This option is used mostly for beginners who have less experience with FortiADC.
To configure a virtual server using Basic Mode:
- Click Server Load Balance > Virtual Server.
- Click Add >Basic Mode to open the Basic Mode configuration editor.
- Complete the configuration as described in Virtual server configuration Basic Mode.
- Click Save.
Settings | Guidelines |
---|---|
Name |
Specify a unique name for the virtual server configuration object. Valid characters are Note: Once saved, the name of a virtual server configuration cannot be changed |
Application |
Select an application from the list menu:
|
Address |
Specify the IP address provisioned for the virtual server. |
Port |
Accept the default port number (80) or specify a port , ports, or a range of ports of your preference. Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only, |
Interface |
Select a network interface from the list menu, or specify a new one. |
Real Server Pool |
Select a real server pool (if you have one already configured) or create a new one. |
SSL |
Applicable to HTTP(S) applications only. Note: SSL is disabled by default, you must check the check box to enable it. Once SSL is enabled, you must select an profile from the Client SSL Profile drop-down menu below. |
Client SSL Profile |
Note: This setting applies to HTTPS, TCPS, HTTP2 H2, and SMTP applications only. In the case of HTTPS, it becomes available only when SSL is enabled. Select a client SSL profile from the drop-down menu. |
Protocol |
Note: This setting becomes available only when Application is set to IP. Enter up to eight numeric values or value ranges corresponding to the protocols you'd like to use, separated by space. |
Domain Name |
Note: This field becomes available only when Application is set to SMTP. Specify the FQDN. |
Advanced virtual server configuration
This option is used mostly by advanced users of FortiADC.
To configure a virtual server using the Advanced Mode:
- Go to Server Load Balance > Virtual Server.
- Click Add > Advanced Mode to display the configuration editor.
- Complete the configuration as described in Virtual server configuration in Advanced Mode.
- Save the configuration.
Settings | Description |
---|---|
Basic |
|
Name |
Enter a unique name for the virtual server. Valid characters are Note: Once you have saved the configuration, you cannot edit the virtual server name. |
Status |
|
Type |
|
Address Type |
Note: IPv6 is not supported for FTP, HTTP Turbo, RDP, or SIP profiles. |
Comment |
A string used to describe the purpose of the configuration |
Traffic Group |
Select the traffic group of your choice if you have one already configured, or create a new one by clicking Create New. Note: FortiADC will use the "default" if you do not choose or create a traffic group of your own. |
Specifics |
Note: Some of the settings in this part of the GUI apply to both Layer-7 and Layer-4 virtual servers, and some apply to Layer-7 virtual servers only, but none of them applies to Layer-2 virtual servers. |
Schedule Pool |
OFF (disabled) by default. Click the button to enable it. |
Schedule Pool List |
Available only when Schedule Pool is enabled. (See above). Follow the instructions onscreen to:
|
Content Routing |
OFF (disabled) by default. Click the button to enable it.
|
Content Routing List |
Available only when Content Routing is enabled. Follow the instructions onscreen to:
Note: You can select multiple content routing rules in virtual server configuration. Rules that you add are checked from top to bottom. The first rule to match is applied. If the traffic does not match any of the content-routing rule conditions specified in the virtual server configuration, the system will show some unexpected behaviors. Therefore, it is important that you create a “catch-all” rule that has no match conditions. In the virtual server configuration, this rule should be ordered last so it can be used to forward traffic to a default pool. |
Content Rewriting |
OFF (disabled) by default. Click the button to enable it. Note:
|
Content Rewriting List |
Available only when Content Rewriting is enabled. Follow the instructions onscreen to
Note: You can select multiple content rewriting rules in the virtual server configuration. Rules that you add are consulted from top to bottom. The first rule to match is applied. If the traffic does not match any of the content rewriting rule conditions, the header is not rewritten. |
Transaction Rate Limit |
Note: This setting applies to Layer-7 virtual servers only. It is not supported for HTTP Turbo profiles. Set a limit to the number of HTTP requests per second that the virtual server can process. Valid values are from 0 to 1,048,567. The default is 0 (disabled). The system counts each client HTTP request against the limit. When the HTTP request rate exceeds the limit, the virtual server sends an HTTP 503 error response to the client. |
Packet Forwarding Method |
Note: This setting applies to Layer-4 virtual servers only. Select one of the following packet forwarding methods:
Note: For FTP profiles, when Direct Routing is selected, you must also configure a persistence method.
The destination IP address of the initial request is the IP address of the virtual server. Be sure to configure FortiADC as the default gateway on the backend server so that the reply goes through FortiADC and can also be translated.
For Full NAT, NAT46, and NAT64, the source IP address is replaced by an IP address from the pool you specify. The destination IP address is replaced with the IP address of the backend server selected by the load balancer |
NAT Source Pool List |
If you are configuring a Layer 4 virtual server and enable Full NAT or NAT46, select one or more source pool configuration objects. See Using source pools. |
General |
|
Configuration |
|
Address |
Enter the IP address provisioned of the virtual server. Note: You do not specify an IP address for a Layer 2 virtual server. A Layer 2 virtual server is not aware of IP addresses. Instead of routing data for a specific destination, this type of server simply forwards data from the specified network interface and port. |
Port |
Accept the default port or specify a port, ports, or port ranges of your preference. Note: The virtual server will use the specified port or ports to listen for client requests. You can specify up to eight ports or port ranges separated by space. Valid values are from 0 to 65535. Port 0 applies to Layer-4 virtual servers only, The port range option is useful in deployments where it is desirable to have a virtual IP address with a large number of virtual ports, such as data centers or web hosting companies that use port number to identify their specific customers. Statistics and configurations are applied to the virtual port range as a whole and not to the individual ports within the specified port range. Note: If a Layer 2 virtual server is assigned a network interface that uses port 80 or 443, ensure that the HTTPS and HTTP administrative access options are not enabled for the interface. Setting a port range is not supported for FTP, HTTP Turbo, RADIUS, or Layer 2 TCP profiles. |
Connection Limit |
Set a limit to the number of concurrent connections. The default is 0 (disabled). Valid values are from 1 to 100,000,000. You can apply a connection limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted. Note: This feature is NOT supported for FTP or SIP profiles. |
Connection Rate Limit |
With Layer 4 profiles, and with the Layer-2 TCP profile, you can limit the number of new connections per second. The default is 0 (disabled). Valid values are from 1 to 86,400. You can apply a connection rate limit per real server and per virtual server. Both limits are enforced. Attempted connections that are dropped by security rules are not counted. Note: Not supported for FTP profiles. |
Interface |
Network interface that receives client traffic for this virtual server. |
Resources |
|
Profile |
Select a predefined or user-defined profile configuration object. See Configuring Application profiles. |
Persistence |
Select a predefined or user-defined persistence configuration object. See Configuring persistence rules. Note: The persistence rule with Match Across Virtual Servers enabled works only with L4 virtual servers or the L7 virtual server whose profile is LB_PROF_RADIUS. |
Method |
Select a predefined or user-defined method configuration object. See . |
Real Server Pool |
Select a real server pool configuration object. See Configuring real server pools. |
Clone Pool |
Select a configuration object. See Configuring a clone pool. |
Auth Policy |
Select an authentication policy configuration object. HTTP/HTTPS only. |
Scripting |
Available only when Scripting is enabled. Follow the instructions on screen to:
Note: FortiADC allows you to combine multiple individual scripts into one combined script so that you can execute them all at once. In that situation, you can set the order in which the scripts are executed by assigning the scripts with different priorities. For more information, see Support for multiple scripts. |
L2 Exception List |
Select an exception configuration object. Layer 2 HTTPS/TCPS only. See Configuring an L2 exception list. Note: This field is only available when Type is set to Layer 2. |
HTTP Redirect to HTTPS |
This option becomes available when an HTTPS server load-balancing profile is selected. It's disabled by default. Click the button to enable. Note: If enabled, it opens HTTP service on an HTTPS virtual server which redirects traffic to an HTTP virtual server. |
Redirect Service Port |
This option becomes available when HTTP Redirect to HTTPS is enabled for an HTTPS type of server load-balancing profile, as described above. You can either accept the default port (80), or specify up to eight ports or ranges of ports of your preference. |
Error Page |
Select an error page configuration object. See Configuring error pages. Note: Not supported for SIP profiles. |
If you do not use an error page, you can enter an error message to be returned to clients in the event no server is available. Maximum 1023 bytes. Note: Not supported for SIP profiles. |
|
FortiGSLB |
|
Public IP Type |
IPv4 or IPv6 Set the Public IP type for the virtual server. |
Public IPv4 |
Virtual server public IP address. |
One Click GSLB Server |
FortiGSLB One Click GSLB server |
Host Name |
The hostname part of the FQDN, such as www. Note: You can specify the @ symbol to denote the zone root. The value substitute for @ is the preceding $ORIGIN directive. |
Domain Name |
The domain name must end with a period. e.g. example.com. |
Security |
AV profile can support HTTP/HTTPS/SMTP |
WAF Profile |
Select a WAF profile configuration object or create a new one. See Configuring a WAF Profile. |
AV Profile |
Select an existing AV profile from the drop-down menu or create a new one. See Creating an AV profile. |
DoS Protection Profile |
Select a DoS protection profile configuration object or create a new one. See Configuring DoS Protection Profile. |
Captcha Profile |
Select a Captcha configuration object. See Configuring Captcha. |
SSL Traffic Mirror |
This field applies to HTTPS and TCPS only. |
SSL Traffic Mirror |
Select the check box to enable it. Then select the ports from the list of Available Items. |
Application Optimization |
|
Page Speed |
Select a page speed optimization profile. |
Monitoring |
|
Traffic Log |
Enable to record traffic logs for this virtual server. Note: Local logging is constrained by available disk space. We recommend that if you enable traffic logs, you monitor your disk space closely. We also recommend that you use local logging during evaluation and verification of your initial deployment, and then configure remote logging to send logs to a log management repository. |
FortiView |
Enable the view virtual server from FortiView |
WCP |
Web Cache Communications Protocol |