
Solution 2: Layer4 SLB In-Line Deployment for both IPsec and SSL VPN Load-Balancing

5.4.0

Topology 2: FortiADC in front of FortiGates and taking over original FortiGate WAN settings

Key configurations:

  1. Move the WAN IP to FortiADC, and change the original FortiGate WAN IP to an internal IP address.
  2. Configure Layer 4 SLB and publish the VIPs and their listening ports for FortiClient users.
    1. Create separate virtual servers for IPsec VPN and SSL VPN.
    2. You must use the DNAT method in the SLB virtual server (VS) configuration profile.
    3. Other settings:
      1. IPsec VPN load-balancing: specify the ports 500 and 4500, and select the UDP profile and SRC_ADDR persistence.
      2. SSL VPN load-balancing: specify the port configured on FortiGate (example: 10443). Select the TCP profile and SRC_ADDR persistence.
  3. Configure a route policy on FortiADC, and add 1-to-1 NAT according to the FortiGate settings so that FortiADC takes over the FortiGate network functions. Non-SSL VPN traffic will be routed to the original FortiGate.

Notes:

  • You must change the FortiGate network settings and move the original WAN interface to an internal subnet.
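To show why the settings above fit together (DNAT so the FortiGates see the real client address, separate UDP and TCP virtual servers, source-address persistence, and a route policy for everything else), here is a small Python model of the in-line Layer 4 SLB behaviour. It is an added example written for this page, not FortiADC code or configuration; all addresses (the VIP 203.0.113.10, the FortiGate internal addresses 10.0.0.11 and 10.0.0.12, the gateway 10.0.0.1 and the client 198.51.100.7) are constructed. Its main point is the one the IPsec setting implies: IKE on UDP/500 and NAT-T on UDP/4500 from the same client must reach the same FortiGate, which is what SRC_ADDR persistence guarantees and plain round-robin does not.

```python
"""Toy model of Layer 4 SLB with DNAT, SRC_ADDR persistence and a route policy.

Constructed example for this page: addresses and server names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VirtualServer:
    name: str
    vip: str
    protocol: str                 # "udp" (IPsec) or "tcp" (SSL VPN)
    ports: Tuple[int, ...]        # listening ports published to FortiClient users
    real_servers: List[str]       # FortiGate internal addresses (constructed)
    persistence: Optional[str]    # "SRC_ADDR" or None
    method: str = "DNAT"          # the page requires DNAT for this topology
    _table: Dict[str, str] = field(default_factory=dict)  # client IP -> real server
    _next: int = 0                # round-robin cursor

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        return proto == self.protocol and dst == self.vip and dport in self.ports

    def select(self, src: str) -> str:
        """Pick a real server, honouring source-address persistence if enabled."""
        if self.persistence == "SRC_ADDR" and src in self._table:
            return self._table[src]
        rs = self.real_servers[self._next % len(self.real_servers)]
        self._next += 1
        if self.persistence == "SRC_ADDR":
            self._table[src] = rs
        return rs


def forward(vservers: List[VirtualServer], non_vpn_gateway: str, pkt: dict) -> dict:
    """Return the packet as it leaves FortiADC: DNATed to a FortiGate, or routed."""
    for vs in vservers:
        if vs.matches(pkt["proto"], pkt["dst"], pkt["dport"]):
            if vs.method != "DNAT":
                raise ValueError(f"{vs.name}: DNAT is required for this topology")
            out = dict(pkt)
            out["dst"] = vs.select(pkt["src"])   # DNAT: destination rewritten, source kept
            out["via"] = vs.name
            return out
    # No virtual server matched: route policy sends it to the original FortiGate.
    out = dict(pkt)
    out["via"] = "route-policy"
    out["next_hop"] = non_vpn_gateway
    return out


VIP = "203.0.113.10"          # constructed: WAN IP moved from FortiGate to FortiADC
GATEWAY = "10.0.0.1"          # constructed: next hop for non-VPN traffic
CLIENT = "198.51.100.7"       # constructed: FortiClient user's public address


def build_vservers(persistence: Optional[str] = "SRC_ADDR") -> List[VirtualServer]:
    fgts = ["10.0.0.11", "10.0.0.12"]   # constructed FortiGate internal IPs
    return [
        VirtualServer("VS_IPSEC", VIP, "udp", (500, 4500), fgts, persistence),
        VirtualServer("VS_SSLVPN", VIP, "tcp", (10443,), fgts, persistence),
    ]


def ipsec_path(persistence: Optional[str]) -> Tuple[str, str]:
    """Which FortiGate receives IKE (udp/500) and NAT-T (udp/4500) from one client."""
    vs = build_vservers(persistence)
    ike = forward(vs, GATEWAY, {"src": CLIENT, "dst": VIP, "proto": "udp", "dport": 500})
    natt = forward(vs, GATEWAY, {"src": CLIENT, "dst": VIP, "proto": "udp", "dport": 4500})
    return ike["dst"], natt["dst"]


def sslvpn_and_other() -> Tuple[str, str]:
    """Where an SSL VPN connection and an unrelated TCP/443 flow end up."""
    vs = build_vservers()
    ssl = forward(vs, GATEWAY, {"src": CLIENT, "dst": VIP, "proto": "tcp", "dport": 10443})
    web = forward(vs, GATEWAY, {"src": CLIENT, "dst": VIP, "proto": "tcp", "dport": 443})
    return ssl["via"], web["via"]


if __name__ == "__main__":
    print("IPsec with SRC_ADDR persistence:", ipsec_path("SRC_ADDR"))
    print("IPsec without persistence:      ", ipsec_path(None))
    print("SSL VPN / other traffic via:    ", sslvpn_and_other())
```

With persistence the two IPsec flows land on the same FortiGate; without it, round-robin sends port 500 and port 4500 to different units and the tunnel cannot complete. The SSL VPN flow is handled by its own TCP virtual server, while the unrelated TCP/443 flow matches nothing and falls through to the route policy, as step 3 describes.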