Fortinet black logo

SSLi Deployment Guide

Home FortiADC 7.4.0 SSLi Deployment Guide

Deployment

7.4.0
7.4.0
Copy Link
Copy Doc ID 94056ed1-6b81-11eb-9995-00505692583a:448952
Download PDF

Deployment

When FortiADC is configured with SSLi mode, it acts as the SSL proxy to decrypt and encrypt SSL connections between the client and the server.

FortiADC terminates the SSL session from the client and establishes a new SSL session to the server. A certificate authority (CA) certificate and private key need to be installed on FortiADC with the "Forward Proxy” function enabled so that the server certificates can be successfully proxied and re-signed to the client.

FortiADC gets the original certificate from the server, but instead of forwarding the same certificate to the client, it creates a new one with the same CN but with different issuer and public key. This derived certificate is signed by "Local Signing CA" that is trusted by the client, so the client completes its handshake with FortiADC, and FortiADC decrypts the traffic to the security device and encrypts it to the destination.

The SNI (Server Name Indication) is a TLS extension that indicates the hostname of the SSL server that the client wants to connect to. In this version (FortiADC v6.1.0), it's a known issue that the SNI sometimes is unable to be forwarded to the destination web server, which will cause some website to be inaccessible. We will fix this issue soon.

Limitations for the SSLi function:

  • DDoS prevention is only supported in L7 Reverse Proxy.

  • Bypass function is only supported in L2/L3 transparent proxy.

  • RS_pool only supports one member (RS).

  • vDOM is not supported.

  • IPv6 is only supported in L7 Reverse Proxy.

  • Pre-login disclaimer message configuration is not supported.

Enabling SSL mode

Before beginning the deployment, you should enable the SSLi mode on FortiADC first. All the settings on the FortiADC will be erased.

execute ssli mode enable

This operation will change all settings to factory defaults. FortiADC will reboot.

You will see the SSLi Proxy menu if the SSLi mode is enabled.

When FortiADC is working in SSLi mode, the following features are not supported and are removed from GUI and CLI.

  • GLB, LLB

  • Intrusion Prevention, IP Reputation, Geo IP Protection

  • Central Management, User Authentication

All settings related to SSLi must be configured through the GUI. We do not support configuring this function through CLI, but you can view all the SSLi configurations by CLI.
Previous
Next

Deployment

When FortiADC is configured with SSLi mode, it acts as the SSL proxy to decrypt and encrypt SSL connections between the client and the server.

FortiADC terminates the SSL session from the client and establishes a new SSL session to the server. A certificate authority (CA) certificate and private key need to be installed on FortiADC with the "Forward Proxy” function enabled so that the server certificates can be successfully proxied and re-signed to the client.

FortiADC gets the original certificate from the server, but instead of forwarding the same certificate to the client, it creates a new one with the same CN but with different issuer and public key. This derived certificate is signed by "Local Signing CA" that is trusted by the client, so the client completes its handshake with FortiADC, and FortiADC decrypts the traffic to the security device and encrypts it to the destination.

The SNI (Server Name Indication) is a TLS extension that indicates the hostname of the SSL server that the client wants to connect to. In this version (FortiADC v6.1.0), it's a known issue that the SNI sometimes is unable to be forwarded to the destination web server, which will cause some website to be inaccessible. We will fix this issue soon.

Limitations for the SSLi function:

  • DDoS prevention is only supported in L7 Reverse Proxy.

  • Bypass function is only supported in L2/L3 transparent proxy.

  • RS_pool only supports one member (RS).

  • vDOM is not supported.

  • IPv6 is only supported in L7 Reverse Proxy.

  • Pre-login disclaimer message configuration is not supported.

Enabling SSL mode

Before beginning the deployment, you should enable the SSLi mode on FortiADC first. All the settings on the FortiADC will be erased.

execute ssli mode enable

This operation will change all settings to factory defaults. FortiADC will reboot.

You will see the SSLi Proxy menu if the SSLi mode is enabled.

When FortiADC is working in SSLi mode, the following features are not supported and are removed from GUI and CLI.

  • GLB, LLB

  • Intrusion Prevention, IP Reputation, Geo IP Protection

  • Central Management, User Authentication

All settings related to SSLi must be configured through the GUI. We do not support configuring this function through CLI, but you can view all the SSLi configurations by CLI.
Previous
Next