Scenario 3 – Layer 7 Reverse Proxy

7.4.0

In this scenario, FortiADC acts as a reverse proxy for the client: the client connects to a virtual IP on FortiADC, which terminates TLS, and the security device is configured as a real server (a pool member) to which the decrypted traffic is forwarded.

As shown in the topology graphic, traffic leaving FortiADC on port6 has source IP 10.88.0.1 and destination IP 10.88.0.2, and traffic leaving on port3 has source IP 10.2.0.1 and destination IP 10.2.0.163. Because FortiADC is a full proxy here, the real servers on both sides see FortiADC's own interface address as the source, not the original client address.

Topology

Creating Real Server Profile for SSLi instance

  1. Go to SSLi Proxy > Real Server Pool, then click the Real Server tab.
  2. Click Create New to display the configuration editor. Two real servers are needed: one for the gateway and one for the security device.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the real server.
    • Address: Enter the IP address of the gateway or of the security device, respectively.
  4. Save the configuration.
  5. Go to SSLi Proxy > Real Server Pool, then click the Real Server Pool tab. Two real server pools are needed, each containing one of the real servers created above.
  6. Click Create New to display the configuration editor.
  7. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the real server pool.
    • Real Server SSL Profile: Enable SSL on the pool that points to the gateway, so that FortiADC re-encrypts traffic before forwarding it; disable SSL on the pool that points to the security device, which must receive the decrypted traffic in the clear in order to inspect it. A security device pool with SSL enabled would receive re-encrypted traffic and inspect nothing.
    • Member: Select the real server that matches the pool's side of your topology.
  8. Save the configuration.

Creating the SSLi instance for L7 deployment

  1. Go to SSLi Proxy > Instance, then click the Instance tab.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the SSLi instance.
    • Topology: Select L7 Transparent Proxy.
    • Decryption tab
      • Address: The IP address that clients connect to (the virtual IP on which FortiADC terminates TLS).
      • Port: The port number that clients connect to.
      • Inbound Interface: Select the interface facing the client (Internet) side.
      • Outbound Real Server Pool: Select the pool that points to the security device (the pool with SSL disabled). Decrypted traffic is sent along this path.
    • Re-encryption tab
      • Address: The IP address on which FortiADC listens for the traffic that the security device returns after inspection.
      • Port: The listening port number.
      • Inbound Interface: Select the interface facing the security device.
      • Outbound Real Server Pool: Select the pool that points to the gateway (the pool with SSL enabled). Traffic is re-encrypted before it leaves along this path.
    • If both an L7 instance and an L2/L3 instance are configured for the same security device (attached to the same subnets), the two instances must use different port numbers. This restriction will be removed in a later release.
  4. Save the configuration.

Client side: install CA and try the SSLi function

Install the CA certificate that signs the derived certificates (here, Local Certificate (Factory)) in the client's trust store. Then open a browser and navigate to https://10.1.0.50 (the address configured in SSLi Instance > Decryption tab for the client to access). The certificate presented is the derived certificate, issued by Local Certificate (Factory) rather than by the origin server's CA; this is the visible sign that FortiADC is terminating TLS. If the CA is not installed, the browser shows a trust warning, which is expected behaviour rather than a fault in the instance. The factory certificate is convenient for verifying the setup; for production, sign derived certificates with a CA that your organization controls and distribute only that CA to clients.

Testing SSLi deployment

To test the deployment, fetch https://10.1.0.50 from the client and confirm on the security device that the request arrives as plain HTTP and is logged there. As the topology shows, the security device sees the request coming from FortiADC's own interface address, not from the client's address. If the security device logs TLS records instead of HTTP, check that SSL is disabled on its real server pool; if nothing arrives at all, check the Outbound Real Server Pool and Inbound Interface settings on the Decryption tab.
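The following script, added here as an example and not part of the Fortinet page, automates the two checks from the "Client side" and "Testing SSLi deployment" sections: on the client it confirms that the certificate served at the VIP chains to, and is issued by, the SSLi signing CA; on the security device it confirms that the request arrives as cleartext HTTP from FortiADC. It assumes, beyond what the page states, that the SSLi signing CA has been exported from FortiADC to a PEM file, that the security device is a Linux host with tcpdump and coreutils timeout, that its real-server port is 80, and, following the topology figure, that FortiADC reaches the security device at 10.88.0.2 from source 10.88.0.1. The two text-only helpers (issued_by_ca and has_plaintext_http) can be exercised with constructed input; the live checks run only when the script is invoked with client or secdev.

```shell
#!/bin/sh
# Added example, not from the Fortinet page: end-to-end checks for the L7 SSLi deployment.
# Assumptions (the page does not state them): the SSLi signing CA has been exported from
# FortiADC to the file $SSLI_CA; the security device is a Linux host with tcpdump, reached
# on $SEC_IFACE, and it accepts the decrypted traffic on TCP port $SEC_PORT.
VIP="${SSLI_VIP:-10.1.0.50}"        # Decryption tab > Address (from the page)
VIP_PORT="${SSLI_PORT:-443}"        # Decryption tab > Port (assumed 443)
SSLI_CA="${SSLI_CA:-ssli-ca.pem}"   # exported SSLi signing CA, PEM (assumption)
SEC_IFACE="${SEC_IFACE:-eth1}"      # security device interface toward FortiADC (assumption)
SEC_PORT="${SEC_PORT:-80}"          # real-server port of the security device (assumption)
FADC_SRC="10.88.0.1"                # source IP FortiADC uses toward the security device (figure)
SEC_DEV="10.88.0.2"                 # security device address (figure)

# Compare an "issuer=..." line of the leaf certificate with the "subject=..." line of
# the SSLi CA. Returns 0 when the leaf was issued by that CA. Both OpenSSL output
# styles ("issuer=CN = x" and "issuer= /CN=x") are reduced to the bare DN first.
issued_by_ca() {
    leaf_issuer=$(printf '%s\n' "$1" | sed 's/^[a-z]*= *//')
    ca_subject=$(printf '%s\n' "$2" | sed 's/^[a-z]*= *//')
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$ca_subject" ]
}

# Scan a "tcpdump -nn -A" text dump for a cleartext HTTP request carried from FortiADC
# to the security device. Returns 0 only when both a packet header line for that flow
# and an HTTP request line are present; TLS records on 443 never satisfy this.
has_plaintext_http() {
    printf '%s\n' "$1" | grep -q "IP $FADC_SRC\.[0-9][0-9]* > $SEC_DEV\.$SEC_PORT:" || return 1
    printf '%s\n' "$1" | grep -Eq '(GET|POST|HEAD|PUT|DELETE) /[^ ]* HTTP/1\.[01]'
}

# Run on the client: the certificate served at the VIP must verify against the SSLi CA
# and must name that CA as its issuer (the "derived certificate" the page describes).
client_check() {
    leaf=$(openssl s_client -connect "$VIP:$VIP_PORT" -CAfile "$SSLI_CA" \
               -verify_return_error </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -issuer) \
        || { echo "FAIL: handshake or chain verification against $SSLI_CA failed"; return 1; }
    printf '%s\n' "$leaf"
    issued_by_ca "$(printf '%s\n' "$leaf" | grep '^issuer=')" \
                 "$(openssl x509 -in "$SSLI_CA" -noout -subject)" \
        || { echo "FAIL: leaf certificate is not issued by the SSLi CA"; return 1; }
    echo "OK: derived certificate issued by the SSLi CA"
}

# Run on the security device while the client fetches https://$VIP/: the decrypted
# request must arrive in cleartext from FortiADC's address, not the client's.
secdev_check() {
    dump=$(timeout 30 tcpdump -i "$SEC_IFACE" -nn -A -c 40 \
               "src host $FADC_SRC and dst host $SEC_DEV and tcp dst port $SEC_PORT" 2>/dev/null) \
        || true   # timeout expiring still leaves whatever was captured in $dump
    has_plaintext_http "$dump" \
        && echo "OK: cleartext HTTP from $FADC_SRC seen on $SEC_IFACE" \
        || { echo "FAIL: no cleartext HTTP request from $FADC_SRC captured"; return 1; }
}

case "${1:-}" in
    client) client_check ;;
    secdev) secdev_check ;;
    *) : ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Run `sh ssli-check.sh client` on the client and `sh ssli-check.sh secdev` on the security device while the client fetches the page. A capture that contains only port 443 traffic with no HTTP request line means the security device is receiving re-encrypted data, which points at SSL being left enabled on its real server pool.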
