Fortinet black logo

SSLi Deployment Guide

Home FortiADC 7.4.0 SSLi Deployment Guide

Scenario 2 – Layer 3 Transparent Proxy

7.4.0
7.4.0
Copy Link
Copy Doc ID 94056ed1-6b81-11eb-9995-00505692583a:687440
Download PDF

Scenario 2 – Layer 3 Transparent Proxy

In this scenario, FortiADC becomes a routed hop between client and gateway.

Topology

Creating Client SSL Profile for SSLi instance

  1. Go to SSLi Proxy > Application Resources, then click the tab Client SSL.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the SSLi instance name.
    • Forward Proxy: Enable this option.
    • Forward Proxy Local Signing CA: Select a CA certificate that your client trusts it.
    • Backend SSL SNI Forward: Enable this option.
  4. Save the configuration.

Creating Real Server Profile for SSLi instance

  1. Go to SSLi Proxy > Real Server Pool then click the tab Real Server.
  2. Click Create New to display the configuration editor. Here we need to add two real servers, one connecting with the gateway, and the other connecting with the security device.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the Real Server name
    • Address: Enter the correct IP address.
  4. Save the configuration.
  5. Go to SSLi Proxy > Real Server Pool, then click the tab Real Server Pool. Here we need to create two real server pools containing the above two real servers respectively.
  6. Click Create New to display the configuration editor.
  7. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the Real Server Pool.
    • Real Server SSL Profile: Enable SSL on the real server to the gateway side, and disable SSL on the one to the security device side.
    • Member: Select the correct real server in your topology.
  8. Save the configuration.

Configuring Static Routing

  1. Go to Network > Routing, then click the tab Static.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Destination: Enter a Client IP address scope.
    • Gateway: Enter a Security Device IP address which in the Re-encryption side.
  4. Save the configuration.

This static routing forwards the packets whose destination is the client IP to the security device.

Creating SSLi instance for L3 deploy

  1. Go to SSLi Proxy > Instance, then click the tab Instance.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the SSLi instance.
    • Topology: Select the L3 Transparent Proxy.
    • Decryption tab
      • Inbound Interface: Selected an interface connected to the client side.
      • Client SSL Profile: Select the client SSL profile you just created.
      • Outbound Real Server Pool: Select the server pool to the security device.
    • Re-encryption tab
      • Inbound Interface: Select an interface connected to the security device side.
      • Outbound Real Server Pool: Select the server pool to the gateway side.

      • If you have configured both L7 and L2/L3 instances for the same security device (attached to the same subnets), their port numbers must not be the same. We will remove this restriction in later releases.

  4. Save the configuration.

Enabling rt-cache-strict

Run the following command:

config router setting

set rt-cache-strict enable

config rt-cache-reverse-exception

end

end

Client side: install CA and try the SSLi function

  1. Install the Local Signing CA that FortiADC selected.
  2. Configure the ADC’s Port2 as default gateway.
  3. Open the browser and navigate to https://us.yahoo.com, you will see the derived certificate is signed by "Local Signing CA".

Testing SSLi deployment

To test the deployment, check if the plain HTTP traffic is logged on the security device.

Previous
Next

Scenario 2 – Layer 3 Transparent Proxy

In this scenario, FortiADC becomes a routed hop between client and gateway.

Topology

Creating Client SSL Profile for SSLi instance

  1. Go to SSLi Proxy > Application Resources, then click the tab Client SSL.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the SSLi instance name.
    • Forward Proxy: Enable this option.
    • Forward Proxy Local Signing CA: Select a CA certificate that your client trusts it.
    • Backend SSL SNI Forward: Enable this option.
  4. Save the configuration.

Creating Real Server Profile for SSLi instance

  1. Go to SSLi Proxy > Real Server Pool then click the tab Real Server.
  2. Click Create New to display the configuration editor. Here we need to add two real servers, one connecting with the gateway, and the other connecting with the security device.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the Real Server name
    • Address: Enter the correct IP address.
  4. Save the configuration.
  5. Go to SSLi Proxy > Real Server Pool, then click the tab Real Server Pool. Here we need to create two real server pools containing the above two real servers respectively.
  6. Click Create New to display the configuration editor.
  7. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the Real Server Pool.
    • Real Server SSL Profile: Enable SSL on the real server to the gateway side, and disable SSL on the one to the security device side.
    • Member: Select the correct real server in your topology.
  8. Save the configuration.

Configuring Static Routing

  1. Go to Network > Routing, then click the tab Static.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Destination: Enter a Client IP address scope.
    • Gateway: Enter a Security Device IP address which in the Re-encryption side.
  4. Save the configuration.

This static routing forwards the packets whose destination is the client IP to the security device.

Creating SSLi instance for L3 deploy

  1. Go to SSLi Proxy > Instance, then click the tab Instance.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the SSLi instance.
    • Topology: Select the L3 Transparent Proxy.
    • Decryption tab
      • Inbound Interface: Selected an interface connected to the client side.
      • Client SSL Profile: Select the client SSL profile you just created.
      • Outbound Real Server Pool: Select the server pool to the security device.
    • Re-encryption tab
      • Inbound Interface: Select an interface connected to the security device side.
      • Outbound Real Server Pool: Select the server pool to the gateway side.

      • If you have configured both L7 and L2/L3 instances for the same security device (attached to the same subnets), their port numbers must not be the same. We will remove this restriction in later releases.

  4. Save the configuration.

Enabling rt-cache-strict

Run the following command:

config router setting

set rt-cache-strict enable

config rt-cache-reverse-exception

end

end

Client side: install CA and try the SSLi function

  1. Install the Local Signing CA that FortiADC selected.
  2. Configure the ADC’s Port2 as default gateway.
  3. Open the browser and navigate to https://us.yahoo.com, you will see the derived certificate is signed by "Local Signing CA".

Testing SSLi deployment

To test the deployment, check if the plain HTTP traffic is logged on the security device.

Previous
Next