WAN optimization SSL proxy chaining

An SSL server does not need to be defined for WAN optimization (WANOpt) SSL traffic offloading (traffic acceleration). The server side FortiGate uses an SSL profile to resign the HTTP server's certificate, both with and without an external proxy, without an SSL server configured. GCM and ChaCha ciphers can also be used in the SSL connection.

Examples

In these examples, HTTPS traffic is accelerated without configuring an SSL server, including with a proxy in between, and when the GCM or ChaCha ciphers are used.

Example 1

In this example, the server certificate is resigned by the server side FortiGate, and HTTPS traffic is accelerated without configuring an SSL server.

HTTPS traffic with the GCM or ChaCha cipher can pass through the WANOpt tunnel.

To configure FGT_A:
  1. Configure the hard disk to perform WANOpt:

    config system storage
        edit "HDD2"
            set status enable
            set usage wanopt
            set wanopt-mode mix
        next
    end
  2. Configure the WANOpt peer and profile:

    config wanopt peer
        edit "FGT-D"
            set ip 120.120.120.172
        next
    end
    config wanopt profile
        edit "test"
            config http
                set status enable
                set ssl enable
            end
        next
    end
  3. Create an SSL profile with deep inspection on HTTPS port 443:

    config firewall ssl-ssh-profile
        edit "ssl"
            config https
                set ports 443
                set status deep-inspection
            end
        next
    end
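The steps above turn on deep inspection so that the server certificate is resigned by the server-side FortiGate and GCM or ChaCha sessions can traverse the WANOpt tunnel. The script below is an added example (not Fortinet's code and not part of the original page) that an administrator can run from a client behind FGT_A to confirm both effects: the presented certificate chains to the FortiGate's own CA, and the negotiated cipher suite is an AEAD suite (GCM or ChaCha20-Poly1305). It assumes the FortiGate deep-inspection CA has been exported to a PEM file supplied by the caller and that the CA's common name is `Fortinet_CA_SSL` (an assumed default; check the CA configured on your own unit and adjust `FORTIGATE_CA_CN`). The `assess()` function holds the pure logic so it can be exercised offline with a constructed certificate dictionary in the same shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Verify from a client that HTTPS is being resigned by the FortiGate
deep-inspection CA and that the session uses a GCM or ChaCha cipher.
Added example; not Fortinet's code. Uses only the standard library."""
import socket
import ssl

# Assumed CN of the FortiGate deep-inspection CA. Adjust for your unit.
FORTIGATE_CA_CN = "Fortinet_CA_SSL"


def cipher_class(cipher_name: str) -> str:
    """Classify an OpenSSL/IANA cipher-suite name as 'gcm', 'chacha' or 'other'."""
    name = cipher_name.upper()
    if "CHACHA20" in name:
        return "chacha"
    if "GCM" in name:
        return "gcm"
    return "other"


def issuer_cn(cert: dict) -> str:
    """Return the issuer commonName from a getpeercert()-style dictionary.

    The 'issuer' field is a tuple of RDNs, each RDN a tuple of (type, value)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def assess(cert: dict, cipher: tuple, ca_cn: str = FORTIGATE_CA_CN) -> dict:
    """Pure logic: decide whether the session was resigned by the FortiGate CA
    and whether the negotiated suite is one of the AEAD suites the page
    says can cross the WANOpt tunnel. `cipher` is the (name, protocol,
    secret_bits) tuple that ssl.SSLSocket.cipher() returns."""
    name, protocol, _bits = cipher
    klass = cipher_class(name)
    return {
        "resigned_by_fortigate": issuer_cn(cert) == ca_cn,
        "cipher": name,
        "protocol": protocol,
        "cipher_class": klass,
        "aead_ok": klass in ("gcm", "chacha"),
    }


def probe(host: str, ca_file: str, port: int = 443,
          ca_cn: str = FORTIGATE_CA_CN) -> dict:
    """Connect to host:port trusting ONLY the exported FortiGate CA.

    If the handshake verifies, the leaf certificate was resigned by that CA
    (or chains to it); a verification failure means the traffic reached us
    unresigned, which is reported rather than raised."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result = assess(tls.getpeercert(), tls.cipher(), ca_cn)
                result["handshake_ok"] = True
                return result
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to the FortiGate CA: not resigned on this path.
        return {"handshake_ok": False, "resigned_by_fortigate": False,
                "error": str(exc)}


if __name__ == "__main__":
    import sys
    # Usage: python check_resign.py <host> <exported_fortigate_ca.pem>
    print(probe(sys.argv[1], sys.argv[2]))
```

Loading only the exported FortiGate CA into the context is deliberate: a successful verified handshake then proves the certificate seen by the client was issued by that CA, which is exactly what deep inspection on FGT_A should produce, while a verification error shows the path is not being resigned.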