WAN optimization SSL proxy chaining
An SSL server does not need to be defined for WAN optimization (WANOpt) SSL traffic offloading (traffic acceleration). The server-side FortiGate uses an SSL profile to resign the HTTP server's certificate, with or without an external proxy in the path, and no SSL server needs to be configured. GCM and ChaCha ciphers can also be used in the SSL connection.
Examples
In these examples, HTTPS traffic is accelerated without configuring an SSL server, including with a proxy in between, and when the GCM or ChaCha ciphers are used.
Example 1
In this example, the server certificate is resigned by the server-side FortiGate, and HTTPS traffic is accelerated without configuring an SSL server.
HTTPS traffic using the GCM or ChaCha cipher can pass through the WANOpt tunnel.
To configure FGT_A:
- Configure the hard disk to perform WANOpt:
    config system storage
        edit "HDD2"
            set status enable
            set usage wanopt
            set wanopt-mode mix
        next
    end
- Configure the WANOpt peer and profile:
    config wanopt peer
        edit "FGT-D"
            set ip 120.120.120.172
        next
    end
    config wanopt profile
        edit "test"
            config http
                set status enable
                set ssl enable
            end
        next
    end
- Create an SSL profile with deep inspection on HTTPS port 443:
    config firewall ssl-ssh-profile
        edit "ssl"
            config https
                set ports 443
                set status deep-inspection
            end
        next
    end
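As an added example (not Fortinet's or this page's own code), the following Python parses FortiOS CLI blocks like the ones above and checks the two settings this setup depends on: ssl enabled under the WANOpt profile's http section, and deep-inspection on port 443 in the SSL profile. The profile names and the two re-typed blocks come from the steps above; the parser itself handles only the config/edit/set/next/end keywords.

```python
import shlex

# Constructed sample input: the WANOpt profile and SSL profile from the steps above.
WANOPT_PROFILE = """
config wanopt profile
    edit "test"
        config http
            set status enable
            set ssl enable
        end
    next
end
"""
SSL_PROFILE = """
config firewall ssl-ssh-profile
    edit "ssl"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end CLI into nested dicts.
    'config X Y' and 'edit "name"' open a child dict; 'set k v...' stores k -> [v...]."""
    root, stack, node = {}, [], {}
    node = root
    for raw in text.splitlines():
        words = shlex.split(raw)          # strips the quotes around edit names
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(words[1:]), {})
        elif words[0] in ("end", "next"):
            node = stack.pop()
        elif words[0] == "set":
            node[words[1]] = words[2:]
    return root

def check_wanopt_ssl(wanopt_text, ssl_text, profile="test", ssl_profile="ssl"):
    """Return the list of settings that would stop HTTPS from being resigned/accelerated."""
    problems = []
    http = parse_fortios(wanopt_text).get("wanopt profile", {}).get(profile, {}).get("http", {})
    if http.get("status") != ["enable"]:
        problems.append("wanopt profile: http status not enabled")
    if http.get("ssl") != ["enable"]:
        problems.append("wanopt profile: http ssl not enabled")
    https = parse_fortios(ssl_text).get("firewall ssl-ssh-profile", {}).get(ssl_profile, {}).get("https", {})
    if https.get("status") != ["deep-inspection"]:
        problems.append("ssl-ssh-profile: https status is not deep-inspection")
    if "443" not in https.get("ports", []):
        problems.append("ssl-ssh-profile: port 443 not inspected")
    return problems
```

Run the check against a `show wanopt profile` / `show firewall ssl-ssh-profile` dump to confirm both pieces of the configuration are in place before testing acceleration.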