
New Features


HTTP2 connection coalescing and concurrent multiplexing for ZTNA, virtual server load balancing, and explicit proxy 7.2.4

Note

This information is also available in the FortiOS 7.2 Administration Guide.

HTTP2 connection coalescing and concurrent multiplexing allows multiple HTTP2 requests to share the same TLS connection when the destination IP is the same, and the host names are compatible in the certificate. This is supported for ZTNA, virtual server load balancing, and explicit proxy.

Basic settings

To configure the ZTNA access proxy:
config firewall access-proxy
    edit <name>
        set http-supported-max-version {http1 | http2}
        set svr-pool-multiplex {enable | disable}
        set svr-pool-ttl <integer>
        set svr-pool-server-max-request <integer>
    next
end

http-supported-max-version {http1 | http2}

Set the maximum supported HTTP version:

  • http1: support HTTP 1.1 and HTTP1.
  • http2: support HTTP2, HTTP 1.1, and HTTP1 (default).

svr-pool-multiplex {enable | disable}

Enable/disable server pool multiplexing. When enabled, the established server connection is shared by the HTTP, HTTPS, and web portal API gateways.

svr-pool-ttl <integer>

Set the time-to-live in the server pool for idle connections to servers (in seconds, 0 - 2147483647, default = 15).

svr-pool-server-max-request <integer>

Set the maximum number of requests that servers in server pool handle before disconnecting (0 - 2147483647, default = 0).

To configure the load balanced virtual server:
config firewall vip
    edit <name>
        set type server-load-balance 
        set server-type {http | https}
        set http-multiplex {enable | disable}
        set http-multiplex-ttl <integer>
        set http-multiplex-max-request <integer>
        set http-supported-max-version {http1 | http2}
    next
end

http-multiplex {enable | disable}

Enable/disable HTTP multiplexing.

http-multiplex-ttl <integer>

Set the time-to-live for idle connections to servers (in seconds, 0 - 2147483647, default = 15).

http-multiplex-max-request <integer>

Set the maximum number of requests that the multiplex server can handle before disconnecting (0 - 2147483647, default = 0).

http-supported-max-version {http1 | http2}

Set the maximum supported HTTP version:

  • http1: support HTTP 1.1 and HTTP1.
  • http2: support HTTP2, HTTP 1.1, and HTTP1 (default).

To configure the explicit web proxy:
config web-proxy explicit
    set http-connection-mode {static | multiplex | serverpool}
end

http-connection-mode {static | multiplex | serverpool}

Set the HTTP connection mode:

  • static: only one server connection exists during the proxy session (default).
  • multiplex: hold established connections until the proxy session ends.
  • serverpool: share established connections with other proxy sessions.

Examples

In the following examples, multiple clients submit requests in HTTP2. The requests hit the VIP address, and then FortiGate opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session as the multiple streams share the same TLS session to connect to the same destination server.

ZTNA

In ZTNA scenarios, the FortiGate application gateway may accept multiple HTTP2 requests to the same ZTNA server destined to different virtual hosts on the same real server. These HTTP2 requests can share the same TLS connection between the FortiGate and the real server so that the handshake does not need to be performed multiple times for multiple connections.

Note

In order for the FortiGate to match the SNI (Server Name Indication), this SNI value must appear under the SAN extension on the server certificate. Configuring the SNI value under the CN alone will not work.

To configure connection coalescing and concurrent multiplexing with ZTNA:
  1. Configure the VIP:

    config firewall vip
        edit "vip-ztna"
            set type access-proxy
            set extip 10.1.100.223
            set extintf "port2"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure the ZTNA server and path mapping:

    config firewall access-proxy
        edit "ztna"
            set vip "vip-ztna"
            set client-cert disable
            set svr-pool-multiplex enable
            set http-supported-max-version http2
            config api-gateway
                edit 1
                    set url-map "/a"
                    set virtual-host "a.ftnt.com"
                    config realservers
                        edit 1
                            set ip 172.16.200.99
                        next
                    end
                next
                edit 2
                    set url-map "/b"
                    set virtual-host "b.ftnt.com"
                    config realservers
                        edit 1
                            set ip 172.16.200.99
                        next
                    end
                next
            end
        next
    end
  3. Configure the ZTNA policy:

    config firewall proxy-policy
        edit 3
            set proxy access-proxy
            set access-proxy "ztna"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set utm-status enable
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
        next
    end
    
  4. Get the clients to access a.ftnt.com and b.ftnt.com. The clients share access to the same real server and certificate (CN=*.ftnt.com). The FortiGate shares the first TLS connection with the second TLS connection.

  5. Verify the sniffer packet capture on the FortiGate server side. There is one client hello.

  6. Disable server pool multiplexing:

    config firewall access-proxy
        edit "ztna"
            set vip "vip-ztna"
            set svr-pool-multiplex disable
        next
    end
  7. Verify the sniffer packet capture. This time, the FortiGate does not coalesce the TLS connection, so there are two client hellos.
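The note above and step 4 together define when two virtual hosts can ride one back-end TLS connection: same real server IP, and the SNI covered by the server certificate's SAN (a CN-only match does not count). The following Python script is an added example, not FortiOS code or output, that applies those two rules to a constructed host-to-server map and a constructed certificate summary (the `API_GATEWAYS` and `SERVER_CERT` values, the `san_matches`, `coalescing_groups` and `expected_client_hellos` functions, and the extra hosts `x.y.ftnt.com`, `c.other.example` and `d.ftnt.com` are all assumptions made for the example). It goes slightly beyond the page's two-host case by also showing a multi-label name under the wildcard and a name that appears only in the CN, and it predicts how many client hellos a server-side capture should show.

```python
"""Which ZTNA virtual hosts may share one back-end TLS connection?

Added example, not FortiOS code. It applies the two conditions the feature
description gives for coalescing: the requests must go to the same real
server IP, and the host name (the SNI) must be covered by the server
certificate, where only SAN dNSName entries count; a name that matches the
CN alone is not accepted. The gateway map and certificate below are
constructed sample data, not parsed from a real certificate.
"""
from collections import defaultdict

# Constructed: virtual host -> real server IP, modelled on the api-gateway
# entries in the ZTNA example plus three extra hosts to exercise the rules.
API_GATEWAYS = {
    "a.ftnt.com": "172.16.200.99",
    "b.ftnt.com": "172.16.200.99",
    "x.y.ftnt.com": "172.16.200.99",     # two labels under the wildcard
    "c.other.example": "172.16.200.99",  # appears only in the CN
    "d.ftnt.com": "172.16.200.100",      # different real server
}

# Constructed certificate summary: the CN is kept only to show it is ignored.
SERVER_CERT = {
    "cn": "c.other.example",
    "san_dns": ["*.ftnt.com"],
}


def san_matches(name: str, host: str) -> bool:
    """dNSName comparison in the RFC 6125 style: case-insensitive, and a
    '*' is allowed only as the whole leftmost label, where it stands for
    exactly one label (so *.ftnt.com covers a.ftnt.com but not x.y.ftnt.com
    or ftnt.com)."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in name:
        return name == host
    name_labels, host_labels = name.split("."), host.split(".")
    if name_labels[0] != "*" or "*" in name[1:]:
        return False
    if len(name_labels) != len(host_labels) or len(host_labels) < 3:
        return False
    return name_labels[1:] == host_labels[1:]


def covered_by_san(cert: dict, host: str) -> bool:
    return any(san_matches(n, host) for n in cert["san_dns"])


def coalescing_groups(gateways: dict, cert: dict):
    """Return (groups, rejected). groups maps a real server IP to the sorted
    virtual hosts that may share one TLS connection to it; rejected maps a
    host to the reason it gets a TLS connection of its own."""
    groups = defaultdict(list)
    rejected = {}
    for host, ip in gateways.items():
        if covered_by_san(cert, host):
            groups[ip].append(host)
        elif san_matches(cert["cn"], host):
            rejected[host] = "matches the CN only; the SNI must appear in the SAN"
        else:
            rejected[host] = "not covered by the certificate"
    return {ip: sorted(hosts) for ip, hosts in groups.items()}, rejected


def expected_client_hellos(gateways: dict, cert: dict) -> int:
    """One Client Hello per coalescing group plus one per rejected host:
    the number a server-side capture should show with multiplexing on."""
    groups, rejected = coalescing_groups(gateways, cert)
    return len(groups) + len(rejected)


if __name__ == "__main__":
    groups, rejected = coalescing_groups(API_GATEWAYS, SERVER_CERT)
    for ip, hosts in groups.items():
        print(f"{ip}: one TLS connection shared by {', '.join(hosts)}")
    for host, why in rejected.items():
        print(f"{host}: separate TLS connection ({why})")
    print("expected client hellos:", expected_client_hellos(API_GATEWAYS, SERVER_CERT))
```

With the constructed data, a.ftnt.com and b.ftnt.com form one group on 172.16.200.99 (one client hello, as in step 5), d.ftnt.com is its own group on the other server, and the two remaining hosts each get a separate connection, so four client hellos in total. Replacing `SERVER_CERT["san_dns"]` with the real certificate's SAN list is the quickest way to see why a host is not being coalesced.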

Virtual server load balancing

To configure connection coalescing and concurrent multiplexing with virtual server load balancing:
  1. Configure the virtual server:

    config firewall vip
        edit "vip-test"
            set type server-load-balance
            set extip 10.1.100.222
            set extintf "port2"
            set server-type https
            set extport 443
            config realservers
                edit 1
                    set ip 172.16.200.99
                    set port 443
                next
            end
            set http-multiplex enable
            set ssl-mode full
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set action accept
            set srcaddr "all"
            set dstaddr "vip-test"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
            set logtraffic all
            set nat enable
        next
    end
    
  3. Get the clients to access the VIP address (10.1.100.222). The FortiGate shares the first TLS connection with the second TLS connection.

  4. Verify the sniffer packet capture on the FortiGate server side. There is one client hello.

  5. Disable HTTP multiplexing:

    config firewall vip
        edit "vip-test"
            config realservers
                edit 1
                    set type ip
                    set ip 172.16.200.99
                    set port 443
                next
            end
            set http-multiplex disable
        next
    end
  6. Verify the sniffer packet capture. This time, the FortiGate does not reuse the TLS connection, so there are two client hellos sent to the real server.

Explicit proxy

To configure connection coalescing and concurrent multiplexing with an explicit proxy:
  1. Configure the explicit web proxy:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode serverpool
    end

    Note

    Connection coalescing and concurrent multiplexing with an explicit proxy only supports HTTP.

  2. Enable explicit web proxy on port2:

    config system interface
        edit "port2"
            set ip 10.1.100.6 255.255.255.0
            set explicit-web-proxy enable
        next
    end
    
  3. Configure the proxy policy:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-protocol-options "default-clone"
            set ssl-ssh-profile "deep-inspection-clone"
        next
    end
    
  4. Get the clients to access the server through the explicit web proxy (10.1.100.6:8080). The FortiGate shares the first connection's TCP three-way handshake with later connections to the same destination address.

  5. Verify the sniffer packet capture on the FortiGate server side. There is one TCP three-way handshake, but there are two HTTP connections.

  6. Change the HTTP connection mode to static:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode static
    end
  7. Verify the sniffer packet capture. This time, the FortiGate establishes a TCP connection for each client.
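Each of the three procedures ends with a sniffer capture read by eye: one TCP handshake (and one client hello) to the real server while multiplexing is on, one per client once it is off. The following Python script is an added example, not FortiOS code or output, that makes that check mechanical over the tcpdump-like lines `diagnose sniffer packet` prints at verbosity 4 (`timestamp interface in|out src.port -> dst.port: flags ...`). The two captures `MULTIPLEX_ON` and `MULTIPLEX_OFF` are constructed sample lines, not captures from this page, and the `parse_line` and `count_server_connections` functions and the `LINE_RE` pattern are assumptions made for the example.

```python
"""Count FortiGate-to-server TCP connections in sniffer output.

Added example, not FortiOS code. It reads the tcpdump-like lines that
'diagnose sniffer packet' prints at verbosity 4 (timestamp, interface,
direction, 'src.port -> dst.port: flags ...') and counts, toward one real
server, how many three-way handshakes complete and how many data segments
are then sent on them. That is the check steps 5 and 7 of each procedure
make by eye: one handshake carrying several requests when multiplexing is
on, one handshake per client when it is off. The capture lines below are
constructed sample output, not a capture from this page.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)

# Constructed: multiplexing on, one back-end connection (source port 50012)
# carries two requests.
MULTIPLEX_ON = """\
1.000000 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: syn 1000
1.000100 port3 in 172.16.200.99.443 -> 172.16.200.6.50012: syn 2000 ack 1001
1.000200 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: ack 2001
1.001000 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: psh 1001 ack 2001
1.050000 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: psh 1518 ack 3200
""".splitlines()

# Constructed: multiplexing off, each client gets its own back-end
# connection (source ports 50012 and 50013).
MULTIPLEX_OFF = """\
1.000000 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: syn 1000
1.000100 port3 in 172.16.200.99.443 -> 172.16.200.6.50012: syn 2000 ack 1001
1.000200 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: ack 2001
1.001000 port3 out 172.16.200.6.50012 -> 172.16.200.99.443: psh 1001 ack 2001
1.040000 port3 out 172.16.200.6.50013 -> 172.16.200.99.443: syn 5000
1.040100 port3 in 172.16.200.99.443 -> 172.16.200.6.50013: syn 6000 ack 5001
1.040200 port3 out 172.16.200.6.50013 -> 172.16.200.99.443: ack 6001
1.041000 port3 out 172.16.200.6.50013 -> 172.16.200.99.443: psh 5001 ack 6001
""".splitlines()


def parse_line(line: str):
    """Return the fields of one packet line, or None for lines that are not
    packet lines (the sniffer's header lines, hex dumps, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    tokens = p["flags"].split()
    p["first_flag"] = tokens[0] if tokens else ""
    p["ack"] = "ack" in tokens
    return p


def count_server_connections(lines, server_ip: str, server_port: int = 443):
    """Return (connections, data_segments): completed handshakes from the
    FortiGate to server_ip:server_port, and data segments sent on them."""
    syn_sent, syn_acked, completed = set(), set(), set()
    data_segments = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == server_ip and p["dport"] == str(server_port):
            flow = (p["src"], p["sport"])  # FortiGate side of the flow
            if p["first_flag"] == "syn" and not p["ack"]:
                syn_sent.add(flow)
            elif p["first_flag"] == "ack" and flow in syn_acked:
                completed.add(flow)
            elif p["first_flag"] == "psh" and flow in completed:
                data_segments += 1
        elif p["src"] == server_ip and p["sport"] == str(server_port):
            flow = (p["dst"], p["dport"])
            if p["first_flag"] == "syn" and p["ack"] and flow in syn_sent:
                syn_acked.add(flow)
    return len(completed), data_segments


if __name__ == "__main__":
    for label, lines in (("multiplex on", MULTIPLEX_ON), ("multiplex off", MULTIPLEX_OFF)):
        conns, segs = count_server_connections(lines, "172.16.200.99")
        print(f"{label}: {conns} handshake(s), {segs} data segment(s) to the server")
```

Feed it a saved sniffer session filtered on the real server (for example `host 172.16.200.99 and port 443`) and compare the handshake count against the number of clients: one handshake with several data segments means the connections were coalesced; one handshake per client means they were not, which is what steps 6 and 7 produce after multiplexing is disabled. For the HTTPS cases each handshake also corresponds to one client hello, since a new TLS session needs a new TCP connection here.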
