HTTP connection coalescing and concurrent multiplexing for explicit proxy
HTTP connection coalescing and concurrent multiplexing allow multiple HTTP requests to share the same TCP three-way handshake when the destination IP is the same.
To configure the explicit web proxy:
    config web-proxy explicit
        set http-connection-mode {static | multiplex | serverpool}
    end
http-connection-mode {static | multiplex | serverpool}
Set the HTTP connection mode:
Example
In this example, multiple clients submit requests over HTTP. The requests hit the VIP address, and then FortiGate opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session, as the multiple streams share the same session to connect to the same destination server.
To configure connection coalescing and concurrent multiplexing with an explicit proxy:
- Configure the explicit web proxy:
    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode serverpool
    end
- Enable explicit web proxy on port2:
    config system interface
        edit "port2"
            set ip 10.1.100.6 255.255.255.0
            set explicit-web-proxy enable
        next
    end
- Configure the proxy policy:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-protocol-options "default-clone"
            set ssl-ssh-profile "deep-inspection-clone"
        next
    end
- Get the clients to access the server through the explicit web proxy (10.1.100.6:8080). The FortiGate shares the first connection's TCP three-way handshake with later connections that connect to the same destination address.
- Verify the sniffer packet capture on the FortiGate server side. There is one TCP three-way handshake, but there are two HTTP connections.
- Change the HTTP connection mode to static:
    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode static
    end
- Verify the sniffer packet capture. This time, the FortiGate establishes a TCP connection for each client.
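The two verification steps above can be scripted by comparing completed handshakes on the client side (port2) with those on the server side (port3). This is an added example, not code from the original page or from Fortinet. Assumptions: the one-line-per-packet text layout, the client addresses 10.1.100.11 and 10.1.100.22, and server port 80 are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, not a real capture. The layout
# (time, interface, direction, src.port -> dst.port: flags) is an assumption
# modelled on a text sniffer summary; adapt LINE to your tool's output.
SAMPLE = """\
0.000100 port2 in 10.1.100.11.40001 -> 10.1.100.6.8080: syn 1000
0.000200 port2 out 10.1.100.6.8080 -> 10.1.100.11.40001: syn 2000 ack 1001
0.000300 port2 in 10.1.100.11.40001 -> 10.1.100.6.8080: ack 2001
0.001000 port3 out 172.16.200.6.51000 -> 172.16.200.99.80: syn 3000
0.001100 port3 in 172.16.200.99.80 -> 172.16.200.6.51000: syn 4000 ack 3001
0.001200 port3 out 172.16.200.6.51000 -> 172.16.200.99.80: ack 4001
0.500100 port2 in 10.1.100.22.40002 -> 10.1.100.6.8080: syn 5000
0.500200 port2 out 10.1.100.6.8080 -> 10.1.100.22.40002: syn 6000 ack 5001
0.500300 port2 in 10.1.100.22.40002 -> 10.1.100.6.8080: ack 6001
"""

LINE = re.compile(r"^\S+ (\S+) (?:in|out) (\S+)\.(\d+) -> (\S+)\.(\d+): (.+)$")

def count_handshakes(text):
    """Return {interface: completed three-way handshakes seen on it}."""
    state = {}   # (iface, initiator, responder) -> 1 = SYN seen, 2 = SYN-ACK seen
    done = defaultdict(int)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                              # skip banners and other lines
        iface, src, sport, dst, dport, flags = m.groups()
        a, b = (src, sport), (dst, dport)
        words = flags.split()
        if words[0] == "syn" and "ack" not in words:
            state[(iface, a, b)] = 1              # SYN opens a new attempt
        elif words[0] == "syn":
            if state.get((iface, b, a)) == 1:     # SYN-ACK from the responder
                state[(iface, b, a)] = 2
        elif words[0] == "ack" and state.get((iface, a, b)) == 2:
            done[iface] += 1                      # final ACK completes the handshake
            del state[(iface, a, b)]
    return dict(done)

def coalesced(text, client_if="port2", server_if="port3"):
    """True when fewer server-side than client-side handshakes completed."""
    n = count_handshakes(text)
    return n.get(server_if, 0) < n.get(client_if, 0)
```

Comparing the two interfaces, rather than counting HTTP requests per server connection, avoids mistaking one client's keep-alive reuse for coalescing across clients.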