Fortinet white logo
Fortinet white logo

Administration Guide

HTTP connection coalescing and concurrent multiplexing for explicit proxy

HTTP connection coalescing and concurrent multiplexing for explicit proxy

HTTP connection coalescing and concurrent multiplexing allows multiple HTTP requests to share the same TCP three-way handshake when the destination IP is the same.

To configure the explicit web proxy:
config web-proxy explicit
    set http-connection-mode {static | multiplex | serverpool}
end

http-connection-mode {static | multiplex | serverpool}

Set the HTTP connection mode:

  • static: only one server connection exists during the proxy session (default).
  • multiplex: hold established connections until the proxy session ends.
  • serverpool: share established connections with other proxy sessions.

Example

In this example, multiple clients submit requests in HTTP. The requests hit the VIP address, and then FortiGate opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session as the multiple streams share the same session to connect to the same destination server.

To configure connection coalescing and concurrent multiplexing with an explicit proxy:
  1. Configure the explicit web proxy:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode serverpool
    end
  2. Enable explicit web proxy on port2:

    config system interface
        edit "port2"
            set ip 10.1.100.6 255.255.255.0
            set explicit-web-proxy enable
        next
    end
    
  3. Configure the proxy policy:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-protocol-options "default-clone"
            set ssl-ssh-profile "deep-inspection-clone"
        next
    end
    
  4. Get the clients to access the server through the explicit web proxy (10.1.100.6:8080). The FortiGate shares the first connection TCP three-way handshake with later connections that connect to same destination address.

  5. Verify the sniffer packet capture on the FortiGate server side. There is one TCP three-way handshake, but there are two HTTP connections.

  6. Change the HTTP connection mode to static:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode static
    end
  7. Verify the sniffer packet capture. This time, the FortiGate establishes a TCP connection for each client.

HTTP connection coalescing and concurrent multiplexing for explicit proxy

HTTP connection coalescing and concurrent multiplexing for explicit proxy

HTTP connection coalescing and concurrent multiplexing allows multiple HTTP requests to share the same TCP three-way handshake when the destination IP is the same.

To configure the explicit web proxy:
config web-proxy explicit
    set http-connection-mode {static | multiplex | serverpool}
end

http-connection-mode {static | multiplex | serverpool}

Set the HTTP connection mode:

  • static: only one server connection exists during the proxy session (default).
  • multiplex: hold established connections until the proxy session ends.
  • serverpool: share established connections with other proxy sessions.

Example

In this example, multiple clients submit requests in HTTP. The requests hit the VIP address, and then FortiGate opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session as the multiple streams share the same session to connect to the same destination server.

To configure connection coalescing and concurrent multiplexing with an explicit proxy:
  1. Configure the explicit web proxy:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode serverpool
    end
  2. Enable explicit web proxy on port2:

    config system interface
        edit "port2"
            set ip 10.1.100.6 255.255.255.0
            set explicit-web-proxy enable
        next
    end
    
  3. Configure the proxy policy:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-protocol-options "default-clone"
            set ssl-ssh-profile "deep-inspection-clone"
        next
    end
    
  4. Get the clients to access the server through the explicit web proxy (10.1.100.6:8080). The FortiGate shares the first connection TCP three-way handshake with later connections that connect to same destination address.

  5. Verify the sniffer packet capture on the FortiGate server side. There is one TCP three-way handshake, but there are two HTTP connections.

  6. Change the HTTP connection mode to static:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode static
    end
  7. Verify the sniffer packet capture. This time, the FortiGate establishes a TCP connection for each client.