Administration Guide

HTTP connection coalescing and concurrent multiplexing for explicit proxy

HTTP connection coalescing and concurrent multiplexing allow multiple HTTP requests to share the same TCP three-way handshake when the destination IP is the same.

To configure the explicit web proxy:

    config web-proxy explicit
        set http-connection-mode {static | multiplex | serverpool}
    end

http-connection-mode {static | multiplex | serverpool}

Set the HTTP connection mode:

  • static: only one server connection exists during the proxy session (default).
  • multiplex: hold established connections until the proxy session ends.
  • serverpool: share established connections with other proxy sessions.

Example

In this example, multiple clients submit HTTP requests. The requests hit the VIP address, and then FortiGate opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session, as the multiple streams share the same session to connect to the same destination server.

To configure connection coalescing and concurrent multiplexing with an explicit proxy:
  1. Configure the explicit web proxy:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode serverpool
    end

  2. Enable explicit web proxy on port2:

    config system interface
        edit "port2"
            set ip 10.1.100.6 255.255.255.0
            set explicit-web-proxy enable
        next
    end
    
  3. Configure the proxy policy:

    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set profile-protocol-options "default-clone"
            set ssl-ssh-profile "deep-inspection-clone"
        next
    end
    
  4. Get the clients to access the server through the explicit web proxy (10.1.100.6:8080). The FortiGate shares the first connection's TCP three-way handshake with later connections that connect to the same destination address.

  5. Verify the sniffer packet capture on the FortiGate server side. There is one TCP three-way handshake, but there are two HTTP connections.

  6. Change the HTTP connection mode to static:

    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
        set http-connection-mode static
    end

  7. Verify the sniffer packet capture. This time, the FortiGate establishes a TCP connection for each client.
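The check in steps 5 and 7 can be scripted once the server-side capture has been exported to text. The following is an added example, not Fortinet code: it counts TCP handshakes and HTTP requests sent from the FortiGate (172.16.200.6) to the server (172.16.200.99). The one-record-per-line format and the sample captures are constructed for illustration and are not FortiGate sniffer output, and the samples assume cleartext HTTP/1.x with one request per client.

```python
import re
from collections import Counter

PROXY, SERVER = "172.16.200.6", "172.16.200.99"  # addresses from the example
# Constructed records, NOT FortiGate sniffer output. Assumed format:
# "<time> <src>:<sport> > <dst>:<dport> <flags> [first payload line]"
SERVERPOOL_SAMPLE = """\
0.000 172.16.200.6:20001 > 172.16.200.99:80 S
0.001 172.16.200.99:80 > 172.16.200.6:20001 SA
0.002 172.16.200.6:20001 > 172.16.200.99:80 A
0.010 172.16.200.6:20001 > 172.16.200.99:80 PA GET /a.html HTTP/1.1
0.020 172.16.200.99:80 > 172.16.200.6:20001 PA HTTP/1.1 200 OK
0.500 172.16.200.6:20001 > 172.16.200.99:80 PA GET /b.html HTTP/1.1
"""
STATIC_SAMPLE = """\
0.000 172.16.200.6:20001 > 172.16.200.99:80 S
0.010 172.16.200.6:20001 > 172.16.200.99:80 PA GET /a.html HTTP/1.1
0.500 172.16.200.6:20002 > 172.16.200.99:80 S
0.510 172.16.200.6:20002 > 172.16.200.99:80 PA GET /b.html HTTP/1.1
"""

LINE = re.compile(r"^\S+ (\S+):(\d+) > (\S+):(\d+) (\S+)(?: (.*))?$")
REQUEST = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]$")

def summarize(capture: str) -> dict:
    """Count handshakes and HTTP requests in the proxy-to-server direction."""
    syns, requests = Counter(), Counter()
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        src, sport, dst, _dport, flags, payload = m.groups()
        if (src, dst) != (PROXY, SERVER):
            continue  # ignore server replies and unrelated traffic
        if flags == "S":  # SYN without ACK: a new server-side connection
            syns[sport] += 1
        if payload and REQUEST.match(payload):
            requests[sport] += 1
    handshakes, total = sum(syns.values()), sum(requests.values())
    return {
        "handshakes": handshakes,
        "http_requests": total,
        "requests_per_connection": dict(requests),
        "shared": total > handshakes,  # requests outnumber handshakes
    }

if __name__ == "__main__":
    print("serverpool:", summarize(SERVERPOOL_SAMPLE))
    print("static:    ", summarize(STATIC_SAMPLE))
```

A client that keeps its own connection alive and sends several requests also produces more requests than handshakes, so compare the per-connection counts against the number of distinct clients before concluding that connections are shared across proxy sessions.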
