Creating an ADFS server pool
When FortiWeb receives traffic destined for the virtual server, it forwards the traffic to the server pool containing the ADFS servers.
The ADFS servers require a valid client certificate to secure the connections. You need to upload the client certificate for FortiWeb, then reference this certificate in the server pool settings.
To upload a certificate
- Go to Server Objects > Certificates > Local.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category.
- Click Import.
- Select PKCS12 Certificate for the Type option.
- Click Browse to locate the PKCS12 certificate file that you want to upload.
- Type the password that was used to encrypt the file, so that FortiWeb can decrypt and install the certificate. Skip this step if the certificate file is not encrypted with a password.
- Click OK.
To configure a server pool
- Go to System > Config > Feature Visibility, then enable ADFS Policy. Skip this step if it is already enabled.
To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the System Configuration category.
- Go to Server Objects > Server > Server Pool.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Server Policy Configuration category.
- Click Create New > Create ADFS Server Pool.
- Type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
- Type a name for the ADFS Server. It should be the federation service name. This option is mandatory if the ADFS Server needs to verify the server name in the SSL handshake.
- Select Single Server or Server Balance. In Server Balance mode, you can add multiple servers to the server pool. The load balancing rule for the ADFS server pool is Source IP Hash: it distributes new TCP connections using a hash algorithm based on the source IP address of the request, so connections from the same client address are sent to the same pool member.
- If you have selected Server Balance, specify a Server Health Check rule to test server availability. By default, this health check is used for all pool members, but you can use the pool member configuration to assign a different health check to a member. For details, see Configuring server up/down checks.
- Type comments if any.
- Click OK to create the server pool. The ADFS server pool type is Reverse Proxy by default, and it only supports a single server in the server pool.
- Click Create New to create a server pool rule.
- Configure these settings:
- Configure SSL settings if necessary.
  - Supported SSL Protocols: Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to this pool member.
    For details, see "Supported cipher suites & protocol versions" in the FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
  - SSL/TLS Encryption Level: Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.
    For details, see "Supported cipher suites & protocol versions" in the FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).
  - Session Ticket Reuse: Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.
  - Session ID Reuse: Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and a session ID exist for a pserver, FortiWeb reuses the ticket.
- Configure advanced settings if necessary.
  - Recover: Specifies the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.
    The default is 0 (disabled). The valid range is 0 to 86,400 seconds. After the recovery period elapses, FortiWeb assigns connections at the rate specified by Warm Rate.
    Examples of when the server experiences a recovery and warm-up period:
    - A server is coming back online after the health check monitor detected it was down.
    - A network service is brought up before other daemons have finished initializing, and therefore the server is using more CPU and memory resources than when startup is complete.
    To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.
    Tip: During scheduled maintenance, you can also manually apply these limits by setting Status to Maintenance.
  - Warm Up: Specifies for how long FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load. For example, when the pool member begins to respond but startup is not fully complete.
    The default is 0 (disabled). The valid range is 1 to 86,400 seconds.
  - Warm Rate: Specifies the maximum connection rate while the pool member is starting up.
    The default is 10 connections per second. The valid range is 0 to 86,400 connections per second. The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more utilized than they are during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.
    For example, if Warm Up is 5 and Warm Rate is 2, the maximum number of new connections increases at the following rate:
    - 1st second—Total of 2 new connections allowed (0+2).
    - 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
    - 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
    - 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
    - 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
- Click OK.
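The following Python is an added illustration, not FortiWeb code or part of the Fortinet documentation. It models two behaviours described in the procedure above: Source IP Hash member selection for a Server Balance pool, and the Recover / Warm Up / Warm Rate ramp that applies to a pool member after a health check marks it available. The hash function (SHA-256 over the packed source address) and the ADFS host names are assumptions; the page only states that selection is hashed on the source IP and does not name the algorithm.

```python
"""Model of Source IP Hash selection and the Recover / Warm Up / Warm Rate ramp.

Added example; the hash algorithm and host names below are assumptions, not
FortiWeb internals.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


def select_member(source_ip: str, members: Sequence[str]) -> str:
    """Return the pool member that receives a new TCP connection from source_ip.

    Source IP Hash: the same client address always maps to the same member, so
    a client's connections stay on one ADFS server. Clients that share a NAT
    address therefore all land on the same member.
    """
    if not members:
        raise ValueError("server pool has no members")
    # Normalise the address so textual variants of one IP hash identically.
    packed = ipaddress.ip_address(source_ip).packed
    # Assumed hash: FortiWeb's actual function is not documented on the page.
    digest = hashlib.sha256(packed).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


@dataclass(frozen=True)
class WarmUpSchedule:
    """Recover (s), Warm Up (s) and Warm Rate (conn/s) for one pool member.

    Defaults mirror the page: Recover 0 (disabled), Warm Up 0 (disabled),
    Warm Rate 10 connections per second.
    """
    recover: int = 0
    warm_up: int = 0
    warm_rate: int = 10

    def max_new_connections(self, seconds_since_up: int) -> Optional[int]:
        """Cap on new connections in second N after the health check passed.

        Returns 0 while the recovery period runs (no traffic forwarded), the
        ramped cap during warm-up, and None once the member takes a full load.
        """
        if seconds_since_up < 1:
            raise ValueError("seconds_since_up counts from 1")
        if seconds_since_up <= self.recover:
            return 0
        elapsed_warm = seconds_since_up - self.recover
        if self.warm_up and elapsed_warm <= self.warm_up:
            # Warm Rate more connections are permitted each second of warm-up.
            return elapsed_warm * self.warm_rate
        return None

    def ramp(self) -> List[Optional[int]]:
        """Per-second caps across the whole recovery plus warm-up window."""
        window = self.recover + self.warm_up
        return [self.max_new_connections(s) for s in range(1, window + 1)]


if __name__ == "__main__":
    # Constructed pool members and client addresses for demonstration only.
    pool = ["adfs-1.example.internal", "adfs-2.example.internal"]
    for client in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(f"{client:>14} -> {select_member(client, pool)}")

    # The page's worked example: Warm Up 5, Warm Rate 2 gives 2, 4, 6, 8, 10.
    print("Warm Up 5 / Warm Rate 2:", WarmUpSchedule(0, 5, 2).ramp())
    # With Recover 3 the member receives nothing for three seconds first.
    print("Recover 3 / Warm Up 5 / Warm Rate 2:", WarmUpSchedule(3, 5, 2).ramp())
```

Because Source IP Hash keeps every client address pinned to one member, a recovering ADFS server does not get a share of new clients spread evenly across the pool; it receives all new connections from whichever addresses hash to it, which is why the per-member Warm Rate cap, rather than the pool size, is what protects it during the warm-up window.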