Administration Guide

Protected web servers vs. allowed/protected host names

If you have virtual hosts on your web server, multiple websites with different domain names (for example, example.com, example.co.uk, example.ru, example.edu) can coexist on the same physical computer with a single web server daemon. The computer can have a single IP address, with multiple DNS names resolving to its IP address, or the computer can have multiple IP addresses and multiple NICs, with different sets of domain names resolving to separate NICs.

Just as there can be multiple host names per web server, there can also be the inverse: multiple web servers per host name (for example, in distributed computing clusters and server farms).

When configuring FortiWeb, a web server is a single IP address at the network layer, but a protected host group should contain all network IPs, virtual IPs, and domain names that clients use to access the web server at the HTTP layer.

For example, clients often access a web server via a public network such as the Internet. Therefore, the protected host group contains public domain names, IP addresses and virtual IPs on a network edge router or firewall, such as:

  • www.example.com and
  • www.example.co.uk and
  • example.de

But the physical or domain server is only the IP address or domain name that the FortiWeb appliance uses to forward traffic to the server and, therefore, is often a private network address (unless the FortiWeb appliance is operating in Offline Protection or either of the transparent modes):

  • 192.168.1.10 or
  • example.local
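The distinction can be modeled in a few lines of Python. This is an added illustration, not FortiWeb code or its matching logic: the function names `normalize_host` and `route` are hypothetical, and the host names and back-end address are the sample values from this page.

```python
# Added illustration; not FortiWeb's implementation. Function names are hypothetical.
# HTTP layer: names clients put in the Host header (sample values from this page).
PROTECTED_HOSTS = {"www.example.com", "www.example.co.uk", "example.de"}
# Network layer: the single address traffic is forwarded to (sample value from this page).
BACKEND = "192.168.1.10"

def normalize_host(header_value):
    """Return the lowercase host without port or trailing dot, or None if malformed."""
    host = header_value.strip().lower()
    if not host or any(c in host for c in " \t/@,"):
        return None
    if host.startswith("["):                      # bracketed IPv6 literal, optional :port
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host[:end + 1]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():                # "host:" or "host:abc" is malformed
        return None
    if name.endswith("."):                        # fully qualified form "example.de."
        name = name[:-1]
    return name or None

def route(header_value, protected=PROTECTED_HOSTS, backend=BACKEND):
    """Decide on the Host header; forward only to the configured back end."""
    host = normalize_host(header_value)
    if host is None or host not in protected:
        return ("deny", None)
    return ("forward", backend)

if __name__ == "__main__":
    # Constructed sample Host header values.
    for value in ["www.example.com", "WWW.Example.COM:443", "example.de.",
                  "192.168.1.10", "example.local", "www.example.com:abc"]:
        print(f"{value!r:28} -> {route(value)}")
```

Requests that name the back end directly (`192.168.1.10` or `example.local`) are denied in this model because those values belong to the server definition, not to the protected host group.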
