Fortinet black logo

Handbook

Home FortiADC 7.4.1 Handbook
7.4.1
7.4.3
7.4.2
7.4.1
7.4.0
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.6
6.1.5
6.1.4
6.1.3
6.1.2
6.1.1
6.1.0
6.0.1
6.0.0
5.4.3
5.4.2
5.4.1
5.4.0
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.1
5.3.0
5.2.7

Server Load Balance

Server Load Balance

The Server Load Balance menu contain features and configurations that allow you to server load balance.

This section is organized into the following sub-menu topics:

Server load balancing basics

An application delivery controller (ADC) is like an advanced server load balancer. An ADC routes traffic to available destination servers based on health checks and load-balancing algorithms. ADCs improve application availability and performance, which directly improves user experience.

The physical distance between clients and the servers in your backend server farm has a significant impact on server response times. Besides physical distance, the most important factors contributing to server performance are:

  • Number of simultaneous connections and requests that the servers can handle
  • Load distribution among the servers

The purpose of an ADC is to give you multiple methods for optimizing server response times and server capacity.

After you have deployed an ADC, traffic is routed to the ADC virtual server instead of the destination real servers.

Basic network topology shows an example of a basic load balancing deployment. The FortiADC appliance is deployed in front of a server farm, and the network interfaces are connected to three subnets: a subnet for management traffic; a subnet that hosts real servers A, B, and C; and a different subnet that hosts real servers D, E, and F. The FortiADC system performs health checks on the real servers and distributes traffic to them based on system logic and user-defined settings.

Basic network topology

Optionally, you can further improve application security and performance by offloading system processes from the server and having them handled transparently by the ADC. Server tasks that can be handled by the FortiADC appliance include SSL encryption/decryption, WAF protection, Gzip compression, and routing processes, such as NAT.

FortiADC processing shows the order in which the FortiADC features process client-to-server and server-to-client traffic.

FortiADC processing

In the client-to-server direction:

  • If SNI or SSL decryption is applicable, the system acts on those exchanges.
  • Then, security module rules filter traffic, and traffic not dropped continues to the virtual server module.
  • Virtual server security features are applied. Traffic not dropped continues for further processing.
  • If a caching rule applies, the FortiADC cache serves the content and the request is not forwarded to a backend server.
  • If the system selects a destination server based on a persistence rule, content route, or script, the load balancing rules are not applied.
  • After selecting a server, the system performs any rewriting and re-encryption actions that are applicable, and then forwards the packets to the server.

In the server-to-client direction:

  • WAF HTTP response, NAT, rewriting, persistence, and caching rules are applied.
  • If applicable, the FortiADC compresses and encrypts the server response traffic.

Server load balancing configuration overview

The configuration object framework supports the granularity of FortiADC application delivery control rules. You can configure specific options and rules for one particular type of traffic, and different options and rules for another type.

Server load balancing configuration steps shows the configuration objects used in the server load balancing configuration and the order in which you create them.

Basic steps
  1. Configure health check rules and real server SSL profiles.

    2. This step is optional. In many cases, you can use predefined health check rules and predefined real server SSL profiles. If you want to use custom rules, configure them before you configure the pools of real servers.

  2. Configure server pools.

    3. This step is required. Server pools are the backend servers you want to load balance and specify the health checks used to determine server availability.

  3. Configure persistence rules, optional features and policies, profile components, and load balancing methods.

    4. You can skip this step if you want to select from predefined persistence rules, profiles, and methods.

  4. Configure the virtual server.

    5. When you configure a virtual server, you select from predefined and custom configuration objects.

Example workflow

For a members-only HTTPS web server farm, you might have a workflow similar to the following:

  1. Configure security module firewall rules that allow only HTTPS traffic from untrusted subnets to the virtual server.
  2. Import server SSL certificates, configure a local certificate group, and a certificate verification policy.
  3. Configure HTTPS health checks to test the availability of the web servers.
  4. Configure the server pools, referencing the health check configuration object.
  5. Configure authentication:
  • Create a RADIUS or LDAP server configuration.
  • Create user groups.
  • Create an authentication policy.
  • Configure an HTTPS profile, referencing the certificate group and certificate verification policy and setting SSL version and cipher requirements.
  • Configure an application profile and client SSL profile if needed.
  • Configure the virtual server, using a combination of predefined and user-defined configuration objects:
    • Predefined: WAF policy, Persistence, Method
    • User-defined: Authentication Policy, Profile

    Server load balancing configuration steps

    Previous
    Next

    Server Load Balance

    The Server Load Balance menu contain features and configurations that allow you to server load balance.

    This section is organized into the following sub-menu topics:

    Server load balancing basics

    An application delivery controller (ADC) is like an advanced server load balancer. An ADC routes traffic to available destination servers based on health checks and load-balancing algorithms. ADCs improve application availability and performance, which directly improves user experience.

    The physical distance between clients and the servers in your backend server farm has a significant impact on server response times. Besides physical distance, the most important factors contributing to server performance are:

    • Number of simultaneous connections and requests that the servers can handle
    • Load distribution among the servers

    The purpose of an ADC is to give you multiple methods for optimizing server response times and server capacity.

    After you have deployed an ADC, traffic is routed to the ADC virtual server instead of the destination real servers.

    Basic network topology shows an example of a basic load balancing deployment. The FortiADC appliance is deployed in front of a server farm, and the network interfaces are connected to three subnets: a subnet for management traffic; a subnet that hosts real servers A, B, and C; and a different subnet that hosts real servers D, E, and F. The FortiADC system performs health checks on the real servers and distributes traffic to them based on system logic and user-defined settings.

    Basic network topology

    Optionally, you can further improve application security and performance by offloading system processes from the server and having them handled transparently by the ADC. Server tasks that can be handled by the FortiADC appliance include SSL encryption/decryption, WAF protection, Gzip compression, and routing processes, such as NAT.

    FortiADC processing shows the order in which the FortiADC features process client-to-server and server-to-client traffic.

    FortiADC processing

    In the client-to-server direction:

    • If SNI or SSL decryption is applicable, the system acts on those exchanges.
    • Then, security module rules filter traffic, and traffic not dropped continues to the virtual server module.
    • Virtual server security features are applied. Traffic not dropped continues for further processing.
    • If a caching rule applies, the FortiADC cache serves the content and the request is not forwarded to a backend server.
    • If the system selects a destination server based on a persistence rule, content route, or script, the load balancing rules are not applied.
    • After selecting a server, the system performs any rewriting and re-encryption actions that are applicable, and then forwards the packets to the server.

    In the server-to-client direction:

    • WAF HTTP response, NAT, rewriting, persistence, and caching rules are applied.
    • If applicable, the FortiADC compresses and encrypts the server response traffic.

    Server load balancing configuration overview

    The configuration object framework supports the granularity of FortiADC application delivery control rules. You can configure specific options and rules for one particular type of traffic, and different options and rules for another type.

    Server load balancing configuration steps shows the configuration objects used in the server load balancing configuration and the order in which you create them.

    Basic steps
    1. Configure health check rules and real server SSL profiles.

      2. This step is optional. In many cases, you can use predefined health check rules and predefined real server SSL profiles. If you want to use custom rules, configure them before you configure the pools of real servers.

    2. Configure server pools.

      3. This step is required. Server pools are the backend servers you want to load balance and specify the health checks used to determine server availability.

    3. Configure persistence rules, optional features and policies, profile components, and load balancing methods.

      4. You can skip this step if you want to select from predefined persistence rules, profiles, and methods.

    4. Configure the virtual server.

      5. When you configure a virtual server, you select from predefined and custom configuration objects.

    Example workflow

    For a members-only HTTPS web server farm, you might have a workflow similar to the following:

    1. Configure security module firewall rules that allow only HTTPS traffic from untrusted subnets to the virtual server.
    2. Import server SSL certificates, configure a local certificate group, and a certificate verification policy.
    3. Configure HTTPS health checks to test the availability of the web servers.
    4. Configure the server pools, referencing the health check configuration object.
    5. Configure authentication:
    • Create a RADIUS or LDAP server configuration.
    • Create user groups.
    • Create an authentication policy.
  • Configure an HTTPS profile, referencing the certificate group and certificate verification policy and setting SSL version and cipher requirements.
  • Configure an application profile and client SSL profile if needed.
  • Configure the virtual server, using a combination of predefined and user-defined configuration objects:
    • Predefined: WAF policy, Persistence, Method
    • User-defined: Authentication Policy, Profile

    Server load balancing configuration steps

    Previous
    Next