Fortinet black logo

Administration Guide

Configuring virtual servers on your FortiWeb

Configuring virtual servers on your FortiWeb

Before you can create a server policy, you must first configure a virtual server that defines the network interface or bridge and IP address where traffic destined for a server pool arrives. When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a single web server (for Single Server server pools) or distribute sessions/connections among servers in a server pool.

A virtual server on your FortiWeb is not the same as a virtual host on your web server. A virtual server is more similar to a virtual IP on a FortiGate. It is not an actual server, but simply defines the listening network interface. Unlike a FortiGate VIP, it includes a specialized proxy that only picks up HTTP and HTTPS.

By default, in Reverse Proxy mode, FortiWeb’s virtual servers do not forward non-HTTP/HTTPS traffic from virtual servers to your protected web servers. (It only forwards traffic picked up and allowed by the HTTP Reverse Proxy.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. For details, see Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

  • the traffic arrives on the network interface or bridge associated with the virtual server
  • for Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical to the web server’s IP address)

Virtual servers can be on the same subnet as real web servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the web server 10.0.0.2.

However, this is not usually recommended. Unless your network’s routing configuration prevents it, it would allow clients that are aware of the web server’s IP address to bypass the FortiWeb appliance by accessing the back-end web server directly. The topology may be required in some cases, however, such as IP-based forwarding, mentioned above.

To configure a virtual server
  1. Go to Server Objects > Server > Virtual Server.
  2. Each server entry includes an Enable check box, marked by default. Clear this check box if you need to disable the server. For details, see Enabling or disabling traffic forwarding to your servers.

    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  3. Click Create New.
  4. Configure these settings:
  5. Name Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Use Interface IP

    Select to use the IP address of the specified network interface as the address of the virtual server.

    This is useful for Microsoft Azure and AWS deployments where FortiWeb communicates with the Internet using a cloud-based load balancer.

    IPv4 Address

    IPv6 Address

    Enter the IP address and subnet of the virtual server.

    If the FortiWeb appliance is operating in Offline Protection mode or either of the transparent modes, because FortiWeb ignores this IP address when it determines whether or not to apply a server policy to the connection, you can specify any IP address except the address of the web server.

    Note: If a policy uses any virtual servers with IPv6 addresses, FortiWeb does not apply features in the policy that do not yet support IPv6, even if you include them in the policy.

    Interface

    Select the network interface or bridge the virtual server is bound to and where traffic destined for the virtual server arrives.

    To configure an interface or bridge, see To configure a network interface or bridge.

  6. Click OK.
  7. To define the listening port of the virtual server, create a custom service. For details, see Defining your network services.
  8. To use the virtual server, select both it and the custom service in a server policy. For details, see Configuring an HTTP server policy.
See also

Configuring virtual servers on your FortiWeb

Before you can create a server policy, you must first configure a virtual server that defines the network interface or bridge and IP address where traffic destined for a server pool arrives. When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a single web server (for Single Server server pools) or distribute sessions/connections among servers in a server pool.

A virtual server on your FortiWeb is not the same as a virtual host on your web server. A virtual server is more similar to a virtual IP on a FortiGate. It is not an actual server, but simply defines the listening network interface. Unlike a FortiGate VIP, it includes a specialized proxy that only picks up HTTP and HTTPS.

By default, in Reverse Proxy mode, FortiWeb’s virtual servers do not forward non-HTTP/HTTPS traffic from virtual servers to your protected web servers. (It only forwards traffic picked up and allowed by the HTTP Reverse Proxy.) You may be able to provide connectivity by either deploying in a one-arm topology where other protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. For details, see Topology for Reverse Proxy mode and the config router setting command in the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:

  • the traffic arrives on the network interface or bridge associated with the virtual server
  • for Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is ignored in other operation modes, except that it must not be identical to the web server’s IP address)

Virtual servers can be on the same subnet as real web servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the web server 10.0.0.2.

However, this is not usually recommended. Unless your network’s routing configuration prevents it, it would allow clients that are aware of the web server’s IP address to bypass the FortiWeb appliance by accessing the back-end web server directly. The topology may be required in some cases, however, such as IP-based forwarding, mentioned above.

To configure a virtual server
  1. Go to Server Objects > Server > Virtual Server.
  2. Each server entry includes an Enable check box, marked by default. Clear this check box if you need to disable the server. For details, see Enabling or disabling traffic forwarding to your servers.

    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.

  3. Click Create New.
  4. Configure these settings:
  5. Name Enter a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    Use Interface IP

    Select to use the IP address of the specified network interface as the address of the virtual server.

    This is useful for Microsoft Azure and AWS deployments where FortiWeb communicates with the Internet using a cloud-based load balancer.

    IPv4 Address

    IPv6 Address

    Enter the IP address and subnet of the virtual server.

    If the FortiWeb appliance is operating in Offline Protection mode or either of the transparent modes, because FortiWeb ignores this IP address when it determines whether or not to apply a server policy to the connection, you can specify any IP address except the address of the web server.

    Note: If a policy uses any virtual servers with IPv6 addresses, FortiWeb does not apply features in the policy that do not yet support IPv6, even if you include them in the policy.

    Interface

    Select the network interface or bridge the virtual server is bound to and where traffic destined for the virtual server arrives.

    To configure an interface or bridge, see To configure a network interface or bridge.

  6. Click OK.
  7. To define the listening port of the virtual server, create a custom service. For details, see Defining your network services.
  8. To use the virtual server, select both it and the custom service in a server policy. For details, see Configuring an HTTP server policy.
See also