Administration Guide

Creating an AD FS server pool

When FortiWeb receives traffic destined for the virtual server, it forwards the traffic to the server pool containing the AD FS servers.

The AD FS servers require a valid client certificate to secure the connections. You need to upload the client certificate for FortiWeb, then reference this certificate in the server pool settings.

To upload a certificate

  1. Go to System > Certificates > Local.
    To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the Admin Users category.
  2. Click Import.
  3. Select PKCS12 Certificate for the Type option.
  4. Click Browse to locate the PKCS12 certificate file that you want to upload.
  5. Type the password that was used to encrypt the file, so that FortiWeb can decrypt and install the certificate. Skip this step if the certificate file is not encrypted with a password.
  6. Click OK.

To configure a server pool

  1. Go to System > Config > Feature Visibility, then enable ADFS Policy. Skip this step if it is already enabled.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category.
  2. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the Server Policy Configuration category.
  3. Click Create New > Create ADFS Server Pool.
  4. Type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
  5. Type comments if any.
  6. Click OK to create the server pool. The AD FS server pool type is Reverse Proxy by default, and it supports only a single server in the pool.
  7. Click Create New to create a server pool rule.
  8. Configure these settings:
    ID

    The index number of the member entry within the server pool.

    FortiWeb automatically assigns the next available index number.

    Status
    • Enable—Specifies that this pool member can receive new sessions from FortiWeb.
    • Disable—Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
    • Maintenance—Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
    Server Type

    Select either IP or Domain to indicate how you want to define the pool member.

    If you select Domain, ensure you have configured a DNS server so that FortiWeb can query and resolve the domain name to an IP address.

    ADFS Domain

    Required even if you have selected IP for Server Type: the AD FS server validates the domain name when FortiWeb sets up HTTPS connections with it.

    IP

    If you have selected IP for Server Type, type the AD FS server's IP address.

    Domain

    If you have selected Domain for Server Type, type the AD FS server's domain name. FortiWeb queries the DNS server to resolve the domain name to an IP address.

    Port

    Type the TCP port number where the pool member listens for connections from FortiWeb.

    The default port number used is 443.

    The port number may vary. Check the port used by your AD FS servers and enter that number here.
    Connection Limit

    Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.

    The default is 0 (disabled).

    The valid range is from 0 to 1,048,576.

    Username for Registration

    Type the username that FortiWeb uses to connect to the AD FS server. Include the domain to which FortiWeb and the AD FS server belong, for example, domain1\administrator.

    Password for Registration

    Type the password that FortiWeb uses to connect to the AD FS server.

    Client Certificate

    Select the client certificate that you have uploaded in the previous steps. It is used to secure the connections between FortiWeb and the AD FS server.

  9. Configure SSL settings if necessary.
    Supported SSL Protocols

    Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to this pool member.

    For details, see "Supported cipher suites & protocol versions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.

    For details, see "Supported cipher suites & protocol versions" in FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Session Ticket Reuse

    Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.

    Session ID Reuse

    Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.


  10. Configure advanced settings if necessary.
    Recover

    Specifies the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.

    The default is 0 (disabled). The valid range is 0 to 86,400 seconds.

    After the recovery period elapses, FortiWeb assigns connections at the rate specified by Warm Rate.

    Examples of when the server experiences a recovery and warm-up period:

    • A server is coming back online after the health check monitor detected it was down.
    • A network service is brought up before other daemons have finished initializing and therefore the server is using more CPU and memory resources than when startup is complete.

    To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

    Tip: During scheduled maintenance, you can also manually apply these limits by setting Status to Maintenance.

    Warm Up

    Specifies for how long FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load.

    For example, when the pool member begins to respond but startup is not fully complete.

    The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

    Warm Rate

    Specifies the maximum connection rate while the pool member is starting up.

    The default is 10 connections per second. The valid range is 0 to 86,400 connections per second.

    The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more heavily utilized than during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.

    For example, if Warm Up is 5 and Warm Rate is 2, the maximum number of new connections increases at the following rate:

    • 1st second—Total of 2 new connections allowed (0+2).
    • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
    • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
    • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
    • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
  11. Click OK.
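The following Python model reproduces the Recover, Warm Up and Warm Rate behavior described in step 10, so that you can check the effect of a setting before applying it to a pool member. It is an added example written for this page, not FortiWeb code; the class name PoolMemberRamp, its field names and the 1-second time steps are assumptions. It goes beyond the guide's table by combining a Recover period with the warm-up ramp, and by rejecting values outside the documented ranges.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PoolMemberRamp:
    """Recover / Warm Up / Warm Rate settings of one server pool member.

    Hypothetical model of the behavior described in the guide; not FortiWeb's
    own code. Ranges follow the values stated in the guide.
    """
    recover: int = 0      # seconds to wait before forwarding any traffic; 0 = disabled
    warm_up: int = 0      # seconds of reduced-rate forwarding; 0 = disabled
    warm_rate: int = 10   # connections per second added each second of warm-up

    def __post_init__(self) -> None:
        # Reject values outside the documented ranges before they reach a pool member.
        if not 0 <= self.recover <= 86_400:
            raise ValueError("Recover must be 0 (disabled) or 1-86,400 seconds")
        if not 0 <= self.warm_up <= 86_400:
            raise ValueError("Warm Up must be 0 (disabled) or 1-86,400 seconds")
        if not 0 <= self.warm_rate <= 86_400:
            raise ValueError("Warm Rate must be 0-86,400 connections per second")

    def max_new_connections(self, second: int) -> Optional[int]:
        """Cap on new connections during `second` (1-based, counted from the
        moment the health check reports the member available).
        None means no rate cap applies."""
        if second < 1:
            raise ValueError("second is 1-based")
        # Recovery period: no traffic is forwarded to the member yet.
        if second <= self.recover:
            return 0
        # Warm-up period: the cap grows by Warm Rate every second.
        ramp_second = second - self.recover
        if ramp_second <= self.warm_up:
            return ramp_second * self.warm_rate
        # Warm-up complete: full connection load allowed.
        return None

    def schedule(self, seconds: int) -> List[Optional[int]]:
        """Per-second caps for the first `seconds` seconds after the member comes up."""
        return [self.max_new_connections(s) for s in range(1, seconds + 1)]


if __name__ == "__main__":
    # The guide's example: Warm Up 5, Warm Rate 2 -> 2, 4, 6, 8, 10, then no cap.
    ramp = PoolMemberRamp(warm_up=5, warm_rate=2)
    for s, cap in enumerate(ramp.schedule(6), start=1):
        print(f"second {s}: {'no cap' if cap is None else cap} new connections")
```

With Recover set as well, the schedule starts with that many seconds of zero before the ramp begins, which is the behavior the guide describes under "Recover" (FortiWeb waits for the recovery period, then assigns connections at the Warm Rate).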