Administration Guide

Creating an ADFS server pool

When FortiWeb receives traffic destined for the virtual server, it forwards the traffic to the server pool containing the ADFS servers.

The ADFS servers require a valid client certificate to secure the connections. You need to upload the client certificate for FortiWeb, then reference this certificate in the server pool settings.

To upload a certificate

  1. Go to Server Objects > Certificates > Local.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category.
  2. Click Import.
  3. Select PKCS12 Certificate for the Type option.
  4. Click Browse to locate the PKCS12 certificate file that you want to upload.
  5. Type the password that was used to encrypt the file, so that FortiWeb can decrypt and install the certificate. Skip this step if the certificate file is not encrypted with a password.
  6. Click OK.

To configure a server pool

  1. Go to System > Config > Feature Visibility, then enable ADFS Policy. Skip this step if it is already enabled.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the System Configuration category.
  2. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category.
  3. Click Create New > Create ADFS Server Pool.
  4. Type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
  5. Type a name for the ADFS Server. It should be the federation service name. This option is mandatory if the ADFS Server needs to verify the server name in the SSL handshake.
  6. Select Single Server or Server Balance. In Server Balance mode, you can add multiple servers to the server pool. The load balancing rule for the ADFS server is Source IP Hash: it distributes new TCP connections using a hash algorithm based on the source IP address of the request.
  7. If you have selected Server Balance, specify a Server Health Check rule to test server availability. By default, this health check is used for all pool members, but you can use the pool member configuration to assign a different health check to a member. For details, see Configuring server up/down checks.
  8. Type comments if any.
  9. Click OK to create the server pool. The ADFS server pool type is Reverse Proxy by default, and it only supports a single server in the server pool.
  10. Click Create New to create a server pool rule.
  11. Configure these settings:
    ID

    The index number of the member entry within the server pool.

    FortiWeb automatically assigns the next available index number.

    Status
    • Enable—Specifies that this pool member can receive new sessions from FortiWeb.
    • Disable—Specifies that this pool member does not receive new sessions from FortiWeb and FortiWeb closes any current sessions as soon as possible.
    • Maintenance—Specifies that this pool member does not receive new sessions from FortiWeb but FortiWeb maintains any current connections.
    Server Type

    Select either IP or Domain to indicate how you want to define the pool member.

    If you select Domain, ensure you have configured a DNS server so that FortiWeb can query and resolve the domain name to an IP address.

    IP

    If you have selected IP for Server Type, type the ADFS server's IP address.

    Domain

    If you have selected Domain for Server Type, type the ADFS server's domain name. FortiWeb will query the DNS server and resolve the domain name to an IP address.

    Port

    Type the TCP port number where the pool member listens for connections from FortiWeb.

    The default port number used is 443.

    The port number may vary. Check the ones used by your ADFS servers and enter the number here.
    Connection Limit

    Specifies the maximum number of TCP connections that FortiWeb forwards to this pool member.

    The default is 0 (disabled).

    The valid range is from 0 to 1,048,576.

    Inherit Health Check

    Disable to use the health check specified by Server Health Check in this server pool rule instead of the one specified in the server pool configuration.

    Available only if Server Balance is selected.

    Health Check Domain Name

    Enter an HTTP host header name to test the availability of a specific host.

    This is useful if the pool member hosts multiple websites (virtual hosting environment).
    Available only if Server Balance is selected.

    Backup Server

    When this option is selected and all the members of the server pool fail their server health check, FortiWeb routes any connections for the pool to this server.

    The backup server mechanism does not work if you do not specify server health checks for the pool members.

    If you select this option for more than one pool member, FortiWeb uses the load balancing algorithm to determine which member to use.

    Available only if Server Balance is selected.

    Username for Registration

    Type the username that will be used by FortiWeb to connect with the ADFS server. The credentials can be either of the following:

    • The internal/corporate domain credentials for an account that is a member of the local Administrators group on the internal ADFS servers (does not have to be the ADFS service account)
    • The internal/corporate domain ADFS service account credentials, as used during the ADFS configuration.

    You should include the domain to which FortiWeb and the ADFS server belong. For example, domain1\administrator.

    Password for Registration

    Type the password for the username entered above.

    Client Certificate

    Select the client certificate that you have uploaded in the previous steps. It is used to secure the connections between FortiWeb and the ADFS server.

  12. Configure SSL settings if necessary.
    Supported SSL Protocols

    Specify which versions of the SSL or TLS cryptographic protocols clients can use to connect securely to this pool member.

    For details, see "Supported cipher suites & protocol versions" in the FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    SSL/TLS Encryption Level

    Specify whether the set of cipher suites that FortiWeb allows creates a medium-security, high-security, or custom configuration.

    For details, see "Supported cipher suites & protocol versions" in the FortiWeb Administration Guide (https://docs.fortinet.com/fortiweb/admin-guides).

    Session Ticket Reuse

    Enable so that FortiWeb reuses the session ticket when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ticket for the specified pserver.

    Session ID Reuse

    Enable so that FortiWeb reuses the session ID when establishing an SSL connection to a pserver. If the SSL connection has a server name, FortiWeb can only reuse a session ID for the specified pserver. If both a session ticket and ID exist for a pserver, FortiWeb will reuse the ticket.
  13. Configure advanced settings if necessary.
    Recover

    Specifies the number of seconds that FortiWeb waits before it forwards traffic to this pool member after a health check indicates that this server is available again.

    The default is 0 (disabled). The valid range is 0 to 86,400 seconds.

    After the recovery period elapses, FortiWeb assigns connections at the rate specified by Warm Rate.

    Examples of when the server experiences a recovery and warm-up period:

    • A server is coming back online after the health check monitor detected it was down.
    • A network service is brought up before other daemons have finished initializing and therefore the server is using more CPU and memory resources than when startup is complete.

    To avoid connection problems, specify the separate warm-up rate, recovery rate, or both.

    Tip: During scheduled maintenance, you can also manually apply these limits by setting Status to Maintenance.

    Warm Up

    Specifies for how long FortiWeb forwards traffic at a reduced rate after a health check indicates that this pool member is available again but it cannot yet handle a full connection load.

    For example, when the pool member begins to respond but startup is not fully complete.

    The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

    Warm Rate

    Specifies the maximum connection rate while the pool member is starting up.

    The default is 10 connections per second. The valid range is 0 to 86,400 connections per second.

    The warm-up calibration is useful with servers that bring up the network service before other daemons are initialized. As these types of servers come online, CPU and memory are more heavily utilized than they are during normal operation. For these servers, you define separate rates based on warm-up and recovery behavior.

    For example, if Warm Up is 5 and Warm Rate is 2, the maximum number of new connections increases at the following rate:

    • 1st second—Total of 2 new connections allowed (0+2).
    • 2nd second—2 new connections added for a total of 4 new connections allowed (2+2).
    • 3rd second—2 new connections added for a total of 6 new connections allowed (4+2).
    • 4th second—2 new connections added for a total of 8 new connections allowed (6+2).
    • 5th second—2 new connections added for a total of 10 new connections allowed (8+2).
  14. Click OK.
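The member-selection and warm-up rules described in steps 6 to 13 above (Status, health check, Backup Server, Source IP Hash, Recover, Warm Up and Warm Rate), modelled as a small Python simulation. This is an added example, not FortiWeb code; the CRC32-based hash and the PoolMember data model are assumptions, since the page does not specify which hash function FortiWeb uses.

```python
"""Simulation of ADFS server pool member selection and warm-up limits.
Added example based on the settings described on this page; not FortiWeb code.
Assumption: Source IP Hash is modelled as CRC32(source IP) mod member count."""
import zlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PoolMember:
    ip: str
    status: str = "enable"   # enable | disable | maintenance
    healthy: bool = True     # outcome of the Server Health Check
    backup: bool = False     # Backup Server option
    recover: int = 0         # seconds to wait after the health check recovers
    warm_up: int = 0         # seconds of reduced-rate forwarding (0 = disabled)
    warm_rate: int = 10      # max new connections per second while warming up


def source_ip_hash(src_ip: str, member_count: int) -> int:
    """Same client IP always maps to the same index (assumed CRC32 hash)."""
    return zlib.crc32(src_ip.encode()) % member_count


def select_member(pool: List[PoolMember], src_ip: str) -> Optional[PoolMember]:
    """Return the member that receives a new session from src_ip, or None."""
    # Only members with Status=Enable receive new sessions; Disable and
    # Maintenance members are skipped (Maintenance keeps existing ones).
    primary = [m for m in pool if m.status == "enable" and m.healthy and not m.backup]
    if not primary:
        # All primary members failed their health check: route to backup
        # servers, using the same load balancing algorithm among them.
        primary = [m for m in pool if m.status == "enable" and m.healthy and m.backup]
    if not primary:
        return None
    return primary[source_ip_hash(src_ip, len(primary))]


def allowed_new_connections(member: PoolMember, seconds_since_up: int) -> Optional[int]:
    """Max new connections per second allowed at a given second after the
    health check reports the member up. During Recover nothing is forwarded;
    then Warm Rate is added each second for Warm Up seconds; afterwards the
    warm-up cap no longer applies (None). Page example: Warm Up 5, Warm Rate 2
    gives 2, 4, 6, 8, 10."""
    if seconds_since_up <= member.recover:
        return 0
    t = seconds_since_up - member.recover
    if member.warm_up == 0 or t > member.warm_up:
        return None
    return t * member.warm_rate


if __name__ == "__main__":
    # Constructed sample pool: two primaries, one in maintenance, one backup.
    pool = [PoolMember("10.1.0.11"), PoolMember("10.1.0.12"),
            PoolMember("10.1.0.13", status="maintenance"),
            PoolMember("10.1.0.14", backup=True)]
    print(select_member(pool, "192.0.2.10").ip)
    print([allowed_new_connections(PoolMember("10.1.0.11", warm_up=5, warm_rate=2), s)
           for s in range(1, 7)])
```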