SSL offloading for WAN optimization and web caching WAN optimization and web caching
FortiGate Version 4.0 Administration Guide
628 01-400-89802-20090424
http://docs.fortinet.com/ • Feedback
• Accelerate the response time of the web server and page download times to end users,
delivering a faster and better experience to site visitors.
When planning a reverse proxy implementation, the web server's content should be written
so that it is “cache aware” to take full advantage of the reverse proxy cache.
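The storability decision a shared cache such as a reverse proxy makes from the origin's headers, as an added example (not from the guide and not FortiGate code): it applies the RFC 7234 rules for shared caches to constructed request/response header sets, showing why "cache aware" content must mark private or per-user responses with `Cache-Control: private` or `no-store` so they are never served from the proxy cache to another visitor. The sample header sets and the helper names are constructed for this illustration.

```python
"""Shared-cache (reverse proxy) storability and freshness decision.

Added example, not part of the FortiGate guide: models the header logic
(RFC 7234, simplified) by which a shared cache decides whether it may store
an origin response and for how long it is fresh.
"""
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Status codes a cache may store without explicit freshness information.
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse 'Cache-Control: public, max-age=600' into {'public': None, 'max-age': '600'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _int_directive(directives: Dict[str, Optional[str]], name: str) -> Optional[int]:
    raw = directives.get(name)
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None  # malformed delta-seconds: treat as absent


def explicit_freshness(resp: Dict[str, str], cc: Dict[str, Optional[str]]) -> Optional[int]:
    """Freshness lifetime in seconds: s-maxage beats max-age beats (Expires - Date)."""
    lifetime = _int_directive(cc, "s-maxage")
    if lifetime is None:
        lifetime = _int_directive(cc, "max-age")
    if lifetime is None and "expires" in resp and "date" in resp:
        try:
            delta = parsedate_to_datetime(resp["expires"]) - parsedate_to_datetime(resp["date"])
            lifetime = max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            lifetime = 0  # unparsable Expires counts as already stale
    return lifetime


def shared_cache_decision(request_headers: Dict[str, str],
                          response_headers: Dict[str, str],
                          status: int = 200) -> Tuple[bool, int, str]:
    """Return (storable, freshness_seconds, reason) for a shared cache."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    lifetime = explicit_freshness(resp, cc)

    if "no-store" in cc:
        return False, 0, "no-store"
    if "private" in cc:
        return False, 0, "private response"
    # A request carrying credentials is stored only if the origin opted in.
    if "authorization" in req and not ({"public", "must-revalidate", "s-maxage"} & cc.keys()):
        return False, 0, "authenticated request without public/s-maxage"
    # Set-Cookie usually marks a per-user response; require an explicit opt-in.
    if "set-cookie" in resp and not ({"public", "s-maxage"} & cc.keys()):
        return False, 0, "Set-Cookie without explicit shared-cache permission"
    if lifetime is None and status not in HEURISTIC_STATUSES:
        return False, 0, "status not cacheable without explicit freshness"
    if "no-cache" in cc:
        return True, 0, "stored but must revalidate (no-cache)"
    return True, lifetime if lifetime is not None else 0, "storable"


# Constructed sample header sets for a web server behind a caching reverse proxy.
SAMPLES = {
    "static_image": ({}, {"Cache-Control": "public, max-age=86400"}),
    "account_page": ({"Authorization": "Bearer constructed"}, {"Cache-Control": "max-age=600"}),
    "login_response": ({}, {"Cache-Control": "no-store", "Set-Cookie": "sid=constructed"}),
    "api_shared": ({}, {"Cache-Control": "s-maxage=30, max-age=0"}),
    "legacy_expires": ({}, {"Date": "Fri, 24 Apr 2009 10:00:00 GMT",
                            "Expires": "Fri, 24 Apr 2009 10:05:00 GMT"}),
}


def evaluate_samples() -> Dict[str, Tuple[bool, int, str]]:
    """Run the decision over every constructed sample."""
    return {name: shared_cache_decision(req, resp) for name, (req, resp) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (storable, fresh, reason) in evaluate_samples().items():
        print(f"{name:16} storable={storable!s:5} fresh={fresh:6}s  {reason}")
```

The `account_page` and `login_response` samples are the ones that matter for a reverse proxy in front of a site with logged-in users: a response to an authenticated request without `public` or `s-maxage`, or one that sets a session cookie, is rejected rather than stored, which is the behaviour the web server's headers should make unambiguous.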
In Reverse Proxy mode, the FortiGate unit functions more like a web server with respect
to the clients it services. Unlike internal clients, external clients are not reconfigured to
access the proxy server. Instead, the site URL routes the client to the FortiGate unit as if it
were a web server. Replicated content is delivered from the proxy cache to the external
client without exposing the web server or the private network residing safely behind the
firewall.
In this example, the site URL translates to IP address 192.168.10.1, which is the port2 IP
address of the FortiGate unit. The port2 interface is connected to the Internet. You could
also use a different IP address and route traffic for this IP address to the FortiGate unit
port2 interface.
This example also includes two web cache only rules: one that accepts the HTTP traffic
for web caching and one that accepts the HTTPS traffic for SSL offloading and web
caching. You could also add a single rule for both the HTTP and HTTPS traffic.
This example assumes all HTTP traffic uses port 80 and all HTTPS traffic uses port 443.
The FortiGate unit includes the web server CA and an SSL server configuration for IP
address 172.10.20.30 and port 443.
Figure 422: SSL offloading for web caching
To configure the FortiGate unit as a reverse proxy web cache server
1 Go to Firewall > Virtual IP and select Create New to add a virtual IP that translates the
destination IP address from 192.168.10.1 to 172.10.20.30.
Name                        Reverse_proxy_VIP
External Interface          port2
Type                        Static NAT
External IP Address/Range   192.168.10.1
Mapped IP Address/Range     172.10.20.30
[Figure 422 diagram: Internet - FortiGate port2 (IP address 192.168.10.1) - FortiGate port1
(IP address 172.10.20.2) - HTTP web server (port 80, IP address 172.10.20.30). Encrypted
traffic from the Internet is accepted by the web cache only rule that includes SSL offloading;
decrypted traffic is forwarded to the web server.]