SSL Offloading And Reverse Proxy Web Caching For An Internet Web Server - Fortinet Gate 60D Administration Manual

Version 4.0

WAN optimization and web caching

SSL offloading and reverse proxy web caching for an internet web server

FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
http://docs.fortinet.com/
Peer Host ID    User_net
IP Address      172.20.120.1

3 Select OK to save the peer.

4 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New to add
an authentication group named SSL_auth_grp to the server-side FortiGate unit.
The authentication group includes a pre-shared key and the peer added to the
server-side FortiGate unit in step 2.

Name                     SSL_auth_grp
Authentication Method    Pre-shared key
Password                 <pre-shared_key>
Peer Acceptance          Specify Peer: User_net

5 Go to System > Certificates > Local Certificates and select Import to import the web
server's CA. Set the name of the local certificate to Web_Server_Cert_1.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

6 Enter the following command to add the SSL server to the server-side FortiGate unit.

config wanopt ssl-server
  edit example_server
    set ip 192.168.10.20
    set port 443
    set ssl-cert Web_Server_Cert_1
end

Configure other ssl-server settings as required for your configuration.

This example shows how to configure SSL offloading for a reverse proxy web cache only
WAN optimization configuration. In this configuration, clients on the Internet use HTTPS to
browse to a web server. The FortiGate unit intercepts the HTTPS traffic, and a web cache
only WAN optimization rule with SSL offloading enabled decrypts the traffic before
sending it to the web server. The FortiGate unit also caches pages from the web server.
Replies from the web server are encrypted by the FortiGate unit before returning to the
web browsing clients.

The web cache only rule enables transparent mode because the FortiGate unit is
performing NAT between the Internet and the HTTP server, and the web server network is
not configured to route Internet traffic between the FortiGate unit and the web server.

In this configuration the FortiGate unit is operating in reverse proxy mode. Reverse proxy
caches can be placed directly in front of a particular server. Web caching on the FortiGate
unit reduces the number of requests that the web server must handle, leaving it
free to process new requests that it has not serviced before.

Some benefits of a reverse proxy configuration:

• Avoid the capital expense of purchasing additional web servers by instead increasing
  the capacity of existing servers.
• Serve more requests for static content from web servers.
• Serve more requests for dynamic content from web servers.
• Reduce operating expenses, including the cost of bandwidth required to serve
  content.
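Step 5 of the server-side procedure above accepts only 1024-bit or 2048-bit certificate keys. The following check is an added example, not part of the Fortinet guide: it reads the RSA modulus size from a PEM certificate with a small DER walker so a file can be screened before import. The function names and the constructed sample certificate are assumptions made for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Elements directly inside a constructed value, as (tag, start, end) triples."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_key_bits(pem_text):
    """Modulus size in bits of the RSA key in a PEM X.509 certificate."""
    der = base64.b64decode("".join(ln for ln in pem_text.splitlines() if not ln.startswith("-----")))
    tbs = children(der, *children(der, *read_tlv(der, 0)[1:])[0][1:])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version field
    alg, key = children(der, *tbs[5][1:])        # SubjectPublicKeyInfo follows the subject
    oid = children(der, *alg[1:])[0]
    if der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("not an RSA certificate")
    # BIT STRING value = unused-bits octet, then RSAPublicKey ::= SEQUENCE { n, e }
    n = children(der, *read_tlv(der, key[1] + 1)[1:])[0]
    return int.from_bytes(der[n[1]:n[2]], "big").bit_length()

def importable(pem_text):
    return rsa_key_bits(pem_text) in (1024, 2048)   # sizes step 5 lists as supported

def tlv(tag, body=b""):   # minimal DER encoder, used only to build the constructed sample
    k = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_cert_pem(bits):
    """CONSTRUCTED input: certificate-shaped DER with a made-up modulus, not a usable key."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30) * 3 + spki)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Pass the PEM text of the certificate file to `importable()` before importing it in step 5. Of the two sizes it accepts, 2048 bits is the stronger.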
