HTTPS Header Injection; Providing FTP Services on a Virtual Cluster - Coyote Point Systems Equalizer GX Series Administration Manual

Application Delivery Controller EQ/OS 10

Working with Clusters and Match Rules

HTTPS Header Injection

When a client establishes a connection to an HTTPS cluster, Equalizer performs the SSL processing on the request (this is called SSL offloading) and adds some additional headers to the client's request before forwarding the request on to a server:

    X-LoadBalancer: Equalizer
    X-Forwarded-For: (client's IP address)

If the client provides an SSL certificate, the following are also added:

    X-SSL-Subject: (certificate's X509 subject)
    X-SSL-Issuer: (certificate's X509 issuer)
    X-SSL-notBefore: (certificate not valid before info)
    X-SSL-notAfter: (certificate not valid after info)
    X-SSL-serial: (certificate's serial number)
    X-SSL-cipher: (cipher spec)

If these headers are present in a request received by a server, then the server knows that the request was originally an HTTPS request and was processed by Equalizer before being forwarded to the server.

These headers are inserted into every request if the once only flag is disabled; if once only is enabled, then only the first request in a connection will have these headers inserted.

Some applications may require a special header in the request, and the following section describes how Equalizer can be configured to provide a custom HTTPS header for such applications.
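
How a server behind Equalizer might consume the injected headers, as an added example that is not from the Coyote Point manual: it honors the headers only on connections from Equalizer's address and, when once only is enabled, keeps the first request's values for the rest of the connection. The address 10.0.0.10, the `Connection` class, `offload_info` and all sample values are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed): Equalizer's server-side address, and whether the
# cluster's "once only" flag is enabled.
EQUALIZER_ADDRS = [ipaddress.ip_network("10.0.0.10/32")]
ONCE_ONLY = True

INJECTED = {"x-loadbalancer", "x-forwarded-for", "x-ssl-subject", "x-ssl-issuer",
            "x-ssl-notbefore", "x-ssl-notafter", "x-ssl-serial", "x-ssl-cipher"}
CERT_FIELDS = ("subject", "issuer", "notbefore", "notafter", "serial")


class Connection:
    """State a backend server keeps for one TCP connection (hypothetical helper)."""

    def __init__(self, peer_ip, once_only=ONCE_ONLY):
        self.peer = ipaddress.ip_address(peer_ip)
        self.from_equalizer = any(self.peer in net for net in EQUALIZER_ADDRS)
        self.once_only = once_only
        self.requests = 0
        self.saved = {}  # injected headers taken from the first request

    def offload_info(self, headers):
        """Return the SSL offload metadata that applies to this request."""
        self.requests += 1
        if not self.from_equalizer:
            # Peer is not Equalizer, so these header names carry no authority.
            return {"via_equalizer": False, "client_ip": str(self.peer),
                    "client_cert": None, "cipher": None}
        found = {k.lower(): v.strip() for k, v in headers.items()
                 if k.lower() in INJECTED}
        if self.once_only:
            if self.requests == 1:
                self.saved = found
            found = self.saved  # later requests reuse the first request's values
        cert = None
        if "x-ssl-subject" in found:
            cert = {f: found.get("x-ssl-" + f) for f in CERT_FIELDS}
        return {"via_equalizer": found.get("x-loadbalancer") == "Equalizer",
                "client_ip": found.get("x-forwarded-for", str(self.peer)),
                "client_cert": cert, "cipher": found.get("x-ssl-cipher")}
```

Set `once_only` to match the cluster's flag: with it disabled, every request is expected to carry the headers and nothing is carried over from earlier requests.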

Providing FTP Services on a Virtual Cluster

The FTP protocol dates from the 1970s, and was designed to be used in an environment where:

- the network topology is simple
- the FTP server and client communicate directly with one another
- the addresses used by the client and server for active FTP data connections can be negotiated over the FTP control connection
- the FTP server is able to make connections back to the FTP client

These operational characteristics of FTP require special configuration for load balancers (as well as firewalls and NAT devices) that pass traffic between FTP servers and FTP clients:

- NAT devices and routers (including load balancers like Equalizer) on the client and server sides must be configured to monitor FTP transactions and provide appropriate address translation and packet rewriting.
- Firewalls on the client and server sides must be configured to let traffic on the ports used for FTP through the firewall.
Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.

This manual is also suitable for:

Equalizer lx series