Virtual Server & Server Load Balancing

Virtual Server & Server Load Balancing

Virtual Server is a method for single gateway machine to act as multiple servers while the real servers sit inside corporate network to process requests passed in from the gateway machine. Inbound traffic does not have to know where the real servers are, or whether there are just one or many servers. This method prevents direct access by users and therefore increases security and flexibility.

FortiWAN has built in virtual server and is capable of supporting various virtual server mapping methods. For example, different public IP addresses can be mapped to various real servers in LAN or DMZ. Or ports can be mapped to public IP address on different servers.

Virtual server are configured by designating and adjusting virtual server rules. Each rule specifies a mapping condition. It maps WAN IP address and a service (port or ports) to an internal server IP. The order of virtual server rules is like any other rule tables in FortiWAN as it also uses the “first match scheme”, viz. the first rule of request matched is the rule to take effect.

For example, a public IP address 211.21.48.196 and wants a web server on 192.168.123.16 to handle all the web page requests coming to this public IP address. To do this, a virtual server rule must be created with 211.21.48.196 to be its WAN IP, 192.168.123.16 to be its Server IP, and HTTP(80) to be its Service.

Virtual Server makes intranet (LAN) servers accessible for the internet (WAN). The private IP addresses assigned to intranet servers will become invisible to the external environment, making services accessible for users outside the network. Then FortiWAN is available to redirect these external requests to the servers in LAN or DMZ. Whenever an external request arrives, FortiWAN will consult the Virtual Server table and redirect the packet to the corresponding server in LAN or DMZ. The rules of Virtual Server tables are prioritized top down. If one rule is similar to another in the table, only the higher ranked one will be applied, and the rest will be ignored. In addition, Virtual Server enables to balance load on multiple servers, which is to distribute traffic over a group of servers (server cluster), making services highly accessible.

 

Virtual Server & Server Load Balancing

FortiWAN provides mechanisms to record, notify and analysis on events refer to the Virtual Server service, see “Log”, “Statistics: Virtual Server Status” and “Report: Virtual Server”.

IPv4 Virtual Server

E   Check the box to enable the rule
When   Options: Busy hour, Idle hour, and All-Time (See “Busyhour Settings”).
WAN IP   For external internet users, the virtual server is presented as a public IP (IPv4) on WAN port. This WAN IP is the “visible” IP for the virtual server in external environment. Select a public IP, and in “Routing Mode”, either enter the IP manually or select the IP obtained from WAN link; In “Bridge Mode One Static IP”, insert WAN IP and the public IP assigned by ISP; Or choose “dynamic IP at WAN#”, if WAN type is none of the above.
Service   The type of TCP/UDP service to be matched. Select matching criteria from publicly known service types, or choose port number from TCP/UDP packets. To specify a range of port numbers, type starting port number plus hyphen “-“ and ending port number, e.g. “TCP@123-

234” (See “Using the web UI”).

Algorithm   Algorithms for server load balancing (See Load Balancing Algorithms)
  l Round-Robin
  l By Connection
  l By Response Time
  l Hash
Keep Session   Check the box to keep session after a connection has been established. If the session is to be stored, then enter a time period. Default value is 30s
Server Pool l Server IP: The real IP (IPv4) of the server, most likely in LAN or DMZ.
  l Detect: Choose the protocol for detecting server status: ICMP, TCP@, and No-Detect. Note:

port number must be specified for “TCP@”.

  l Service: The type of TCP/UDP service to be matched. Select matching criteria from publicly known service types (e.g. FTP), or choose port number from TCP/UDP packet. To specify a range of port numbers, enter starting port number plus hyphen “-“ and ending port number, e.g.

“TCP@123-234” (See “Using the web UI”).

  l Weight: Weight determines which server responds to the incoming requests. The higher the weight, the greater the chance is for the corresponding server to be used.
L   Check to enable logging: Whenever the rule is matched, system will record the event to log file.

IPv6 Virtual Server

E Check the box to enable the rule.
When Options: Busy hour, Idle hour, and All-Time (See “Busyhour Settings”).
WAN IP For external internet users, the virtual server is presented as a public IP (IPv6) on WAN port. This WAN IP is the “visible” IP for the virtual server in external environment. Select a public IP, and in “Routing Mode”, either enter the IP manually or select the IP obtained from WAN link; In “Bridge Mode One Static IP”, insert WAN IP and the public IP assigned by ISP; Or choose “dynamic IP at WAN#”, if WAN type is none of the above.
Service The type of TCP/UDP service to be matched. Select matching criteria from publicly known service types, or choose port number from TCP/UDP packets. To specify a range of port numbers, type starting port number plus hyphen “-“ and ending port number, e.g. “TCP@123-

234” (See “Using the web UI”).

Server IP The real IP (IPv6) of the server, most likely in LAN or DMZ.
L Check to enable logging: Whenever the rule is matched, system will record the event to log file.

Example 1

The settings for virtual servers look like:

  • Assign IP address 211.21.48.194 to WAN1. Refer to [System] -> [Network Settings] -> [WAN Settings] for more regarding WAN IP configurations. l Assign IP address 211.21.33.186 to WAN2.

Virtual Server & Server Load Balancing

  • Forward all HTTP requests (port 80) through WAN1 or WAN2 to the two HTTP servers 192.168.0.100 and 192.168.0.101 in LAN.
  • Forward all FTP requests (port 21) through WAN1 or WAN2 to two FTP servers 192.168.0.200 and 192.168.0.201 in LAN.
  • Assign 211.21.48.195 and 211.21.33.189 to WAN 1 and WAN2. Forward all requests to 211.21.48.195 or 211.21.33.189 to two SMTP servers 192.168.0.200 and 192.168.0.201 in LAN. l Forward all requests from 211.21.48.197 to 192.168.0.15 in LAN.

Note:

  1. FortiWAN can auto-detect both active and passive FTP servers.
  2. All public IPs must be assigned to WAN 1. To configure these IPs, go to “IP(s) on Localhost of the Basic Subnet” table in [System] -> [Network Settings] -> [WAN Settings] -> [WAN Link 1].
  3. 21.48.197 does not belong to any physical host, and it must be assigned to WAN port.

Virtual server table for the above settings:

WAN IP Service Server Pool

Server IP

Detect Service Weight
211.21.48.194

211.21.33.186

211.21.48.194

211.21.33.186

211.21.48.195

211.21.33.189

HTTP (80)

HTTP (80)

FTP (21)

FTP (21)

SMTP (25)

SMTP (25)

192.168.0.100 ICMP HTTP (80) 1
192.168.0.101 TCP@80 HTTP (80) 1
192.168.0.100 ICMP HTTP (80) 1
192.168.0.101 TCP@80 HTTP (80) 1
192.168.0.200 ICMP FTP (21) 1
192.168.0.201 TCP@21 FTP (21) 1
192.168.0.200 ICMP FTP (21) 1
192.168.0.201 TCP@21 FTP (21) 1
192.168.0.200 ICMP SMTP (25) 1
192.168.0.201 TCP@25 SMTP (25) 1
192.168.0.200 ICMP SMTP (25) 1
192.168.0.201 TCP@25 SMTP (25) 1
211.21.48.197 Any 192.168.0.15 ICMP Any 1

Example 2

The settings for virtual servers look like:

  • Forward all the TCP port 1999 requests established between external network and public IP 211.21.48.194 to FTP Server@ TCP port 1999 at 192.168.0.100 in LAN.
  • Note: Due to the nature of ftp protocol, in port style ftp-data connection, when ftp-control is used in port 1999, port 1998 will be taken by ftp-data.
  • Enable external users to access WAN IP 211.21.33.186, and connect PcAnywhere to .LAN hosts. l Note: PcAnywhere uses TCP port 5631 and UDP port 5632. Refer to PcAnywhere software manual for more details.
  • Enable external users to access WAN IP 211.21.48.194, and forward packets of TCP/UDP range 2000-3000 to host 192.168.0.15.

Note: Port range redirecting is supported as well.

Virtual server table for the settings above:

WAN IP Service Server Pool

Server IP

Detect Service Weight
211.21.48.194 TCP@1999 192.168.0.100 ICMP TCP@1999 1
192.168.0.101 TCP@1999 TCP@1999 1

WAN Link Health Detection

WAN IP Service Server Pool

Server IP

Detect Service Weight
211.21.33.186 TCP@5631 192.168.0.15 ICMP TCP@5631  
211.21.33.186 TCP@5632 192.168.0.15 TCP@5632 TCP@5632  
211.21.48.194 TCP@20003000 192.168.0.15 ICMP TCP@20003000  
211.21.48.194 UDP@20003000 192.168.0.15 ICMP UDP@20003000

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.