FortiADC™ Deployment Guide

Load Balancing Microsoft IIS

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

November 19, 2015

FortiADC Deployment Guide: Load Balancing Microsoft IIS

Revision 1
TABLE OF CONTENTS

Change Log 4
Introduction 5
Solution benefits 5
The FortiADC difference 6
Deployment topologies 7
Router Mode 7
One-Arm Mode 8
Hardware and software used in this example 9
Microsoft IIS Configuration 9
Step 1: Install Microsoft IIS 9
Step 2: Configure IIS logging 10
FortiADC Configuration 12
Basic Configuration 12
Step 1: Configure network interfaces and a static route 12
Step 2: Configure health checks 14
Step 3: Configure the Real Server Pool 15
Step 4: Configuring the virtual servers 18
Advanced Features Configuration 21
Persistence 21
Scripts 22
Advanced profile options 24
SSL offloading 25
Caching 28
Compression 30
Binding profiles to the virtual server 32
Advanced virtual server configuration summary 33
Verification 35
Troubleshooting 36
Appendix A: FortiADC Configuration 37
Basic server load balancing 37
Advanced features 38
 Change Log

Change Log

Date Change Description

2015-11-19 Initial release.

FortiADC Deployment Guide 4

Fortinet Technologies Inc.
Introduction

Introduction

Internet Information Services (IIS) is a web server produced by Microsoft. IIS has been included with Windows
Server since Windows 2000 Server as a Windows Component and since Windows NT as an option.

IIS 7.0 (most common used) is available with Windows Server 2008 and Windows Vista. Over the years, IIS has
gone through a major overhaul and has been completely redesigned to be the most flexible and secure platform
for web and application hosting. IIS contains several components that perform important functions for the
application and Web server roles. Each component has responsibilities, such as listening for requests made to
the server, managing processes, and reading configuration files.

The FortiADC deployment enables load balancing for server availability, quality of experience (QoE)
improvement for fast response-time, and best ROI with cost reduction (CAPEX and OPEX).

Solution benefits

l Delivers 99.999% application uptime with intelligent server load balancing and global server load balancing
l Optimizes applications and improves user QoE (Quality of Experience)
l Reduces CAPEX and OPEX by doing server offoad with SSL acceleration and TCP multiplexing.
l Secures IIS with web application firewall and distributed denial-of-server (DDoS) prevention.

5 FortiADC Deployment Guide

Fortinet Technologies Inc.
 The FortiADC difference

The FortiADC difference

There are a number of hardware load balancing products available on the market with a wide range of features
and capabilities. FortiADC differentiates itself by providing superior value, high performance, reliability, advanced
acceleration features, and security from a market leader.

FortiADC not only load balances Internet service requests across multiple servers, but also accelerates
application performance and provides application-aware features that monitor server load and improve server
response times – by as much as 25%. In addition to basic load balancing, FortiADC provides:

n Automatic server and application health monitoring.

n Intelligent, application-aware load balancing policies (least connections, fastest response time, static weight, and
round robin).
n Redundant high availability (HA) configurations.
n Intuitive Layer 7 policy-based routing that can dynamically rewrite content to support complex applications and
server configurations.
n Hardware and software-based SSL offloading that reduces the performance impact on your server infrastructure.
n Content caching that dynamically stores popular application content, such as images, videos, HTML files, and other
types to alleviate server resources and accelerate overall application performance.
n Web Application Firewall that protects against application layer attacks.
n IP Reputation service that protects your applications against automated web attacks by identifying access from
botnets and other malicious sources.
n Global Server Load Balancing that distributes traffic across multiple geographical locations for disaster recovery.
n Link Load Balancing that distributes traffic over multiple ISPs to increase resilience and reduce the need for costly
bandwidth upgrades.
n Authentication offloading that speeds user authentication for secure applications.
n Scripting for custom load balancing and content rewriting rules.
n Virtual domains (VDOMs) that enable administrators to divide a FortiADC into two or more virtual FortiADC devices,
each operating as an independent application delivery controller.
For more information on how FortiADC can make your applications work better, faster, and more economically,
please visit http://www.fortinet.com/products/fortiadc/index.html.

FortiADC Deployment Guide 6

Fortinet Technologies Inc.
Deployment topologies Router Mode

Deployment topologies

This section shows the most common deployment topologies for load balancing Microsoft IIS. It includes the
following information:

l Router Mode
l One-Arm Mode
The example configurations in this deployment guide are for a Router Mode deployment.

Router Mode

Figure 1 shows the Router Mode deployment topology. In this mode:

l FortiADC is the default gateway of the servers, so all traffic will be sent through the FortiADC.
l Clients send HTTP requests to the FortiADC virtual server IP address (ex. 10.10.10.10), and FortiADC load
balances the traffic between the Web Servers.
Figure 1: Router Mode topology

7 FortiADC Deployment Guide

Fortinet Technologies Inc.
One-Arm Mode Deployment topologies

The following tables show the source/destination addresses received and sent from the FortiADC.

One-Arm Mode

Figure 2 shows the One-Arm Mode deployment topology. In this mode:

l FortiGate is the default gateway of the servers. Only load balancing traffic is sent to the FortiADC.
l Clients send HTTP requests to the FortiADC virtual server IP address (ex. 10.10.10.10). FortiADC acts as a reverse
proxy: it NATs the source address, opens new HTTP connections, and load balances the traffic between the Web
Servers.
l You can configure a FortiADC profile option to write the original source IP address to the X-Forwarded-For header.
You can configure IIS logs to write the X-Forwarded-For field.
Figure 2: One-Arm Mode topology

FortiADC Deployment Guide 8

Fortinet Technologies Inc.
 Hardware and software used in this example Step 1: Install Microsoft IIS

The following source/destination tables show the NAT translation.

Hardware and software used in this example

The following hardware and software were used in testing this example:

l FortiADC VM
l FortiADC OS Version 4.3.1
l IIS Web Server Version 7.0
l Custom client/server hardware running VMware ESX 4 (Windows Server 2008)
Important: This guide is written only for the FortiADC D-series platform. The instructions included within are not
designed to be used with the FortiADC E-series platform application delivery controllers.

Microsoft IIS Configuration

This section provides configuration pointers for Microsoft IIS. It includes the following topics:

Step 1: Install Microsoft IIS

Step 2: Configure IIS logging

Step 1: Install Microsoft IIS

If it is not already installed, install Microsoft IIS. You can find instructions here:

http://www.iis.net/learn/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-
server-2008-r2
Verify installation was successful by opening http://localhost in the server host computer browser. Figure 3 shows
the message that is displayed when the installation is successful.

9 FortiADC Deployment Guide

Fortinet Technologies Inc.
 Step 2: Configure IIS logging Microsoft IIS Configuration

Figure 3: Microsoft IIS

Step 2: Configure IIS logging

If FortiADC performs source NAT (due to a one-arm deployment or other requirements), you can configure
FortiADC to write the original source IP address to the X-Forwarded-For header. Figure 4 shows the profile
configuration page where you set this behavior.

FortiADC Deployment Guide 10

Fortinet Technologies Inc.
Microsoft IIS Configuration Step 2: Configure IIS logging

Figure 4: HTTP/HTTPS profile option X-Forwarded-For

On IIS, you must install the IIS Advanced Logging 64-bit or IIS Advanced Logging 32-bit add-on for IIS 7. You
can find instructions for installing the add-on and enabling logging of headers such as X-Forwarded-For here:

http://www.iis.net/learn/extensions/advanced-logging-module/advanced-logging-for-iis-custom-logging

If you use advanced FortiADC load balancing features like SSL offloading and
compression offloading, you would disable those Microsoft IIS settings.

See http://www.IIS.net for information on Microsoft IIS settings.

11 FortiADC Deployment Guide

Fortinet Technologies Inc.
 Basic Configuration FortiADC Configuration

FortiADC Configuration

This section provides configuration guidelines for load balancing Microsoft IIS when FortiADC is deployed in
Router Mode. It includes the following topics:

Basic Configuration
Advanced Features Configuration

Basic Configuration

This section provides the basic procedures for getting started with Layer 4 load balancing. It includes the
following steps:

Step 1: Configure network interfaces and a static route

Step 2: Configure health checks
Step 3: Configure the Real Server Pool
Step 4: Configuring the virtual servers

Step 1: Configure network interfaces and a static route

You configure two network interfaces for deployment:

l port1—External network (WAN)

l port2—Internal network (LAN)
To configure network interfaces, go to Networking > Interface. Figure 5 shows the configuration for port1.

FortiADC Deployment Guide 12

Fortinet Technologies Inc.
FortiADC Configuration Basic Configuration

Figure 5: Network interface configuration page

13 FortiADC Deployment Guide

Fortinet Technologies Inc.
 Basic Configuration FortiADC Configuration

To create a static route, go to Networking > Routing. Figure 6 shows the static route configuration page.

Figure 6: Static route

Step 2: Configure health checks

Health checks test gateway or server availability so the server load balancer can exclude unavailable servers from
the active server pool. In this deployment, we use HTTP health checks to verify Microsoft IIS availability.

To configure a health check, go to System > Shared Resources > Health Check. Table 1 summarizes the health
check configuration for this example. Figure 7 shows the HTTP health check configuration page.

Table 1: Health check configuration summary

Settings Values Notes

Name HC-HTTP-IIS80

Type HTTP

Port 80 Tests an HTTP GET request to the Microsoft IIS

port 80.

Method GET

Send String / URL to get.

Status Code 200 A successful test returns HTTP 200.

FortiADC Deployment Guide 14

Fortinet Technologies Inc.
 FortiADC Configuration Basic Configuration

Figure 7: Health check configuration page

Step 3: Configure the Real Server Pool

The FortiADC server load balancing (SLB) feature is used to load balance traffic on port 80 to a Microsoft IIS pool.
Select the health check configured in the previous step and configure a member pool.

To configure real server pools, go to Server Load Balance > Real Server. Table 2 summarizes the real server pool
configuration for this example. Figure 8 through Figure 10 show the configuration pages.

15 FortiADC Deployment Guide

Fortinet Technologies Inc.
Basic Configuration FortiADC Configuration

Table 2: Real Server pool configuration summary

Settings Values Notes

Name Web-Group

Health Check

Health Check Rela- OR Server is deemed available if any of the specified health
tionship checks is successful. In this case, we have only one
health check, so there is no distinction between the two
possible settings.

Health Check Con- HC-HTTP-IIS80 The health check configured in the previous step.
figuration Objects

Member

IP Address 192.168.100
192.168.101
192.168.102

Port 80

Health Check Inherit Enabled

Figure 8: SLB real server pool initial configuration page

FortiADC Deployment Guide 16

Fortinet Technologies Inc.
FortiADC Configuration Basic Configuration

Figure 9: Real Server Pool Member configuration page

17 FortiADC Deployment Guide

Fortinet Technologies Inc.
 Basic Configuration FortiADC Configuration

Figure 10: Real Server Pool complete configuration

Step 4: Configuring the virtual servers

In the basic deployment, the FortiADC virtual servers are Layer 4 virtual servers. Layer 4 virtual servers are useful
when not using advanced features (such as content routing, SSL, compression, caching, WAF, and so on).

In the virtual server configuration, you select from predefined and user defined configuration objects. You created
the required user-defined configuration objects in the previous steps.

To configure virtual servers, go to Server Load Balance > Virtual Server. Table 3 summarizes the virtual server
configuration for this example. Figure 11 shows the configuration summary page.

FortiADC Deployment Guide 18

Fortinet Technologies Inc.
FortiADC Configuration Basic Configuration

Table 3: Virtual Server configuration summary

Settings Values Notes

Name Web_VIP

Type Layer 4

Packet Forwarding Method DNAT When DNAT is selected FortiADC rewrites

the destination IP address in the client
request. The selected real server
IP address replaces the virtual server IP
address.

In a One-Arm Mode deployment, you would

select Full-NAT so that both source and
destination are translated. You would also
configure and select a source NAT address
pool.

IP address 10.10.10.10

Port 80

Network Interface port2

Profile LB_PROF_TCP Predefined profile.

Persistence None selected Traffic for some applications, like e-commerce

transactions or SIP voice calls, are transactions
that depend on an established client-server ses-
sion. If your application requires this, select a
predefined or user-defined persistence method.

Method LB_METHOD_ROUND_ Predefined method.

ROBIN

Real Server Pool Web_Group The pool configured in the previous step.

Log Enable Enables traffic logs.

19 FortiADC Deployment Guide

Fortinet Technologies Inc.
Basic Configuration FortiADC Configuration

Figure 11: Virtual server configuration page

FortiADC Deployment Guide 20

Fortinet Technologies Inc.
 FortiADC Configuration Advanced Features Configuration

Advanced Features Configuration

Some advanced features are bound directly to the virtual server and some are bound to the profile selected for
the virtual server.

This section describes configuration for the following advanced features:

l Persistence
l Scripts
l Advanced profile options

Persistence
You bind persistence rules to the virtual server configuration. Persistence rules determine traffic that is not load
balanced but rather is dispatched to the same server as an existing connection. Typically, you configure
persistence rules to support server transactions that depend on an established client-server session.

This example uses persistence based on cookies. The backend server sends a cookie. If subsequent packets
received by FortiADC match the cookie, they are forwarded to the original backend server and load balancing
rules are not applicable.

To configure persistence rules, go to Server Load Balancing > Virtual Server > Persistence. Figure 12 shows the
configuration for this example. Figure 13 shows where to select the configuration object in the virtual server
configuration page.

Figure 12: Persistence configuration page

21 FortiADC Deployment Guide

Fortinet Technologies Inc.
 Advanced Features Configuration FortiADC Configuration

Figure 13: Virtual server configuration page - Persistence

Scripts
You bind scripts to the virtual server configuration. Scripts enable you to use predefined Lua script commands and
variables to manipulate the HTTP request/response or select a content route.

For example, you could use a script to redirect HTTP requests to the HTTPS location for the web site:
when HTTP_REQUEST {
Host = HTTP:header_get_value("host")
Path = HTTP:path_get()

FortiADC Deployment Guide 22

Fortinet Technologies Inc.
FortiADC Configuration Advanced Features Configuration

HTTP:redirect("https://%s%s", Host, Path)

}

To configure scripts, go to System > Shared Resources > Scripting. Figure 14 shows the configuration for this
example. Figure 15 shows where to select the script in the virtual server configuration page.

Figure 14: Scripting configuration page

23 FortiADC Deployment Guide

Fortinet Technologies Inc.
 Advanced Features Configuration FortiADC Configuration

Figure 15: Virtual Server configuration page - Scripting

Advanced profile options

You bind profiles to the virtual server configuration. Profiles contain settings that affect protocol traffic for the
client-side connection (between the client and the FortiADC). Advanced profile options support offloading server
functions, such as SSL negotiation, HTTP caching, and Gzip compression.

This section includes example configurations for the following advanced profile options:

FortiADC Deployment Guide 24

Fortinet Technologies Inc.
FortiADC Configuration Advanced Features Configuration

l SSL offloading
l Caching
l Compression

SSL offloading
Clients can use SSL or TLS to connect to HTTPS virtual servers.

When you use FortiADC as a proxy for SSL operations normally performed on the backend real servers, you must
import the X.509 v3 server certificates and private keys the backend servers would ordinarily use, as well as any
certificate authority (CA) or intermediate CA certificates that are used to complete the chain of trust between your
clients and your servers.

The FortiADC system supports all of the TLS/SSL administration methods commonly used by HTTPS servers,
including:

l Server name indication (SNI) - You can require clients to use the TLS extension to include the server hostname in
the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to
present to the client.
l Local certificate store - A certificate store for the X.509 v3 server certificates and private keys the backend servers
would ordinarily use.
l Certificate Authorities (CAs) store - A store for the CA certificates that the backend servers would ordinarily use to
verify the CA signature in the client certificate.
l Intermediate CAs store - A store for Intermediate CAs that the backend servers would ordinarily use to complete the
chain between the client certificate and the server certificate. HTTPS transactions use intermediate CAs when the
server certificate is signed by an intermediate certificate authority (CA) rather than a root CA.
l OCSP - Use Online Certificate Status Protocol (OCSP) to obtain the revocation status of certificates.
l CRL - Use a certificate revocation list (CRL) to obtain the revocation status of certificates.
l Certificate validation policy - You can configure certificate validation policies that use OCSP or CRL. These policies
can be associated with load balancing profiles.

Basic Steps

1. Import the certificates and keys. If necessary, generate a CSR and submit it to a CA. When you receive your
certificate from the CA, you can import it.
Go to System > Certificate > Manage Certificates > Local Certificate. Figure 16 shows the Import Local
Certificate page. Figure 17 shows the Generate CSR page.
2. Create a certificate group.
Go to System > Certificate > Manage Certificates > Local Certificate Group. Figure 18 shows the Certificate
Group configuration page.
3. Create an HTTPS profile and bind the certificate group to it.
Go to Server Load Balance > Profile. Figure 19 shows where to select the configuration object in the profile
configuration page.

25 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced Features Configuration FortiADC Configuration

Figure 16: Import Certificate page

Figure 17: Generate CSR page

FortiADC Deployment Guide 26

Fortinet Technologies Inc.
FortiADC Configuration Advanced Features Configuration

Figure 18: Certificate Group configuration page

27 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced Features Configuration FortiADC Configuration

Figure 19: Profile configuration page - Certificate Group

Caching
FortiADC can store HTTP content. The system can serve subsequent HTTP requests for that content without
forwarding the requests to the backend servers, thereby reducing the load on the backend servers.

In general, the RAM cache conforms to the cache requirements described in RFC 2616.

FortiADC Deployment Guide 28

Fortinet Technologies Inc.
FortiADC Configuration Advanced Features Configuration

If caching is enabled for the profile that is applied to traffic processing, the system evaluates HTTP responses to
determine whether or not to cache the content. HTTP responses with status codes 200, 203, 300, 301, 400 can
be cached.

To configure caching, go to Server Load Balance > Profile > Caching.

Figure 20 shows the configuration for this example. Figure 21 shows where to select the configuration object in
the profile configuration page.

Figure 20: Caching configuration page

29 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced Features Configuration FortiADC Configuration

Figure 21: Profile configuration page - Caching

Compression
Compression offers the greatest performance improvements for Microsoft IIS when applied to URLs whose
media types include repetitive text such as tagged HTML and JavaScript. Files that already contain efficient
compression such as GIF images usually should not be compressed, as the CPU usage and time spent
compressing them will result in an increased delay rather than network throughput improvement.

To configure compression, go to Server Load Balance > Profile > Compression.

Figure 22 shows the configuration for this example. Figure 23 shows where to select the configuration object in
the profile configuration page.

FortiADC Deployment Guide 30

Fortinet Technologies Inc.
FortiADC Configuration Advanced Features Configuration

Figure 22: Compression configuration page

31 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced Features Configuration FortiADC Configuration

Figure 23: Virtual server configuration page - Compression

Binding profiles to the virtual server

Figure 24 shows where the profile is selected in the virtual server configuration.

FortiADC Deployment Guide 32

Fortinet Technologies Inc.
 FortiADC Configuration Advanced Features Configuration

Figure 24: Virtual Server configuration page - Profiles

Advanced virtual server configuration summary

Table 4 summarizes the advanced configuration to support client traffic over HTTPS to Microsoft IIS. SSL
negotiation, caching, and compression processes are offloaded from Microsoft IIS to the FortiADC virtual server.

33 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced Features Configuration FortiADC Configuration

Table 4: Advanced virtual Server configuration summary

Settings Values Notes

Name Web_VIP

Type Layer 7

Packet Forwarding Not applicable for Layer 7 virtual servers.

Method

IP address 10.10.10.10

Port 443 HTTPS port.

Network Interface port2

Profile HTTPS-Profile The profile configured in the previous step. This

profile includes SSL offloading, caching, and
compression settings.

Persistence Cookie_Persistence The persistence method configured in the pre-

vious step.

Method LB_METHOD_ROUND_ Predefined method.

ROBIN

Real Server Pool Web_Group The pool configured in the previous step.

Log Enable Enables traffic logs.

FortiADC Deployment Guide 34

Fortinet Technologies Inc.
Verification Advanced Features Configuration

Verification

You can use the FortiADC monitoring graphs and logs to verify that traffic is indeed cached and packet flow is
working as expected.

To display the dashboard for real server pool statistics, go to Dashboard > Virtual Server > Real Server.

Figure 25: Real Server dashboard

To display logs for Layer 4 virtual servers, go to Log & Report > Traffic Log > SLB Layer 4.

Figure 26: Layer 4 virtual server logs

35 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced Features Configuration Troubleshooting

Troubleshooting

The FortiADC web user interface includes a tcpdump packet capture utility that can be helpful troubleshooting
expected behavior.

To configure packet capture settings and filters, go to Networking > Packet Capture.This page also has controls
to start/stop and download the packet captures.

Figure 27: Packet capture settings for the internal interface

Figure 28: Packet capture settings for the external interface

FortiADC Deployment Guide 36

Fortinet Technologies Inc.
 Appendix A: FortiADC Configuration Basic server load balancing

Appendix A: FortiADC Configuration

The following configuration file samples show the FortiADC configuration:

l Basic server load balancing

l Advanced features

Basic server load balancing

config system global

set hostname FortiADC-VM
end
config system interface
edit "port1"
set vdom root
set ip 10.10.10.1/24
set allowaccess https ping ssh http
config ha-node-ip-list
end
next
edit "port2"
set vdom root
set ip 192.168.1.1/24
config ha-node-ip-list
end
config system health-check
edit "HC-HTTP-IIS80"
set type http
set port 80
set method-type http_get
next
end
config load-balance pool
edit "Web_Group"
set health-check-ctrl enable
set health-check-list HC-HTTP-IIS80
config pool_member
edit 1
set ip 192.168.1.100
next
edit 2
set ip 192.168.1.101
next
edit 3
set ip 192.168.1.102
next
end
next
end
config load-balance method

37 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced features Appendix A: FortiADC Configuration

end
config load-balance persistence
end
config load-balance content-rewriting
end
config load-balance content-routing
end
config user local
end
config user user-group
end
config load-balance auth-policy
end
config load-balance virtual-server
edit "Web_VIP"
set interface port2
set ip 10.10.10.10
set load-balance-profile LB_PROF_TCP
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool Web_Group
set traffic-log enable
set id 1
next
end

Advanced features

config system global

set hostname FortiADC
end
config system interface
edit "port1"
set vdom root
set ip 10.10.10.1/24
set allowaccess https ping ssh http
config ha-node-ip-list
end
next
edit "port2"
set vdom root
set ip 192.168.1.1/24
config ha-node-ip-list
end
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end
config system certificate local
edit "Cert-CSR"
set password ENC PG/0zS-
coADkZqk8elD637OWnbn-
nMHQKtCd/IfnclgzQneXAry7wMKmIYf4lK5wGs2bimX5lOuJ1lE6F/xNkbAGgeWGdnShCj96pYjuNL3T3HtAGQ
set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----

FortiADC Deployment Guide 38

Fortinet Technologies Inc.
Appendix A: FortiADC Configuration Advanced features

MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI1MVDWOX4NCsCAggA
MBQGCCqGSIb3DQMHBAjLJVfgVPxzCASCBMi+OEweUbBScuSI3wOeLiJzihJ5gEQ1
NpKPfdlmdizM8zmlB9CDpj6qvh6/1Jr2fR/n3y/7mgxm6HmYwaejTP/zq3ahNxoV
geO83oYo4hmXw0HWd9gESZ2JsDcZYFnKGQOBh/8+hU0Dk54kk15We/pQax0yndog
iF9TI+YU52jWiHuGFSz7SgwxD7hnWIT0/TYJoYmRYCWEw/we2fK2E1cUiBbUhdoG
DR7+Wx5ZMqtEIFlFZfGEbDL0Ajvn9Ch0V9nxELKtrik5f4oV4MMWMIN+DLe/hhLP
wpnVUEvtxxPNmYQtz0pDSINutACqS6HRDvgt751JUueYMobkuP/dE2KZ8dAFNRji
4aFwELJKfWL9lEcUwTwA48VgLMoag2sJw1u2ZdoHQQS+IP+Y+XNNToyzpnS8cXLj
j69UjJWKvufdZ8emFU5dOHtaWUCXFk+mSvXdhVKyNlPu369EFwqn5NzqMPZZZNo8
LVDmU9ROleDQzZUGFTp2X30NrHFVO5D90XR96mndjuJtSzJHmDcSUUiaTTAzLURn
BlaVRfrJJXGDeBmylI86te7ZbvF1StVAqN701NzPDOh+Ixa73xtkFV1BnZ9AzLlC
6OzuKptofOTiLY001IkpDsd0vr3odJ5aRBZ8rxB2XhNq89iuzmV/ylDRA3JBi48m
ihTBfV8XTEb5fDTV0tEf9Ov6yPgXKR2/JSM1F9EqKjGx/1zEIW5jRZh/+RHGYBgr
U7sj1F3CrShCcgiQfxCJ+DlBPFi3Od7Rpx3Sk3NpE6j228C/2EheXka27I/Z1V9O
04nR0VyptLm/lF0XeXUgytLjJCXp+dE184u4OCNn6fycXOJENzWL12KUYeuhrZOA
bTYhV2hSkt00R6V93XhuLf7mgwF+A/DR741LdxixUl+lMtEbvfjJ5ojQZO8YmW/d
ERmF3R6YGar7U2wz+54EJLSWwTMAt+nqgsrlQefSmajAW9rOHrJ2giXzNrsLjkxP
RLl/k6LZzrGFSkkKLu9+msYc2P+KE0eVIqqVFTrduuuArdw/l37VN4cG55ZteLEJ
k04EuKWumPjOdXPRpO3flWfUERVhVuEZrMkpraCjsdf+9EUo9/tGifI1pfgn/ERp
0y+VlYOhjwCJt89F2T5w5gVsjyT2XT4F8IwRKFCz7thAgclj9EMe7a5s7tnBYBJ4
ISFBPVO4alg1bSqzQuISqw0s269gKz3WQebFm6yQaBOluf1TFFvRo8Yhp557OQ//
rzWnEFI/PgG1i6j0Z/aE1JONQLg3BKmEPGw/O5CjmN+o9CO+U0Ss6LcYAyFk4Vcm
sZDD6k4lF6CrSbRFAzNXgh1SuZ3MqlB2V45urBCoUGwXyyj7HLjwZkwDZz6NuQ9G
ffk9eMpILRzrYOhv3Z4Mc0f5hVGfzpcUHfoxm2n0JJ/YTXkGrnlbZWHLvBwbLhmc
CYpPXMzfWMxJHsAGMk95pFRRlU5mX7LZ+D3BW/ydxBv7FUcCy4l0HMliPx9m5CV6
03XILOYXbFabZcHE75CZX0CuzikTrBdfEzvX3r+fL0mnIeA6fSvc++Jb56fZiivs
sVV/GBtYP1BU6xN8JI+K+06kgTMHCbwwnTeRQ/fsAhuiV3AMqekSfr1j9YihZ3qS
1HI=
-----END ENCRYPTED PRIVATE KEY-----
"
set csr "-----BEGIN CERTIFICATE REQUEST-----
MIIC3jCCAcYCAQAwgYUxCzAJBgNVBAYTAkhSMQswCQYDVQQIEwJJTDELMAkGA1UE
BxMCSUwxDDAKBgNVBAoTA2FkYzERMA8GA1UECxMIZm9ydGlhZGMxGTAXBgNVBAMT
EHd3dy5mb3J0aWFkYy5jb20xIDAeBgkqhkiG9w0BCQEWEWFtaXRAZm9ydGluZXQu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtuJCqyGVvPvxOfeh
UCczs1N5B+21d5vdQg90bjsIoBltOGStoN6nexx1yXHmvyqTmVFxky5bTkA8+7sS
C6hTqvIvUNeAF6BmU3FzqUsEsvGZF4jD2HYQ0xFW7QYU+ZmvvUPEtzWyrxIHkzph
u8O+LP7O4P1raw2MDDfzY5Yx8sHtlb1bTzGc+iJsnAXJvv/RLu/hj4zMuIMXVbZc
wFDj5kJtKLb1SvSPRagawIWHIbrpyyGlLCkalN0Bye3yI/2eMxeZv4EFezdgWiu1
QsqtgM/Fs5noolzqk10ZhbNj4199uwjklxk5GxVr6dWr8M0PD+m8ozSYqEK2dwlO
Vzx6UwIDAQABoBMwEQYDVR0TMQoTCENBOkZBTFNFMA0GCSqGSIb3DQEBBQUAA4IB
AQCfSWwkYbAD973U+65KstDKsISzyvK59yF8Ru1QYyXeHYpZLNxDyUF4WcaQqbSO
Bs9C/3ueWfVzKlfGe/2ytju2G9lEVAUGNwi+CvTSSN+SMP4ddZA7ndBQzTpGrmH7
gaO+Jyv4Jd7nq5Hrkvh5ocuAwD4TqptyGQsRDtuTMIU0Hq6qVp/tcG6OA87/rOg2
BmfA1dMplCiAViNHe+9fj2mAV0QlyzB8hM/Enxlfi680bX1RPW9KA9LmPFOkSpLC
Vm+Cq8YuEJ9Tuu+sFTG20mHwmmwitg9EjuGCOAHAKqcVw+c2cSCwtEf/5WW7E8eP
9X02teScIMBP3KCmSeMo2Frk
-----END CERTIFICATE REQUEST-----
"
next
end
config system certificate ca_group
end
config system certificate intermediate_ca
end
config system certificate intermediate_ca_group

39 FortiADC Deployment Guide

Fortinet Technologies Inc.
Advanced features Appendix A: FortiADC Configuration

end
config system certificate local_cert_group
edit "Cert_Group"
config group_member
edit 1
set local-cert Factory
next
end
next
end
config system scripting
edit "https_redirection"
next
end
config system health-check
edit "HC-HTTP-IIS80"
set type http
set port 80
set method-type http_get
next
end
config load-balance compression
edit "Compression-Policy"
config uri_list
end
config content_types
end
next
end
config load-balance caching
edit "Caching-Policy"
config uri_exclude_list
end
next
end
config load-balance profile
edit "HTTPS-Profile"
set type https
set local-cert-group Cert_Group
set compression Compression-Policy
set caching Caching-Policy
next
end
config load-balance pool
edit "Web_Group"
set health-check-ctrl enable
set health-check-list HC-HTTP-IIS80
config pool_member
edit 1
set ip 192.168.1.100
next
edit 2
set ip 192.168.1.101
next
edit 3
set ip 192.168.1.102

FortiADC Deployment Guide 40

Fortinet Technologies Inc.
Appendix A: FortiADC Configuration Advanced features

next
end
next
end
config load-balance method
end
config load-balance persistence
edit "Cookie_Presistency"
set type persistent-cookie
next
end
config load-balance virtual-server
edit "Web_VIP"
set type l7-load-balance
set interface port1
set ip 10.10.10.10
set load-balance-profile LB_PROF_HTTP
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool Web_Group
set traffic-log enable
set id 1
set scripting https_redirection
next
edit "HTTPS_VIP"
set type l7-load-balance
set interface port1
set ip 10.10.10.10
set port 443
set load-balance-profile HTTPS-Profile
set load-balance-persistence Cookie_Presistency
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool Web_Group
set traffic-log enable
set id 2
next
end

41 FortiADC Deployment Guide

Fortinet Technologies Inc.
Copyright© 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.