WAN optimization and web caching
SSL offloading for WAN optimization and web caching
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
3 Select OK to save the peer.
4 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New to add
  an authentication group named SSL_auth_grp to the server side FortiGate unit.
  The authentication group includes a pre-shared key and the peer added to the server
  side FortiGate unit in step
5 Go to System > Certificates > Local Certificates and select Import to import the web
  server’s CA. Set the name of the local certificate to Web_Server_Cert_1.
  The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
6 Enter the following command to add the SSL server to the server side FortiGate unit.

    config wanopt ssl-server
        edit example_server
            set ip 192.168.10.20
            set port 443
            set ssl-cert Web_Server_Cert_1
    end

  Configure other ssl-server settings as required for your configuration.
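
The key size limit in step 5 can be checked before a certificate is imported. The following Python script is an added example, not part of the FortiGate guide: it reads the RSA modulus size from a PEM or DER certificate or public key and reports whether it is 1024 or 2048 bits. The function names and the dummy sample key are constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)
SUPPORTED_BITS = (1024, 2048)                   # sizes the guide allows; 4096 is not supported

def read_tlv(buf, pos):                         # -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def walk(buf, pos, end):                        # yield (tag, content) in document order
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        yield tag, buf[s:e]
        if tag & 0x20:                          # constructed type: descend into it
            yield from walk(buf, s, e)
        pos = e

def rsa_key_bits(der):                          # modulus size of the first RSA public key
    seen_oid = False
    for tag, content in walk(der, 0, len(der)):
        if tag == 0x06 and content == RSA_OID:
            seen_oid = True
        elif seen_oid and tag == 0x03:          # subjectPublicKey BIT STRING
            key = content[1:]                   # drop the unused-bits octet
            _, s, _ = read_tlv(key, 0)          # RSAPublicKey SEQUENCE
            _, ms, me = read_tlv(key, s)        # first INTEGER is the modulus
            return int.from_bytes(key[ms:me], "big").bit_length()
    raise ValueError("no RSA public key found")

def check_for_import(data):                     # bytes (PEM or DER) -> (bits, supported?)
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    bits = rsa_key_bits(data)
    return bits, bits in SUPPORTED_BITS

def tlv(tag, content):                          # minimal DER encoder, used for the sample only
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_spki(bits):                          # constructed SubjectPublicKeyInfo, dummy modulus
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = tlv(0x30, tlv(0x02, mod) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))
```

To check a real file, pass its bytes to check_for_import, for example check_for_import(open(path, "rb").read()), where path is the certificate you plan to import.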
SSL offloading and reverse proxy web caching for an internet web server
This example shows how to configure SSL offloading for a reverse proxy, web cache only
WAN optimization configuration. In this configuration, clients on the Internet use HTTPS to
browse to a web server. The FortiGate unit intercepts the HTTPS traffic, and a web cache
only WAN optimization rule with SSL offloading enabled decrypts the traffic before
sending it to the web server. The FortiGate unit also caches pages from the web server.
Replies from the web server are encrypted by the FortiGate unit before they are returned
to the web browsing clients.
The web cache only rule enables transparent mode because the FortiGate unit is
performing NAT between the Internet and the HTTP server, and the web server network is
not configured to route Internet traffic between the FortiGate unit and the web server.
In this configuration the FortiGate unit is operating in reverse proxy mode. Reverse proxy
caches can be placed directly in front of a particular server. Web caching on the FortiGate
unit reduces the number of requests that the web server must handle, leaving it
free to process new requests that it has not serviced before.
Some benefits of a reverse proxy configuration:
• Avoid the capital expense of purchasing additional web servers by instead increasing
  the capacity of existing servers.
• Serve more requests for static content from web servers.
• Serve more requests for dynamic content from web servers.
• Reduce operating expenses, including the cost of bandwidth required to serve
  content.
Peer Host ID           User_net
IP Address             172.20.120.1

Name                   SSL_auth_grp
Authentication Method  Pre-shared key
Password               <pre-shared_key>
Peer Acceptance        Specify Peer: User_net