Virtual Server & Server Load Balancing
Virtual Server is a method by which a single gateway machine acts as multiple servers, while the real servers sit inside the corporate network and process the requests passed in from the gateway. Inbound traffic does not need to know where the real servers are, or whether there is one server or many. This prevents direct user access to the real servers and therefore increases security and flexibility.
FortiWAN has a built-in virtual server and supports various virtual server mapping methods. For example, different public IP addresses can be mapped to different real servers in the LAN or DMZ, or different ports on one public IP address can be mapped to different servers.
Virtual servers are configured by defining and ordering virtual server rules. Each rule specifies a mapping condition: it maps a WAN IP address and a service (one port or a range of ports) to an internal server IP. The order of virtual server rules matters, as in every other rule table in FortiWAN, because the table uses the “first match” scheme: the first rule that a request matches is the rule that takes effect.
For example, suppose the public IP address is 211.21.48.196 and a web server at 192.168.123.16 should handle all web page requests arriving at this public IP. To do this, create a virtual server rule with 211.21.48.196 as its WAN IP, 192.168.123.16 as its Server IP, and HTTP (80) as its Service.
Virtual Server makes intranet (LAN) servers accessible from the internet (WAN). The private IP addresses assigned to the intranet servers remain invisible to the outside, while the services themselves become reachable for users outside the network; FortiWAN redirects these external requests to the servers in the LAN or DMZ. Whenever an external request arrives, FortiWAN consults the Virtual Server table and redirects the packet to the corresponding server in the LAN or DMZ. The rules of the Virtual Server table are prioritized top down: if one rule overlaps another in the table, only the higher ranked one is applied and the rest are ignored. In addition, Virtual Server can balance load across multiple servers, distributing traffic over a group of servers (a server cluster) and making the service highly available.
FortiWAN provides mechanisms to record, notify on and analyze events related to the Virtual Server service; see “Log”, “Statistics: Virtual Server Status” and “Report: Virtual Server”.
IPv4 Virtual Server
Field | Description
E | Check the box to enable the rule.
When | Options: Busy hour, Idle hour, and All-Time (see “Busyhour Settings”).
WAN IP | For external internet users, the virtual server is presented as a public IP (IPv4) on the WAN port. This WAN IP is the “visible” IP of the virtual server in the external environment. Select the public IP: in “Routing Mode”, either enter the IP manually or select the IP obtained from the WAN link; in “Bridge Mode One Static IP”, enter the WAN IP and the public IP assigned by the ISP; or choose “dynamic IP at WAN#” if the WAN type is neither of the above.
Service | The type of TCP/UDP service to be matched. Select matching criteria from publicly known service types, or choose a port number from TCP/UDP packets. To specify a range of port numbers, type the starting port number, a hyphen “-” and the ending port number, e.g. “TCP@123-234” (see “Using the web UI”).
Algorithm | Algorithm for server load balancing (see Load Balancing Algorithms): Round-Robin, By Connection, By Response Time, or Hash.
Keep Session | Check the box to keep the session after a connection has been established. If the session is to be kept, enter the time period; the default is 30s.
Server Pool | The real servers the rule balances across. For each server:
- Server IP: The real IP (IPv4) of the server, most likely in the LAN or DMZ.
- Detect: The protocol for detecting server status: ICMP, TCP@, or No-Detect. Note: a port number must be specified for “TCP@”.
- Service: The type of TCP/UDP service to be matched. Select matching criteria from publicly known service types (e.g. FTP), or choose a port number from TCP/UDP packets. To specify a range of port numbers, enter the starting port number, a hyphen “-” and the ending port number, e.g. “TCP@123-234” (see “Using the web UI”).
- Weight: The weight determines which server responds to incoming requests. The higher the weight, the greater the chance that the corresponding server is used.
L | Check to enable logging: whenever the rule is matched, the system records the event to the log file.
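The following is an added example, not FortiWAN code, that models how a Virtual Server table behaves according to the description above: rules are tried top-down and the first match wins, the matched rule's load balancing algorithm (Round-Robin, By Connection, By Response Time or Hash) then picks a server from its pool honouring Weight, servers whose Detect probe failed are skipped, and Keep Session pins a client to its server for the configured time. The class, field and function names, the `healthy`/`rtt_ms` fields standing in for probe results, and the hashing of the client address are assumptions made for the illustration; the rules and addresses come from Example 1 on this page.

```python
"""Added example, not FortiWAN code: a model of how a Virtual Server table dispatches
an inbound request as this page describes: rules are tried top-down and the first match
wins, then the rule's load balancing algorithm picks a server from its pool, skipping
servers whose Detect probe failed. Class, field and function names are assumptions."""
from dataclasses import dataclass
import hashlib
import re
from typing import Dict, List, Optional, Tuple

_SERVICE_RE = re.compile(r"^(TCP|UDP)@(\d+)(?:-(\d+))?$", re.IGNORECASE)
WELL_KNOWN = {"HTTP": ("TCP", 80), "FTP": ("TCP", 21), "SMTP": ("TCP", 25)}  # names this page uses


def parse_service(spec: str) -> Tuple[Optional[str], int, int]:
    """'TCP@123-234', 'UDP@5632', 'HTTP (80)' or 'Any' -> (proto, low_port, high_port);
    proto None means any protocol, and 'Any' covers every port."""
    spec = spec.strip()
    if spec.lower() == "any":
        return None, 0, 65535
    m = _SERVICE_RE.match(spec)
    if m:
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {spec}")
        return m.group(1).upper(), lo, hi
    name = spec.split("(")[0].strip().upper()
    if name in WELL_KNOWN:
        proto, port = WELL_KNOWN[name]
        return proto, port, port
    raise ValueError(f"unknown service: {spec}")


@dataclass
class Server:
    ip: str
    weight: int = 1
    healthy: bool = True      # latest result of the Detect probe (ICMP or TCP@port); assumed field
    connections: int = 0      # live connections, used by "By Connection"
    rtt_ms: float = 0.0       # measured response time, used by "By Response Time"; assumed field


@dataclass
class Rule:
    wan_ip: str
    service: str
    pool: List[Server]
    algorithm: str = "Round-Robin"
    keep_session: int = 0     # seconds a client stays on the same server; 0 = off


class VirtualServerTable:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._rr: Dict[int, int] = {}                                   # round-robin counters
        self._sessions: Dict[Tuple[str, int], Tuple[str, float]] = {}  # (src, rule) -> (srv, expiry)

    def lookup(self, src_ip: str, dst_ip: str, proto: str, port: int, now: float = 0.0):
        """Return (rule_index, server_ip), or None if no rule matches or the pool is down.
        First match wins, so a broad 'Any' rule above a specific one shadows it."""
        for idx, rule in enumerate(self.rules):
            p, lo, hi = parse_service(rule.service)
            if dst_ip == rule.wan_ip and (p is None or p == proto) and lo <= port <= hi:
                srv = self._pick(idx, rule, src_ip, now)
                return (idx, srv.ip) if srv else None
        return None

    def _pick(self, idx: int, rule: Rule, src_ip: str, now: float) -> Optional[Server]:
        if rule.keep_session:                       # Keep Session: stay on the server while alive
            cached = self._sessions.get((src_ip, idx))
            if cached and cached[1] > now:
                srv = next((s for s in rule.pool if s.ip == cached[0] and s.healthy), None)
                if srv:
                    return srv
        candidates = [s for s in rule.pool if s.healthy]   # servers failing Detect are skipped
        if not candidates:
            return None
        weighted = [s for s in candidates for _ in range(max(1, s.weight))]
        if rule.algorithm == "Round-Robin":
            n = self._rr.get(idx, 0)
            srv = weighted[n % len(weighted)]
            self._rr[idx] = n + 1
        elif rule.algorithm == "By Connection":     # fewest live connections per unit of weight
            srv = min(candidates, key=lambda s: s.connections / max(1, s.weight))
        elif rule.algorithm == "By Response Time":
            srv = min(candidates, key=lambda s: s.rtt_ms)
        elif rule.algorithm == "Hash":              # the same client always lands on the same server
            digest = hashlib.sha256(src_ip.encode()).digest()
            srv = weighted[int.from_bytes(digest[:4], "big") % len(weighted)]
        else:
            raise ValueError(f"unknown algorithm: {rule.algorithm}")
        srv.connections += 1
        if rule.keep_session:
            self._sessions[(src_ip, idx)] = (srv.ip, now + rule.keep_session)
        return srv


def example_table() -> VirtualServerTable:
    """Three rules from Example 1 on this page; Keep Session and Hash settings are added here."""
    return VirtualServerTable([
        Rule("211.21.48.194", "HTTP (80)", [Server("192.168.0.100"), Server("192.168.0.101")]),
        Rule("211.21.48.194", "FTP (21)", [Server("192.168.0.200"), Server("192.168.0.201")],
             keep_session=30),
        Rule("211.21.48.197", "Any", [Server("192.168.0.15")], algorithm="Hash"),
    ])
```

Calling `example_table().lookup("203.0.113.9", "211.21.48.194", "TCP", 80)` twice returns the two HTTP servers in turn; a request to port 443 on the same WAN IP returns `None`, since no rule covers it and the packet is not forwarded into the LAN. Marking a server `healthy = False` (a failed Detect probe) removes it from rotation without touching the table, which is the point of configuring Detect rather than No-Detect.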
IPv6 Virtual Server
Field | Description
E | Check the box to enable the rule.
When | Options: Busy hour, Idle hour, and All-Time (see “Busyhour Settings”).
WAN IP | For external internet users, the virtual server is presented as a public IP (IPv6) on the WAN port. This WAN IP is the “visible” IP of the virtual server in the external environment. Select the public IP: in “Routing Mode”, either enter the IP manually or select the IP obtained from the WAN link; in “Bridge Mode One Static IP”, enter the WAN IP and the public IP assigned by the ISP; or choose “dynamic IP at WAN#” if the WAN type is neither of the above.
Service | The type of TCP/UDP service to be matched. Select matching criteria from publicly known service types, or choose a port number from TCP/UDP packets. To specify a range of port numbers, type the starting port number, a hyphen “-” and the ending port number, e.g. “TCP@123-234” (see “Using the web UI”).
Server IP | The real IP (IPv6) of the server, most likely in the LAN or DMZ.
L | Check to enable logging: whenever the rule is matched, the system records the event to the log file.
Example 1
The settings for the virtual servers are:
- Assign IP address 211.21.48.194 to WAN1. Refer to [System] -> [Network Settings] -> [WAN Settings] for more on WAN IP configuration.
- Assign IP address 211.21.33.186 to WAN2.
- Forward all HTTP requests (port 80) arriving through WAN1 or WAN2 to the two HTTP servers 192.168.0.100 and 192.168.0.101 in the LAN.
- Forward all FTP requests (port 21) arriving through WAN1 or WAN2 to the two FTP servers 192.168.0.200 and 192.168.0.201 in the LAN.
- Assign 211.21.48.195 and 211.21.33.189 to WAN1 and WAN2 respectively. Forward all requests to 211.21.48.195 or 211.21.33.189 to the two SMTP servers 192.168.0.200 and 192.168.0.201 in the LAN.
- Forward all requests to 211.21.48.197 to 192.168.0.15 in the LAN.
Note:
- FortiWAN can auto-detect both active and passive FTP servers.
- All public IPs must be assigned to WAN 1. To configure these IPs, go to the “IP(s) on Localhost of the Basic Subnet” table in [System] -> [Network Settings] -> [WAN Settings] -> [WAN Link 1].
- 211.21.48.197 does not belong to any physical host, and it must be assigned to the WAN port.
Virtual server table for the above settings. Each WAN IP and Service pair is one rule; the rows that share a pair are the servers in that rule's Server Pool.
WAN IP | Service | Server IP | Detect | Service | Weight
211.21.48.194 | HTTP (80) | 192.168.0.100 | ICMP | HTTP (80) | 1
211.21.48.194 | HTTP (80) | 192.168.0.101 | TCP@80 | HTTP (80) | 1
211.21.33.186 | HTTP (80) | 192.168.0.100 | ICMP | HTTP (80) | 1
211.21.33.186 | HTTP (80) | 192.168.0.101 | TCP@80 | HTTP (80) | 1
211.21.48.194 | FTP (21) | 192.168.0.200 | ICMP | FTP (21) | 1
211.21.48.194 | FTP (21) | 192.168.0.201 | TCP@21 | FTP (21) | 1
211.21.33.186 | FTP (21) | 192.168.0.200 | ICMP | FTP (21) | 1
211.21.33.186 | FTP (21) | 192.168.0.201 | TCP@21 | FTP (21) | 1
211.21.48.195 | SMTP (25) | 192.168.0.200 | ICMP | SMTP (25) | 1
211.21.48.195 | SMTP (25) | 192.168.0.201 | TCP@25 | SMTP (25) | 1
211.21.33.189 | SMTP (25) | 192.168.0.200 | ICMP | SMTP (25) | 1
211.21.33.189 | SMTP (25) | 192.168.0.201 | TCP@25 | SMTP (25) | 1
211.21.48.197 | Any | 192.168.0.15 | ICMP | Any | 1
Example 2
The settings for the virtual servers are:
- Forward all TCP port 1999 requests between the external network and public IP 211.21.48.194 to the FTP server listening on TCP port 1999 at 192.168.0.100 in the LAN.
- Note: Due to the nature of the FTP protocol, in a port-mode ftp-data connection the data port is the one below the control port: when ftp-control uses port 1999, port 1998 is taken by ftp-data.
- Enable external users to access WAN IP 211.21.33.186 and connect with PcAnywhere to LAN hosts.
- Note: PcAnywhere uses TCP port 5631 and UDP port 5632. Refer to the PcAnywhere software manual for more details.
- Enable external users to access WAN IP 211.21.48.194, and forward packets in the TCP/UDP port range 2000-3000 to host 192.168.0.15.
Note: Port range redirection is supported as well.
Virtual server table for the settings above:
WAN IP | Service | Server IP | Detect | Service | Weight
211.21.48.194 | TCP@1999 | 192.168.0.100 | ICMP | TCP@1999 | 1
211.21.48.194 | TCP@1999 | 192.168.0.101 | TCP@1999 | TCP@1999 | 1
211.21.33.186 | TCP@5631 | 192.168.0.15 | ICMP | TCP@5631 |
211.21.33.186 | TCP@5632 | 192.168.0.15 | TCP@5632 | TCP@5632 |
211.21.48.194 | TCP@2000-3000 | 192.168.0.15 | ICMP | TCP@2000-3000 |
211.21.48.194 | UDP@2000-3000 | 192.168.0.15 | ICMP | UDP@2000-3000 |
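Because the table uses the first-match scheme, rule order is part of the exposure: a broad rule placed above a narrower one for the same WAN IP means the narrower rule never takes effect, and the traffic it was meant to steer goes wherever the broad rule points. The following is an added example, not FortiWAN code, that audits a rule table for exactly that condition and for Detect values the device cannot use (the page states that “TCP@” needs a port). The rules are taken from the Example 2 table above; the tuple layout, function names and the mis-ordered variant are assumptions made for the illustration.

```python
"""Added example, not FortiWAN code: a static audit of a Virtual Server rule table.
With the first-match scheme, a rule that an earlier rule on the same WAN IP fully
covers can never take effect; and a Detect value of "TCP@" must carry a port.
EXAMPLE_2 is built from the Example 2 table on this page; names are assumptions."""
import re
from typing import List, Optional, Tuple

Pool = List[Tuple[str, str]]     # (server_ip, detect)
Rule = Tuple[str, str, Pool]     # (wan_ip, service, pool)


def _span(service: str) -> Tuple[Optional[str], int, int]:
    """'TCP@2000-3000' -> ('TCP', 2000, 3000); 'UDP@5632' -> ('UDP', 5632, 5632);
    'Any' -> (None, 0, 65535), meaning every protocol and port."""
    if service.strip().lower() == "any":
        return None, 0, 65535
    proto, _, ports = service.partition("@")
    lo, _, hi = ports.partition("-")
    return proto.strip().upper(), int(lo), int(hi or lo)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (later_index, earlier_index) for every rule that an earlier rule on the
    same WAN IP fully covers in protocol and port range, i.e. a rule that can never match."""
    found = []
    for j, (wan_j, svc_j, _) in enumerate(rules):
        proto_j, lo_j, hi_j = _span(svc_j)
        for i in range(j):
            wan_i, svc_i, _ = rules[i]
            proto_i, lo_i, hi_i = _span(svc_i)
            covers_proto = proto_i is None or proto_i == proto_j
            if wan_i == wan_j and covers_proto and lo_i <= lo_j and hi_j <= hi_i:
                found.append((j, i))
                break
    return found


def detect_problems(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (wan_ip, server_ip, detect) for Detect settings the device cannot use:
    anything other than ICMP, No-Detect, or TCP@<port> with a port in 1-65535."""
    bad = []
    for wan_ip, _, pool in rules:
        for server_ip, detect in pool:
            if detect in ("ICMP", "No-Detect"):
                continue
            m = re.fullmatch(r"TCP@(\d{1,5})", detect)
            if m and 1 <= int(m.group(1)) <= 65535:
                continue
            bad.append((wan_ip, server_ip, detect))
    return bad


# Constructed from the Example 2 table on this page.
EXAMPLE_2: List[Rule] = [
    ("211.21.48.194", "TCP@1999", [("192.168.0.100", "ICMP"), ("192.168.0.101", "TCP@1999")]),
    ("211.21.33.186", "TCP@5631", [("192.168.0.15", "ICMP")]),
    ("211.21.33.186", "TCP@5632", [("192.168.0.15", "TCP@5632")]),
    ("211.21.48.194", "TCP@2000-3000", [("192.168.0.15", "ICMP")]),
    ("211.21.48.194", "UDP@2000-3000", [("192.168.0.15", "ICMP")]),
]

# A constructed mis-ordered variant: a catch-all rule for 211.21.48.194 placed first.
MISORDERED: List[Rule] = [("211.21.48.194", "Any", [("192.168.0.15", "ICMP")])] + EXAMPLE_2

if __name__ == "__main__":
    print("Example 2 shadowed:", shadowed_rules(EXAMPLE_2))      # []
    print("Mis-ordered shadowed:", shadowed_rules(MISORDERED))   # [(1, 0), (4, 0), (5, 0)]
    print("Detect problems:", detect_problems(EXAMPLE_2))       # []
```

Run as written, the Example 2 table passes both checks. In the mis-ordered variant the catch-all rule at index 0 swallows the TCP@1999 rule and both 2000-3000 range rules, so the FTP server and host 192.168.0.15 would no longer be reached through the rules written for them; the two 211.21.33.186 rules are unaffected because they sit on a different WAN IP.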