Fortigate 100D, Building a new system with 2 internal servers: 1 website and 1 mail server

Author: armanforti, New Member (joined 2016/09/20)
2016/09/20 07:07:24 (permalink)


Hi everybody,
I would like your help in configuring Fortigate 100D. 
 
My initial configuration was like this.
I put one public IP address (I have more IP addresses) on my FortiGate 100D wan1 and created VIPs with port forwarding.
 
Server-1: running Exchange Server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. Email works, as does OWA, when accessed externally.
Server-2: will be running a web server, so ports 80 and 443 will also be used.
But when I tried to create a VIP for 443 again it FAILED; it said I had already created one, which is the one for the mail server.
 
So I thought, since I have another WAN port, wan2, I can use the other public IP for wan2. So my current configuration is like this:
 
Wan1 will be used only for incoming mail traffic (ports 24 and 443)
Wan2 will be used only for incoming web traffic (ports 80 and 443)
 
x.x.x.x - public ip
y.y.y.y - private ip
 
Wan1: x.x.x.84
Wan2: x.x.x.83
 
Created 2 VIPs for mail and 2 VIPs for web:
mail:
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.83 --> y.y.y.12  port: 80 (web server)
x.x.x.83 --> y.y.y.12  port:443 (web server)
 
I put these in 2 different VIP groups: Mail traffic and web traffic.
 
Created 2 policies:
Mail:
incoming interface : wan1
source address: all
outgoing interface: LAN
destination address: Mail traffic (VIP)
Schedule: always
services: Https, Smtp
Action: accept
NAT NOT ENABLED
 
Web:
incoming interface : wan2
source address: all
outgoing interface: LAN
destination address: web traffic (VIP)
Schedule: always
services: Https, http
Action: accept
NAT NOT ENABLED
 
There is another policy for internal users to surf the internet:
 
internet:
incoming interface : LAN
source address: all
outgoing interface: wan1
destination address: all
Schedule: always
services: all
Action: accept
NAT ENABLED: Use Outgoing Interface Address
 
And finally static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x
 
My questions are:
 
1. Does this configuration work when someone surfs to the company's website or sends mail to us? I mean, when using our website do they get x.x.x.83 --> y.y.y.12, and the same for mail, x.x.x.84 --> y.y.y.11? Do I need to do something else?
 
2. I have read that the public IP used for the incoming mail must also be used for outbound mail (the SMTP server, when initiating traffic towards the Internet, must use the same source IP address).
http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240 
 
Then what should I do? Use policy routes or an IP pool? How should I configure it?
 
3. For me it doesn't matter if LAN users use wan1 or wan2 to surf the internet, but does it matter which port should be used?
 
I appreciate any help. Please advise. :)
 
Thank you.
#1
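An added FortiOS CLI example (not from the poster or from the Fortinet KB article) covering the two points in the post: the second port-443 VIP is accepted only because it sits on a different external IP (x.x.x.83 on wan2 instead of x.x.x.84 on wan1), and an overload IP pool with a dedicated outbound policy makes the mail server's own SMTP connections leave from x.x.x.84, as question 2 requires. Object names, the "LAN" interface name and the x.x.x./y.y.y. addresses are the poster's placeholders or assumed names.

```fortios
# x.x.x./y.y.y. are the poster's placeholders; object names are assumed
config firewall vip
    edit "vip-mail-https"
        set extip x.x.x.84
        set extintf "wan1"
        set portforward enable
        set mappedip "y.y.y.11"
        set extport 443
        set mappedport 443
    next
    edit "vip-web-https"
        # extport 443 is accepted here only because extip differs from the mail VIP
        set extip x.x.x.83
        set extintf "wan2"
        set portforward enable
        set mappedip "y.y.y.12"
        set extport 443
        set mappedport 443
    next
end
config firewall address
    edit "host-mail-server"
        set subnet y.y.y.11 255.255.255.255
    next
end
config firewall ippool
    # single-address pool: outbound SMTP from the mail server is SNATed to x.x.x.84
    edit "pool-mail-out"
        set type overload
        set startip x.x.x.84
        set endip x.x.x.84
    next
end
config firewall policy
    # must sit above the general LAN -> wan1 "internet" policy, or that policy wins
    edit 10
        set name "mail-server-outbound"
        set srcintf "LAN"
        set dstintf "wan1"
        set srcaddr "host-mail-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "pool-mail-out"
    next
end
```

Because the general internet policy uses the outgoing interface address, only this narrower policy needs the pool; verify the source address on the wire with `diagnose sniffer packet wan1 'port 25' 4` while the mail server sends a test message.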