Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ahsan
New Contributor

High Availability of Exch 2016 - Fortinet 61E

Hi,

I have a Fortinet 61E deployed and I want to allow my Exchange server to be able to send and receive emails and OWA.

WAN interface is 200.200.200.1

Exch-1 is 192.168.0.10

Exch-2 is 192.168.0.11

Internally I have DNS round robin, and clients access the servers via URL and randomly access both servers.

For WAN, I have VIP 200.200.200.1 -> 192.168.0.10 (25 -> 25)

I cannot create the same VIP for the other server, as it says the same one already exists.

How can I achieve the following:

VIP 200.200.200.1 -> 192.168.0.10 (25 -> 25)

VIP 200.200.200.1 -> 192.168.0.11 (25 -> 25)

I need to open ports 25 and 443 on the WAN interface and forward traffic to both internal email servers. The Exchange server is a DAG.

Attached is the scenario.

Any help will be much appreciated.

Markus
Valued Contributor

Hi, you can achieve this with load balancing. Maybe you have to enable it first -> System -> Feature Visibility

Then create two virtual servers (smtp(s) and https) and then add the real servers. I'm not quite sure, but for the low-end FortiGates, you need firmware 5.6.x to create https virtual servers.

Best regards, Markus

________________________________________________________
--- NSE 4 ---
________________________________________________________
GusTech

5.6.x and virtual servers work well with low-end 5-9xE devices. Maybe lower also, have not tested.

Fortigate <3
Markus
Valued Contributor

Yes, it works fine with low-end Fortis, but if I remember correctly, with 5.6.0, I was not able to create an https virtual server.

________________________________________________________
--- NSE 4 ---
________________________________________________________
GusTech

mgrosni wrote:

Yes, it works fine with low-end Fortis, but if I remember correctly, with 5.6.0, I was not able to create an https virtual server.

5.6.0 had several bugs, like all other big FortiOS releases. Never run early versions in critical production.

Fortigate <3
romanr
Valued Contributor

Hey,

SSL Offloading for Virtual Servers starts with 100 Series Models.... So only 100Ds or 100Es or bigger can do.

As far as I remember this has always been like that...

Have a look in the platform feature matrix: https://docs.fortinet.com/d/fortigate-fortios-5.6-feature-platform-matrix

Br,

Roman

GusTech

Yes, SSL offloading is only on bigger models, but the "virtual server" feature works perfectly on small models.

Fortigate <3
romanr
Valued Contributor

Correct - But there won't be any Virtual Server with HTTPS on a desktop model.

So you will have to do Layer 4 Load Balancing - Meaning a TCP Port 443 LoadBalance....

Br,

Roman
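
The Layer 4 approach described in the post above, sketched as FortiOS CLI for the addresses in the original question (an added example, not posted by anyone in the thread). The interface names `wan1` and `internal` and all object names are assumptions, and the keys should be checked against the CLI reference for the running firmware. With a plain TCP virtual server, TLS still terminates on the Exchange servers, so the FortiGate balances connections without seeing the HTTP inside.

```fortios
# Added example. Object names, "wan1" and "internal" are assumed, not from the thread.
# Health check: a real server that stops answering on TCP 443 is taken out of rotation.
config firewall ldb-monitor
    edit "exch-tcp-443"
        set type tcp
        set port 443
    next
end
# One virtual server on the WAN address with both DAG members as real servers.
# A second virtual server for SMTP follows the same pattern with port 25.
config firewall vip
    edit "exch-https-lb"
        set type server-load-balance
        set extip 200.200.200.1
        set extintf "wan1"
        set server-type tcp
        set ldb-method round-robin
        set extport 443
        set monitor "exch-tcp-443"
        config realservers
            edit 1
                set ip 192.168.0.10
                set port 443
            next
            edit 2
                set ip 192.168.0.11
                set port 443
            next
        end
    next
end
# Inbound policy limited to the virtual server and the one service it publishes.
config firewall policy
    edit 0
        set name "wan-to-exchange-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "exch-https-lb"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```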

Markus
Valued Contributor

Fortinet added SSL offloading also to desktop models (I think it was 5.6.2 or 3). I've tested it with my 60E (5.6.3, see image). @BrUz, full ack, never use x.0 releases in critical environments.

________________________________________________________
--- NSE 4 ---
________________________________________________________
ahsan
New Contributor

I am using a 61-E with firmware 5.6.3. Can't see SSL offloading. Please see the screenshot.
