Server Load Balancing for HTTPs with no certs installed on Fortigate [Solved]
Hello forum members,
Load balancing to https servers is bit new for me. I have done in the past regular http load balancing.
I was under the impression that with certificates on the servers and incoming https requests being sent to one or the other real server should have nothing to do with FortiGate needing certs on it as we are not really terminating https on firewall, but simply relaying the requests over to two inside servers. But when I tried to configure virtual server, it requires SSL offloading and that of course will require certificate on FortiGate.
So why is it mandatory for FortiGate to do SSL offloading for load balancing?
The two inside servers are windows IIS with few websites that are duplicated on them. I assume, worst case, I need to have customer export already installed certs on these two boxes as PFX bundle and then split those into their constituent private key and public (cert) and then import into FortiGate and then use those certs (or rather I should only need one cert) for this seemingly mandatory SSL offloading. There are two options of SSL offload. One is client to FortiGate and other is full. Since client to FortiGate option will probably require firewall to talk to servers on port 80 (which will not work as web servers have http to https redirect set up in IIS), how does full offloading then work? Will it use 443 on backend as well?
Thank you all in advance for some advice on this.
post edited by DevinderSharma - 2021/03/16 13:46:51