Specifying client-side sessions
Sessions for the virtual server’s connections with each client are configurable. In deployments where a reverse proxy such as FortiWeb is between the client and FortiADC, the source address at the IP layer is the same for every connection, so all sessions might appear to come from a single source: the FortiWeb’s private network address. As a result, the client-side session would never expire, and all session resources would be constrained by that single session. To avoid this, you can configure FortiADC to use X-Forwarded-For: or another similar HTTP header to derive the original client’s source IP address.
To configure how FortiADC will determine the client’s IP address, and to change the session timeout for the client-side connection, go to Server Load Balance > Profiles.
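The following added example (not FortiADC's implementation and not part of the original handbook) sketches how a client address can be derived from X-Forwarded-For: without letting clients pick their own session key: the header is honoured only when the connection comes from the reverse proxy, and the hop chain is read from the right. The subnet in TRUSTED_PROXIES, the function names, and the sample addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed value (assumption): private subnet of the reverse-proxy tier,
# e.g. where the FortiWeb's private network address lives.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr, trusted):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_values, trusted=TRUSTED_PROXIES):
    """Return the address to key the client-side session on.

    peer       -- source address of the TCP connection as seen by the balancer
    xff_values -- list of X-Forwarded-For header values, in the order received
    """
    peer_addr = ipaddress.ip_address(peer)
    # Honour the header only when the connection itself comes from a trusted
    # proxy; a direct client could otherwise claim any address it likes.
    if not _is_trusted(peer_addr, trusted):
        return str(peer_addr)

    # Flatten repeated headers and comma-separated lists into one hop chain.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

    # Walk right to left: the rightmost entries were appended by our own
    # proxies, so the first untrusted hop is the nearest verifiable client.
    # Anything further left was supplied by that client and is ignored.
    candidate = peer_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could parse
        candidate = addr
        if not _is_trusted(addr, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed case: the client forged "1.2.3.4"; the proxy appended the real peer.
    print(client_ip("10.0.0.5", ["1.2.3.4, 198.51.100.9"]))
```

Reading the leftmost entry instead would let any client choose the address its session is tracked under, which defeats per-client session limits and timeouts.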
Configuring offloading of client-side SSL/TLS sessions
When load balancing HTTPS requests, FortiADC often should decrypt packets, acting as an SSL terminator, or act as an SSL switch and perform content routing. With offloading, FortiADC terminates SSL/TLS on the client-side session and omits encryption from the server-side session, so traffic between FortiADC and the back-end servers is not encrypted.
Before it can do this, however, you must first upload the private key, certificate, and other files. See “How to offload HTTPS”.
After you have uploaded the files, go to Server Load Balance > Profiles > Profile to select the certificate that FortiADC will use. Enable the SSL option, then select the certificate, signing chain (if not already included in the certificate), and client certificate verifier (if the client will be presenting its own certificate for bilateral authentication).