Specifying client-side sessions
You can configure sessions for the virtual server's connections with each client. In deployments where a reverse proxy such as FortiWeb sits between the client and FortiADC, all sessions may appear, from the perspective of the source address in the IP layer, to come from a single source: the FortiWeb's private network address. As a result, the client-side session would never expire, and all session resources would be constrained by that single session. To avoid this, you can configure FortiADC to use the X-Forwarded-For: header, or a similar HTTP header, to derive the original client's source IP address.
In addition, when the Source Address option is enabled, the HTTP virtual server uses the client's source IP address to set up the connection to the back-end server.
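The session-collapse problem above, and the header-based derivation that avoids it, shown as an added example (not FortiADC code): with a constructed set of connections from an assumed proxy network, sessions keyed on the transport address all fall into one bucket, while sessions keyed on an address derived from X-Forwarded-For are separated per client. The header is honoured only when the peer is a trusted proxy, and the chain is walked from the right so that a client cannot pick its own session key.

```python
import ipaddress
from collections import defaultdict

# Assumed private network of the reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample: a proxy at 10.0.0.5 forwards several clients' requests,
# so at the IP layer every one of those connections appears to come from 10.0.0.5.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
    ("10.0.0.5", {"X-Forwarded-For": "198.51.100.22, 10.0.0.5"}),
    ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
    ("10.0.0.5", {}),                                     # proxy sent no header
    ("192.0.2.9", {"X-Forwarded-For": "203.0.113.50"}),   # direct client; header untrusted
]

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_address(peer: str, headers: dict) -> str:
    """Derive the original client address from the connection's peer and headers.

    X-Forwarded-For is used only when the peer is a trusted proxy. The chain is
    walked from the right, skipping trusted hops, so the chosen value was set by
    the last trusted proxy rather than supplied by the client itself.
    """
    if not is_trusted(peer):
        return peer
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                # malformed entry: stop and fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer                  # no usable untrusted hop: key on the proxy address

def session_keys(connections, use_header: bool) -> dict:
    """Count connections per session key, with or without header derivation."""
    counts = defaultdict(int)
    for peer, headers in connections:
        key = client_address(peer, headers) if use_header else peer
        counts[key] += 1
    return dict(counts)
```

Without the header, four of the five connections share the proxy's single session key; with it, each client gets its own key and only the header-less connection remains attributed to the proxy.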
To configure how FortiADC determines the client's IP address, and to change the session timeout for the client-side connection, go to Server Load Balance > Profiles.
The Queue Timeout setting specifies how long connection requests to a back-end server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client.
Configuring offloading of client-side SSL/TLS sessions
When load balancing HTTPS requests, FortiADC typically must decrypt the traffic, either acting as an SSL terminator or acting as an SSL switch that performs content routing. When offloading, FortiADC terminates SSL/TLS on the client-side session and leaves the server-side session unencrypted.
Before it can do this, however, you must first upload the private key, certificate, and other files. See "How to offload HTTPS".
After you have uploaded the files, to select the certificate that FortiADC uses, go to Server Load Balance > Profiles > Profile. Create an HTTPS profile that specifies the certificate, the signing chain (if not already included in the certificate), and the client certificate verifier (if clients present their own certificate for bilateral authentication).