Specifying client-side sessions
You can configure sessions for the virtual server’s connections with each client. In deployments where a reverse proxy such as FortiWeb sits between the client and FortiADC, all sessions might appear, at the IP layer, to come from a single source address: the FortiWeb’s private network address. As a result, the client-side session would never expire, and all session resources would be constrained by that single session. To avoid this, you can configure FortiADC to use X-Forwarded-For: or another similar HTTP header to derive the original client’s source IP address.
In addition, when the Source Address option is enabled, the HTTP virtual server uses the client’s source IP address to set up the connection to the back-end server.
 
For L2 Load Balance virtual servers, the connection to the back-end server is set up using the client’s IP address by default. Therefore, do not enable the Source Address option for profiles applied to L2 Load Balance virtual servers.
To configure how FortiADC determines the client’s IP address and to change the session timeout for the client-side connection, go to Server Load Balance > Profiles.
 
Layer 2 virtual servers support the TCPS, HTTP, and HTTPS profile types only.
The Queue Timeout setting specifies how long connection requests to a back-end server remain in a queue if the server has reached its maximum number of connections. If the timeout period expires before the client can connect, FortiADC drops the connection and sends a 503 error to the client.
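The X-Forwarded-For derivation described above, as an added Python example (an illustration of the general technique, not FortiADC's code or configuration). The header is honored only when the IP-layer peer is a known reverse proxy, and the list is read right to left so that entries a client injected itself are not taken as its address. The trusted network 10.0.5.0/24 and the function names are constructed for the example.

```python
import ipaddress

# Constructed value: the private network the reverse proxy (e.g. FortiWeb) connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]


def _is_trusted(addr, trusted):
    # Membership is False when address and network IP versions differ.
    return any(addr in net for net in trusted)


def derive_client_ip(peer_ip, xff_headers, trusted=TRUSTED_PROXIES):
    """Return the address to key the client-side session on.

    peer_ip     -- source address seen at the IP layer
    xff_headers -- list of X-Forwarded-For header values, in received order
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by a peer we do not trust is client-controlled: ignore it.
    if not _is_trusted(peer, trusted):
        return str(peer)

    # Multiple header lines are equivalent to one comma-joined list.
    hops = [h.strip() for value in xff_headers for h in value.split(",") if h.strip()]

    candidate = peer
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep the last address we could parse
        candidate = addr
        if not _is_trusted(addr, trusted):
            break  # first hop outside our proxies is the client as the proxy saw it
    return str(candidate)
```

Without the trusted-peer check, any client that connects directly could set the header and choose the address its session is accounted under.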
Configuring offloading of client-side SSL/TLS sessions
When load balancing HTTPS requests, FortiADC often should decrypt packets, acting as an SSL terminator, or act as an SSL switch and perform content routing. Offloading means that FortiADC terminates SSL/TLS on the client-side session and omits encryption from the server-side session.
Before it can do this, however, you must first upload the private key, certificate, and other files. See “How to offload HTTPS”.
After you have uploaded the files, to select the certificate that FortiADC uses, go to Server Load Balance > Profiles > Profile. Create an HTTPS profile that specifies the certificate, signing chain (if not already included in the certificate), and client certificate verifier (if clients present their own certificate for bilateral authentication).