Configuring a Cluster for Direct Server Return

The cluster dsr and spoof flags must be enabled for direct server return connections. In addition, the cluster idle timeout parameter should be set as described in the table below:

dsr

Enables Direct Server Return. All requests to this cluster IP will be forwarded to the server with the client IP as the source IP, and the cluster IP as the destination IP. The loopback interface of the server must be configured with the cluster IP to receive the requests.

spoof

Causes FortiADC to spoof the client IP address when it routes a request to a server in a virtual cluster; that is, the IP address of the client is sent to the server, not the IP address of FortiADC. This flag must be enabled for DSR.

idle timeout

The time in seconds before FortiADC reclaims idle Layer 4 connection records. Applies to Layer 4 TCP clusters only. For DSR, idle timeout must be set to a non-zero value, or FortiADC will never reclaim connection records for connections terminated by the server. Because FortiADC does not see server packets on DSR connections, set the cluster's idle timeout to the longest period within your application that you would like FortiADC to wait between consecutive messages from the client. For example, if the longest expected server response time and the longest expected delay between client responses on active connections are both 60 seconds, then set the idle timeout to 120 seconds.

The general procedure for configuring DSR on a new or existing cluster is as follows:

  1. Enable the dsr and spoof flags on the cluster.
  2. If the cluster is a Layer 4 TCP cluster and the idle timeout parameter is set to 0, increase it as described in the table above.
  3. Perform the procedure on each server in the server pool associated with the cluster.
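
One way to meet the loopback requirement described under dsr on a Linux server, with a check that can be run afterwards (an added example, not taken from the FortiADC documentation). Assumptions: Linux with iproute2 and sysctl, 192.0.2.10 standing in for the cluster IP, hypothetical function names, and ARP suppression for the cluster IP, which this page does not mention but which a server holding that address on loopback needs so that it does not answer ARP for it.

```shell
#!/bin/sh
# Added example: plan and verify the DSR loopback address on a Linux real server.
# Assumed: iproute2 + sysctl; 192.0.2.10 is a documentation address, not a real cluster IP.

# valid_ipv4 ADDR: exit 0 only for a dotted-quad IPv4 address (rejects shell metacharacters).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NR > 1 || NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# dsr_plan VIP: print the commands to run as root on the server.
# ARP settings come first so the server never answers ARP for the cluster IP,
# then the address is added as a /32 so no extra subnet becomes "local" on lo.
dsr_plan() {
    valid_ipv4 "$1" || { echo "invalid cluster IP: $1" >&2; return 2; }
    cat <<EOF
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
ip addr add $1/32 dev lo label lo:dsr
EOF
}

# dsr_check VIP: reads `ip -o -4 addr show dev lo` output on stdin;
# exit 0 only if VIP is bound to lo as a /32 host address.
dsr_check() {
    valid_ipv4 "$1" || return 2
    awk -v want="$1/32" '$2 == "lo" && $3 == "inet" && $4 == want { found = 1 }
                         END { exit found ? 0 : 1 }'
}

# Constructed sample of `ip -o -4 addr show dev lo` after the plan has been applied.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 192.0.2.10/32 scope global lo:dsr\       valid_lft forever preferred_lft forever'

dsr_plan 192.0.2.10
printf '%s\n' "$SAMPLE" | dsr_check 192.0.2.10 && echo "192.0.2.10 is bound to lo as /32"
```

On a live server, replace the sample with `ip -o -4 addr show dev lo | dsr_check <cluster IP>`; the sysctl values do not persist across reboots unless also written to the system's sysctl configuration.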