A real server SSL profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.
Figure 22 illustrates the basic idea of client-side and server-side profiles.
Table 3 provides a summary of the predefined profiles. You can select a predefined profile in the real server pool configuration, or you can create a user-defined profile. Profiles whose names include SSLV2 or SSLV3 exist for back-end servers that cannot negotiate anything newer; where the real server supports TLS, prefer a profile that does not allow those deprecated versions.
Profile | Defaults |
---|---|
LB_RS_SSL_PROF_DEFAULT | |
LB_RS_SSL_PROF_ECDSA | |
LB_RS_SSL_PROF_ECDSA_SSLV3 | |
LB_RS_SSL_PROF_ECDSA_TLS12 | |
LB_RS_SSL_PROF_ENULL | Recommended for Microsoft DirectAccess servers where the application data is already encrypted and no further encryption is needed. |
LB_RS_SSL_PROF_HIGH | |
LB_RS_SSL_PROF_LOW_SSLV2 | |
LB_RS_SSL_PROF_LOW_SSLV3 | |
LB_RS_SSL_PROF_MEDIUM | |
NONE | |
Before you begin:

You can clone a predefined configuration object to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.
Settings | Guidelines |
---|---|
Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the real server pool configuration. Note: After you initially save the configuration, you cannot edit the name. |
SSL | Enable/disable SSL for the connection between the FortiADC and the real server. Note: The following fields become available only when SSL is enabled. |
Customized SSL Ciphers Flag | Enable/disable use of user-specified cipher suites. When enabled, you must specify Customized SSL Ciphers (see below). |
Customized SSL Ciphers | If the Customized SSL Ciphers Flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed; if empty, the default cipher suite list is used. The names you enter are validated against the form of the cipher suite short names published on the OpenSSL website. |
SSL Cipher Suite List | Ciphers are listed from strongest to weakest. We recommend retaining the default list. If necessary, you can deselect ciphers you do not want to support. |
Allow SSL Versions | Select the SSL/TLS versions that are allowed for the connection. |
Certificate Verify | Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and may include OCSP and CRL checks. Without such an object, the server-side connection is encrypted but the identity of the real server is not checked, so configure one whenever the FortiADC-server segment crosses a network you do not fully control. |
SNI Forward Flag | Enable/disable forwarding the client SNI value to the server. The SNI value is forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded. |
Session Reuse Flag | Enable/disable SSL session reuse. |
Session Reuse Limit | Limit on SSL session reuse. The default is 0 (disabled). The valid range is 0 to 1048576. |
TLS Ticket Flag | Enable/disable TLS ticket-based session reuse (resumption using session tickets issued by the real server rather than a server-side session cache). |
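The Customized SSL Ciphers field takes a colon-separated list of OpenSSL short names, and the appliance only checks that each entry has the form of such a name. The following added example, which is not FortiADC's own code or its validator, pre-checks a cipher string of that shape on a workstation before it is pasted into the profile: it asks the local OpenSSL build, through Python's `ssl` module, which names actually resolve to a suite, reports names that do not, and flags suites matching a constructed list of weak markers (NULL, RC4, DES/3DES, MD5, export and anonymous key exchange). The function names, the marker list and the sample cipher strings are assumptions for illustration; what resolves also depends on the OpenSSL version and security level on the machine running the check, so treat "unknown" as "not on this host", not as "rejected by FortiADC".

```python
import re
import ssl

# Constructed heuristic: tokens that mark a suite as weak or inappropriate for
# the server-side leg. Not exhaustive and not FortiADC's own classification.
# Matches whole dash-separated tokens, so "AES128" does not trip the DES rule.
WEAK_MARKERS = re.compile(r"(^|-)(NULL|RC4|DES|3DES|MD5|EXP|ADH|AECDH)(-|$)")


def parse_cipher_list(cipher_string):
    """Split the FortiADC-style colon-separated list into an ordered list of names.

    Empty tokens are dropped; an empty string yields [] (meaning "use the default list").
    """
    return [name for name in cipher_string.split(":") if name]


def validate_ciphers(cipher_string):
    """Check a cipher string against the local OpenSSL build.

    Returns a dict with:
      accepted - names OpenSSL resolved, in the order given
      unknown  - names OpenSSL silently ignored (it only errors when nothing resolves)
      weak     - names matching WEAK_MARKERS, whether or not they resolved
      error    - OpenSSL's message if the whole string was rejected, else None
    """
    names = parse_cipher_list(cipher_string)
    result = {"accepted": [], "unknown": [], "weak": [], "error": None}
    if not names:
        return result

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # OpenSSL parses the string here; it raises only if no suite survives.
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        result["error"] = str(exc)
        return result

    # get_ciphers() lists what OpenSSL kept, so unknown names show up as missing.
    enabled = {c["name"] for c in ctx.get_ciphers()}
    for name in names:
        if name in enabled:
            result["accepted"].append(name)
        else:
            result["unknown"].append(name)
        if WEAK_MARKERS.search(name):
            result["weak"].append(name)
    return result


def report(cipher_string):
    """Human-readable summary, suitable for a quick check before editing the profile."""
    r = validate_ciphers(cipher_string)
    if r["error"]:
        return "REJECTED: %s" % r["error"]
    lines = ["accepted: %s" % ", ".join(r["accepted"]) if r["accepted"] else "accepted: (none)"]
    if r["unknown"]:
        lines.append("unknown on this host: %s" % ", ".join(r["unknown"]))
    if r["weak"]:
        lines.append("weak (reconsider): %s" % ", ".join(r["weak"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample strings: one sound list, one with a typo and a weak suite,
    # and one that is entirely bogus.
    for sample in (
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA25:RC4-SHA",
        "NOT-A-CIPHER",
    ):
        print("== %s" % sample)
        print(report(sample))
```

The second sample shows the failure mode that matters here: a single mistyped name does not make OpenSSL (or, by the page's description, FortiADC) reject the string, it just drops that suite, so a list can silently shrink to something weaker than intended. The NULL marker also catches the cipher style used by the LB_RS_SSL_PROF_ENULL profile, which is only appropriate when the application data is already encrypted.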