
FortiDirector Deployment Guide · 2015. 3. 12.


www.fortinet.com

Deployment Guide : FortiDirector with FortiMail, FortiGate VPN, FortiWeb and CDNs

FortiDirector Deployment Guide
Expanding and Enhancing Fortinet Services and CDNs Using FortiDirector

Horizontal scalability is a key factor in the design of Internet services and solutions for enterprise and carrier networks. In what can often be an unstable Internet environment, the ability to easily add new network resources and applications is crucial for many business processes, policies, and procedures, such as those for disaster recovery and business continuity.

Without this flexibility, business demands often force enterprises to upgrade to bigger and more powerful devices. These upgrades can be costly and add significantly to total cost of ownership (TCO) without addressing the issues of failover and service availability.

Fortinet already offers customers the ability to increase overall performance and enhance reliability using FortiGate’s High Availability feature, which keeps network traffic flowing by clustering multiple FortiGate devices so that traffic continues through the remaining active units if one fails. Now FortiDirector’s Global Traffic Management (GTM) features extend this model beyond the data center, enabling customers to create new types of multi-tenant architectures and engage in big-picture thinking for the delivery of network applications and services.

Easily scale your infrastructure with FortiDirector
No matter how large or small your application environment, you can easily expand your applications without the need to deploy additional hardware.


Add Scalability with FortiDirector
FortiDirector is a cloud-based approach to solving the complexities of expanding resources and applications across multiple data centers for disaster recovery, improved performance and reduced delivery costs. Unlike traditional application delivery solutions, FortiDirector provides an always-on, always-available, hosted GSLB solution that doesn’t require a device at every data center location.

Through a fortidirector.com account, rules can be set up based on network elements, geography, time of day or custom HTTP conditions to meet the needs of any business. With advanced health checking mechanisms, FortiDirector can accommodate almost any load balancing requirement or failover scenario to keep mission-critical applications available.

FortiDirector Benefits

FortiDirector’s rule-based redirection and health checking mechanism allows you to:

• Scale client infrastructure horizontally using applications and services located in multiple colocation or other types of data centers, without the limitations of vertical-scale solutions that are restricted to a single location

• Leverage all models and versions of Fortinet appliances and services to add service resiliency and deploy best-practice multi-tenant Business Continuity Planning (BCP) and Disaster Recovery (DR) models

• Extend the capacity of legacy devices using FortiDirector’s “weighted-round-robin” approach to load balancing, which maximizes the utilization of higher-performing devices

• Ensure the best performance for employees and clients by directing them to the source that is closest to them geographically (“geo-closest”)

• Configure both simple and complex backup GTM scenarios, such as mail redirection with a preferred and a backup server

• Build or develop new and improved features and functionality

The following scenario descriptions and solutions pair FortiDirector with other Fortinet products and Content Delivery Networks to illustrate how you can scale applications and services across multiple data centers.

• FortiDirector with FortiMail for a Multitenant Mail Server Failover Configuration

• FortiDirector with FortiGate VPN for Reliable and Improved VPN Performance

• FortiDirector with FortiWeb for Secure Web Presence with Backup

• FortiDirector and Content Delivery Networks (CDNs)

FortiDirector Delivers
FortiDirector provides load-sharing and failover functionality with a reach and level of resiliency that exceeds that of traditional, device-based solutions.


Scenario: FortiDirector with FortiMail for a Multitenant Mail Server Failover Configuration
FortiMail’s High Availability feature allows two appliances, a primary appliance and a secondary backup appliance, to work as a pair: the primary appliance accepts connections and traffic for SMTP, POP and IMAP; the backup does not accept connections or traffic as long as the primary appliance is up and running.

This scenario is effective for handling incoming email from servers outside of the organization. However, it can create problems when employees’ individual mail clients use a single hostname for sending and receiving mail (for example, mail.company.com) and the primary server goes offline or is unreachable. As a result, employees cannot access or send mail and business grinds to a halt.

Existing solutions require you to change or update the DNS entries for mail.company.com and are subject to the expiration TTLs on DNS records and recursive DNS caches. Alternatively, you can redirect email to external cloud services such as Google Apps, outside the organization’s security controls. Both methods delay moving mail clients to the backup server, prolonging the loss of productivity and weakening corporate security.

In addition, it is becoming increasingly popular for enterprises to install their secondary mail servers in a separate location to provide further protection against infrastructure failure. With the two appliances in different locations, the high availability pairing may not be a viable option.

[Figure: FortiDirector detects the failed server and redirects traffic. The Rule Set for mail.mycompany.com answers with the healthy server (✓) and skips the failed one (✗)]

Solution
Configure FortiDirector to detect when the primary server is down or unreachable and send mail clients to the secondary server until the primary server is back online.

FortiDirector and FortiMail
Use FortiDirector with FortiMail to provide seamless routing of internal and external traffic should a primary FortiMail server go offline.


Configuration
The customer adds the following two entries to the DNS zone file for mycompany.com (the @ owner name stands for the zone apex, mycompany.com itself):

    @    IN MX 10 mail.mycompany.com.
    mail IN NS    r0.r1cd.com.

The MX record keeps external mail servers delivering to mail.mycompany.com. The NS record delegates the name mail.mycompany.com to the FortiDirector DNS servers at r0.r1cd.com, which instructs recursive DNS servers to ask FortiDirector to resolve it. Any existing A record for mail in this zone should be removed: below a delegation, FortiDirector’s answer is the authoritative one.

In FortiDirector, the customer creates the following items:

• A Network Resource item for each of the two servers. Both Network Resource items are configured to check the health of the server using an appropriate TCP port.

• A DNS Rule Set that uses the primary server as the preferred destination and the secondary server as the failover destination.

To complete the configuration:

• Mail clients are configured to fetch and send mail via mail.mycompany.com.

• Both FortiMail appliances are configured to answer for mail.mycompany.com for services such as webmail, and have a matching SSL certificate.

The system can be tested by causing the primary server to fail the FortiDirector healthcheck. This failure should cause the secondary server to become active and FortiDirector to answer requests to resolve mail.mycompany.com with the IP address of the secondary mail server.

On average, a FortiDirector failover occurs 90 seconds from device failure.
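The preferred/failover rule set above, as an added example that is not FortiDirector or Fortinet code: a small Python model of the decision the DNS Rule Set makes (answer with the primary while it passes the health check, otherwise with the secondary), with a TCP-connect health check of the kind the guide describes. The appliance names, addresses and port are assumptions, and the probe is injectable so the logic can be exercised offline.

```python
"""Model of the FortiMail failover rule set.

Added example, not FortiDirector code. Hostnames, addresses and the
checked port are assumptions (documentation address ranges).
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class NetworkResource:
    """One FortiMail appliance as FortiDirector would model it."""
    name: str
    ip: str
    port: int          # TCP port the health check connects to (e.g. 25 or 443)


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Health check of the kind the guide describes: a TCP connect to an
    appropriate port.  A successful connect only proves a listener exists;
    it says nothing about CPU load or whether the MTA is actually
    delivering mail (see the Limitations section)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_health(resources: List[NetworkResource],
                 probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, bool]:
    """Run the probe against every resource and return name -> healthy."""
    return {r.name: probe(r.ip, r.port) for r in resources}


def resolve_failover(ordered: List[NetworkResource],
                     health: Dict[str, bool]) -> Optional[str]:
    """Preferred/failover rule: walk the resources in priority order and
    return the IP of the first one that is healthy.  None means every
    destination failed, the case an operator must alert on, because a
    DNS answer still has to be produced for mail.mycompany.com."""
    for r in ordered:
        if health.get(r.name, False):
            return r.ip
    return None


# Constructed inventory (assumption): primary in one data center, backup in another.
PRIMARY = NetworkResource("fortimail-primary", "203.0.113.10", 25)
SECONDARY = NetworkResource("fortimail-secondary", "198.51.100.10", 25)
MAIL_RULESET = [PRIMARY, SECONDARY]   # list order is the preference order


def answer_for_mail(health: Dict[str, bool]) -> Optional[str]:
    """What mail.mycompany.com should resolve to under the given health."""
    return resolve_failover(MAIL_RULESET, health)


if __name__ == "__main__":
    # Live run: probes the documentation-only addresses above, which fail
    # offline, so this prints None unless you point them at real hosts.
    print(answer_for_mail(check_health(MAIL_RULESET)))
```

The failover time a mail client actually sees is the detection time plus whatever is left of the TTL on the answer its resolver cached before the failure, so the failover test described above should be run from a client behind the real recursive resolver, not only from the FortiDirector console.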


Scenario: FortiDirector with FortiGate VPN for Reliable and Improved VPN Performance
It is common for companies with a presence in multiple geographic regions to install VPN endpoints in each region to improve performance for telecommuters or to establish secure communications on mobile devices. The ability to securely connect to corporate networks is increasingly important to support employees that work from home, while travelling, from coffee shops or other non-traditional environments.

While it may be acceptable for a small-scale business to configure a VPN client with a single endpoint for connections, for large-scale enterprises it has become increasingly necessary to find better solutions for workers that travel often. This is especially true for organizations that have grown internationally or are looking to do so, where the work of high-level employees is often hampered by inadequate network access.

[Figure: FortiDirector directs traffic to the geographically closest VPN node]

Solution
Configure FortiDirector to automatically connect mobile clients with the FortiGate VPN server that is geographically nearest to their current location.

Geographic distance correlates closely with latency. By connecting to the closest VPN server, client communications (e-mail, instant messaging, and so on) travel between corporate locations over the customer’s own private network. And because FortiDirector’s healthcheck mechanism automatically removes any unresponsive VPN endpoint from the pool, the user experience is unchanged during maintenance periods. Less traffic travels on the Internet at large, the VPN connection is more reliable, and communication is more responsive.

Configuration
The customer adds the following entry to their DNS zone file for mycompany.com:

    vpn IN NS r0.r1cd.com.

The customer’s VPN clients are configured to connect to vpn.mycompany.com.

FortiDirector and FortiGate VPN
Extend VPN access to your employees no matter where they are on the globe with FortiDirector.


In FortiDirector, the customer creates the following items:

• A Network Resource item for each VPN endpoint, specifying its IP address and location. Each Network Resource has a healthcheck configuration that connects to the appropriate VPN TCP port.

• A DNS Rule Set for vpn.mycompany.com with a single rule that sends all requests to those Network Resource items using the geo-closest redirect type. FortiDirector automatically removes any VPN server that fails the healthcheck from the pool and routes new requests to the remaining endpoints.
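The geo-closest rule above, as an added example that is not FortiDirector or Fortinet code: a Python model that drops endpoints failing their health check and then answers with the nearest remaining one by great-circle distance, so the failover-to-next-nearest behaviour can be checked offline. The endpoint names, addresses and coordinates, and the client locations used to exercise it, are constructed assumptions; how FortiDirector itself measures distance is not described in the guide.

```python
"""Geo-closest selection for vpn.mycompany.com.

Added example, not FortiDirector code.  Endpoint locations, addresses
and client coordinates are constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class VpnEndpoint:
    name: str
    ip: str
    lat: float
    lon: float


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def geo_closest(endpoints: List[VpnEndpoint], client: Tuple[float, float],
                health: Dict[str, bool]) -> Optional[VpnEndpoint]:
    """Return the nearest endpoint that currently passes its health check.
    Unhealthy endpoints are removed from the pool before the distance
    comparison, so a failed region falls through to the next nearest one
    instead of being answered with a dead address."""
    pool = [e for e in endpoints if health.get(e.name, False)]
    if not pool:
        return None
    return min(pool, key=lambda e: haversine_km(client, (e.lat, e.lon)))


# Constructed pool (assumption): one FortiGate VPN endpoint per region.
VPN_POOL = [
    VpnEndpoint("vpn-us-west", "203.0.113.20", 37.39, -122.08),   # Sunnyvale
    VpnEndpoint("vpn-eu-central", "198.51.100.20", 50.11, 8.68),  # Frankfurt
    VpnEndpoint("vpn-ap-southeast", "192.0.2.20", 1.29, 103.85),  # Singapore
]


def answer_for_vpn(client: Tuple[float, float], health: Dict[str, bool]) -> Optional[str]:
    """IP that vpn.mycompany.com should resolve to for this client location."""
    chosen = geo_closest(VPN_POOL, client, health)
    return chosen.ip if chosen else None


if __name__ == "__main__":
    everything_up = {e.name: True for e in VPN_POOL}
    print(answer_for_vpn((48.8566, 2.3522), everything_up))   # a client in Paris
```

One caveat that applies to any DNS-based geo rule: the location the rule sees is that of the recursive resolver that sends the query, not of the end device. A travelling employee whose laptop still uses a corporate resolver at home will be placed with that resolver, so VPN clients should use the local network's resolver (or the rule should be tested from the resolvers employees actually use).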


Scenario: FortiDirector with FortiWeb for Secure Web Presence with Backup
The FortiWeb Web Application Firewall is very effective at protecting web-based applications and Internet-facing data. FortiDirector gives customers greater flexibility as they grow their FortiWeb presence. For example, FortiDirector can add automatic failover between FortiWeb devices when one data center or server fails, or routing that directs clients to a data center based on geographic distance.

[Figure: FortiDirector directs traffic to multiple FortiWeb devices behind FortiGate firewalls, in front of the web application servers]

Solution
A customer has a single FortiWeb device in a data center on the West Coast of the United States. Clients on the East Coast and in Asia and Europe are experiencing severe lag. Furthermore, the device is at or over capacity. The customer can upgrade their FortiWeb, but this does not address the latency experienced by international customers. A better solution is to use FortiDirector with multiple FortiWeb deployments in the appropriate regions.

The customer buys three more identical FortiWeb devices and installs them in data centers in central locations on the East Coast and in Asia and Europe. Because the load is now distributed among four locations, the original FortiWeb device is no longer over capacity and latency is reduced for clients in each region, providing a better customer experience. If any of the FortiWeb appliances fails the healthcheck, FortiDirector automatically redirects traffic to one of the remaining devices. This automatic redirection increases the customer’s BCP and DR capabilities while decreasing the complexity of those processes.

FortiDirector and FortiWeb
Route web traffic to the closest data center or provide disaster recovery should a data center or server fail.


Configuration
There are two methods for pairing FortiWeb and FortiDirector: DNS and HTTP.

The DNS solution provides better performance than the HTTP one and is recommended for sites with many assets. The HTTP-based redirection, however, can act on client headers, query strings and URL paths, so it provides the greatest flexibility.

To configure the DNS solution, the customer delegates the service hostname in their DNS zone file. For example:

    www IN NS r0.r1cd.com.

Then, the customer does the following:

• Configures all of the FortiWeb devices to serve www.mycompany.com.

• Enters the FortiWeb IP addresses in FortiDirector as DNS Network Resources.

• Configures healthchecks for each Network Resource item.

• Creates a single DNS Rule Set for www.mycompany.com that configures all four FortiWeb devices as destinations with the geo-closest redirect type.
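The HTTP method mentioned above, as an added example that is not FortiDirector or Fortinet code: a Python model of a first-match rule list that inspects client headers, the URL path and the query string and answers with a 302 to the chosen FortiWeb site. The rules and the regional hostnames are constructed assumptions. The property worth copying from it is that the redirect target always comes from a fixed table keyed by rule, never from anything the client sent, which is what keeps a redirector of this kind from becoming an open redirect.

```python
"""HTTP-based redirection rules for www.mycompany.com.

Added example, not FortiDirector code.  Rule contents and the regional
hostnames are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Fixed table of sites (assumption).  Only values from here ever reach Location.
SITES: Dict[str, str] = {
    "us-west": "https://www-usw.mycompany.com",
    "us-east": "https://www-use.mycompany.com",
    "eu": "https://www-eu.mycompany.com",
    "asia": "https://www-asia.mycompany.com",
}
DEFAULT_SITE = "us-west"


@dataclass(frozen=True)
class Request:
    method: str
    url: str                    # path plus query, e.g. "/shop/cart?region=eu"
    headers: Dict[str, str]     # header names lower-cased by the caller

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> Dict[str, List[str]]:
        return parse_qs(urlsplit(self.url).query)


Condition = Callable[[Request], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    site: str                   # key into SITES, deliberately not a URL


def header_equals(name: str, value: str) -> Condition:
    return lambda r: r.headers.get(name.lower(), "").lower() == value.lower()


def path_prefix(prefix: str) -> Condition:
    return lambda r: r.path.startswith(prefix)


def query_param(name: str, value: str) -> Condition:
    return lambda r: value in r.query.get(name, [])


def accept_language_primary(lang: str) -> Condition:
    """True when the first tag in Accept-Language starts with `lang`."""
    def check(r: Request) -> bool:
        first = r.headers.get("accept-language", "").split(",")[0].strip().lower()
        return first.startswith(lang.lower())
    return check


# Evaluated top to bottom, first match wins (constructed rules).
RULES: List[Rule] = [
    Rule("explicit-region-eu", query_param("region", "eu"), "eu"),
    Rule("api-stays-east", path_prefix("/api/"), "us-east"),
    Rule("german-speakers", accept_language_primary("de"), "eu"),
    Rule("cdn-edge-asia", header_equals("X-Edge-Region", "ap"), "asia"),
]


def redirect_for(req: Request, rules: List[Rule] = RULES) -> Tuple[int, Dict[str, str]]:
    """Evaluate the rules first-match and build the 302.  The original path
    and query are re-attached to the chosen site's origin; scheme and host
    are never taken from the request, so neither a forged Host header nor
    a '?next=' parameter can steer the Location value.  no-store keeps a
    shared cache from replaying a header-dependent redirect to everyone."""
    site_key = next((rule.site for rule in rules if rule.condition(req)), DEFAULT_SITE)
    base = urlsplit(SITES[site_key])
    parts = urlsplit(req.url)
    location = urlunsplit((base.scheme, base.netloc, parts.path or "/", parts.query, ""))
    return 302, {"Location": location, "Cache-Control": "no-store"}
```

The DNS rule set and this HTTP rule list are not exclusive: the common arrangement is DNS for the bulk geo-closest steering and an HTTP rule only for the cases (a path that must stay in one region, an explicit region parameter) that DNS cannot express.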


Scenario: FortiDirector and Content Delivery Networks (CDNs)
Sometimes a customer must use a content delivery network (CDN) to serve the more resource-intensive assets of a web site, such as Flash video. In some cases the entire web site is hosted by a CDN, usually for reasons of performance and reliability. However, CDNs are expensive, and using one does not guarantee the best performance or the lowest possible cost. There are several ways FortiDirector can minimize the cost of using a CDN or enhance performance for a customer’s real-world clients, especially in an international setting.

[Figure: Price or performance can determine where traffic is directed]

Solution 1
A CDN can be thought of as a very large, vertically scaled web server. A CDN cannot redirect a portion of traffic to the customer’s origin web server (where the web site is hosted in the customer’s own facilities): all traffic must be sent to the CDN. FortiDirector can use a weighted-round-robin approach to send a percentage of traffic to the customer’s origin web server, reducing the usage-based costs incurred by sending all traffic through the CDN. Alternatively, FortiDirector can direct clients to the CDN only during high-traffic hours. This approach to directing traffic is increasingly common with the availability of cloud infrastructure (for example, Amazon and Rackspace).
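The two rules of Solution 1, as an added example that is not FortiDirector or Fortinet code: a Python model of a weighted-round-robin split between the CDN and the origin, and of a time-of-day rule that uses the CDN only in a peak window. The destinations, weights and peak window are constructed assumptions, and since the guide does not describe FortiDirector's own weighting algorithm, the split uses the deterministic "smooth" weighted round robin known from nginx upstreams, which gives an exact 70/30 split over every 100 answers rather than only on average.

```python
"""Cost-aware CDN/origin splitting (Solution 1).

Added example, not FortiDirector code.  Destinations, weights and the
peak window are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Destination:
    name: str
    target: str          # the CNAME or A target the DNS answer would carry
    weight: int
    current: int = 0     # running score used by the smooth scheduler


class WeightedRoundRobin:
    """Smooth weighted round robin: each pick adds every weight to its own
    counter, takes the highest counter, then subtracts the total from it.
    Over any sum(weights) consecutive picks each destination is chosen
    exactly `weight` times, and the picks are interleaved rather than
    bunched, so the billed CDN share is predictable at any scale."""

    def __init__(self, destinations: List[Destination]):
        if not destinations or any(d.weight <= 0 for d in destinations):
            raise ValueError("every destination needs a positive weight")
        self.destinations = destinations
        self.total = sum(d.weight for d in destinations)

    def pick(self) -> Destination:
        for d in self.destinations:
            d.current += d.weight
        best = max(self.destinations, key=lambda d: d.current)
        best.current -= self.total
        return best


def count_picks(wrr: WeightedRoundRobin, n: int) -> Dict[str, int]:
    """Distribution of the next n answers, by destination name."""
    counts: Dict[str, int] = {}
    for _ in range(n):
        name = wrr.pick().name
        counts[name] = counts.get(name, 0) + 1
    return counts


# Peak window (assumption): 08:00 up to but excluding 20:00, site local time.
PEAK_START, PEAK_END = 8, 20


def destinations_for_hour(hour: int, cdn: Destination, origin: Destination) -> List[Destination]:
    """Time-of-day rule: during peak hours every answer goes to the CDN;
    off peak the origin serves alone, so no CDN usage is billed at all."""
    if not 0 <= hour < 24:
        raise ValueError("hour must be 0-23")
    return [cdn] if PEAK_START <= hour < PEAK_END else [origin]


def new_split(cdn_weight: int = 70, origin_weight: int = 30) -> WeightedRoundRobin:
    """Fresh scheduler for the constructed CDN/origin pair."""
    return WeightedRoundRobin([
        Destination("cdn", "www.mycompany.com.cdn.example.", cdn_weight),
        Destination("origin", "203.0.113.30", origin_weight),
    ])


if __name__ == "__main__":
    print(count_picks(new_split(), 100))          # {'cdn': 70, 'origin': 30}
    cdn, origin = new_split().destinations
    print([d.name for d in destinations_for_hour(12, cdn, origin)])   # ['cdn']
```

Sending a share of clients straight to the origin has a security consequence worth planning for: the origin's address is then published in DNS and it receives Internet traffic directly, so it needs the same web application firewall and rate limiting as the CDN path, and it can no longer rely on the CDN to absorb volumetric attacks.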

Solution 2
Customers with multiple CDNs generally prefer one over the other because of cost. A best practice is to sign contracts with two CDNs and use the more expensive one as a backup. FortiDirector can automatically switch traffic between them when it detects that the primary CDN has failed.

Solution 3
A customer may hire a CDN for performance reasons only, because CDNs typically have a global presence, even though the customer’s own web servers could handle the client load. In this scenario, FortiDirector can automatically redirect traffic to the customer’s origin web server when the CDN fails.

Solution 4
A customer may hire several CDNs in several different geographic regions with the goal of maximizing performance. In this scenario, FortiDirector can automatically route clients to the geographically closest CDN, or the customer can manually configure a specific CDN for a region. A common example of this solution is a CDN that operates only in a single country, such as Germany or China, and is used only for clients in that country.

FortiDirector and CDNs
Save money and reduce latency by using FortiDirector to control the delivery of content to end users anywhere in the world.

Limitations
When you develop features using FortiDirector functionality, keep the following information in mind:

• FortiDirector checks the health of Fortinet devices by connecting to an appropriate port. It does not consider the device’s CPU utilization or other resource utilization when it determines health and availability, so a device that is overloaded but still accepting connections is treated as healthy.

• FortiDirector provides considerable flexibility when you are designing traffic management rules. However, not all configurations will be optimal for your scenario. A Fortinet sales engineer can help you avoid performance issues and unexpected results when you configure your initial GTM setup.

Summary
FortiDirector provides a complete, easy-to-manage and reliable way to extend any web-based application across the globe to any number of data centers without the addition of a single piece of hardware. In this guide we demonstrated ways to use FortiDirector to scale other Fortinet products such as FortiMail, FortiGate VPN and FortiWeb. We also reviewed four different solutions for scaling a CDN to meet the needs of almost any business challenge. These are just the beginning of the many ways FortiDirector can provide scalability and redundancy for your application delivery challenges. For more information on FortiDirector or to request a free demo, please contact your Fortinet sales representative or Fortinet authorized resale partner.

GLOBAL HEADQUARTERS
Fortinet Inc.
1090 Kifer Road
Sunnyvale, CA 94086
United States
Tel: +1.408.235.7700
Fax: +1.408.235.7737
www.fortinet.com/sales

EMEA SALES OFFICE
120 rue Albert Caquot
06560 Sophia Antipolis, France
Tel: +33.4.8987.0510
Fax: +33.4.8987.0501

APAC SALES OFFICE
300 Beach Road 20-01
The Concourse
Singapore 199555
Tel: +65.6513.3730
Fax: +65.6223.6784

LATIN AMERICA SALES OFFICE
Prol. Paseo de la Reforma 115 Int. 702
Col. Lomas de Santa Fe, C.P. 01219
Del. Alvaro Obregón
México D.F.
Tel: 011-52-(55) 5524-8480

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.