Use FortiWeb to Publish Applications



Tech Brief: Use FortiWeb to Publish Applications
Replacing Microsoft TMG with a FortiWeb Web Application Firewall
Version 0.2, 27 June 2014
FortiWeb Release 5.2.0

Introduction

This document is intended for readers who have some FortiWeb experience or a fundamental knowledge of web application firewalling and the HTTP protocol. It gives step-by-step instructions for configuring FortiWeb to perform an independent pre-authentication in front of web applications. This kind of setup was widely implemented with Microsoft's Threat Management Gateway (TMG), which Microsoft has discontinued. FortiWeb, as a Web Application Firewall (WAF), adds a significant advantage to pre-authentication: with its built-in security features it can also protect the application after a successful login, and it can provide Single Sign-On (SSO) across published applications.

FortiWeb Basics

In a FortiWeb configuration, every protected (published) application is configured in a Server Policy. This policy refers to several other configuration objects:

Virtual Server: the IP address FortiWeb listens on for this service
Physical Server: the IP address(es) of the backend server(s)
Certificate: the certificate to use for SSL encryption
Web Protection Profile: contains all security-related configuration and refers to multiple other configuration objects

The letters (a to i) refer to the corresponding paragraphs in the following section.

Configuration

We assume that all IP addresses, routing and DNS information have already been configured. Furthermore, FortiWeb must run in Reverse Proxy mode. The configuration is done bottom-up: we start with the configuration objects that are the leaves of the configuration tree and work upward until we reach the Server Policy, which links all the configuration objects together.

a. LDAP

The LDAP configuration can be found under User / Remote Server / LDAP Server in the navigation menu on the left side. Create a new server profile by clicking the plus sign.

Fill in the required information. In this scenario the user must enter the full mail address as login name, so we refer to the Active Directory attribute userPrincipalName. Depending on the application you are going to publish, you might need other login information from the user.

Tip on finding the Distinguished Name: on the domain controller start adsiedit.msc, select Action >> Connect to from the top menu and click OK. Browse to the CN=Users container, select a user (e.g. CN=Administrator) and open its properties. Scroll down to the distinguishedName attribute. Use these values in FortiWeb. CN=Administrator is used here only to locate the attribute; for the account FortiWeb binds with, a dedicated low-privilege service account is the better choice.

b. Site Publishing Rule

The Site Publishing Rule is created under Application Delivery / Site Publish / Rule. After creating a new rule, enter the required information:

Name is a unique identifier for the rule.
Published Site and Path determine whether FortiWeb will capture the traffic and force the pre-authentication. In the case of OWA the path starts with /owa. The URL the user is trying to access is therefore https://mail.fortiweb.lab/owa, which supplies these first two parameters (mail.fortiweb.lab and /owa).
Logoff Path is the path FortiWeb uses to log off a user; it is an optional field. For Outlook Web Access it is /owa/logoff.owa.

The authentication input from the user can be requested via HTTP Basic Authentication or via a predefined HTML login form (the screenshot of the form is not reproduced here).

Next, select the LDAP profile you created in step a.

Authentication Delegation determines whether FortiWeb sends the credentials entered by the user on to the backend server. At this time there are two possibilities:
No Delegation (the backend server shows its own login)
HTTP Basic (HTTP Basic Authentication to the backend server)

FortiWeb stores the credentials for the length of the session and can therefore forward them to other application servers without requiring the user to re-enter the password, provided SSO Support is enabled and an SSO Domain is defined.

Alert Type filters which logon events are written to the event log: None / Failed only / Successful only / All.

c. Site Publish Policy

The Site Publish Policy is referenced by the Web Protection Profile and allows multiple Site Publish Rules to be used in one Web Protection Profile. It can be accessed via Application Delivery / Site Publish / Site Publish Policy. After creating a new entry, enter the name of the policy and click OK. After that, multiple Site Publish Rules can be added.

d. X-Forwarded-For

FortiWeb is running as a reverse proxy. This implies that all connections from FortiWeb to the backend server have the IP address of one of FortiWeb's interfaces as source address. To have the end-user IP address in the log of the backend server, the client's IP address can be forwarded to the backend in an X-Forwarded-For header in the request. Note that any client can send an X-Forwarded-For header of its own, so the backend should only trust this header on connections that actually come from FortiWeb.
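How the backend (or whatever parses its logs) should pick the client address from that header is the security-relevant part: honour it only when the TCP peer is FortiWeb, and take the hop FortiWeb added rather than the leftmost value, which a client can fabricate. The following Python function is an added example, not part of the original brief or of FortiWeb; it assumes FortiWeb talks to the backend from 10.0.0.5 (a made-up address) and that the address FortiWeb adds is the last entry of the header, whether FortiWeb creates the header or appends to one the client already sent.

```python
import ipaddress

# Assumption for this example: the interface FortiWeb uses towards the backend.
# Replace with the real backend-facing FortiWeb address(es) or subnet(s).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the trusted reverse-proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address the backend should log (and apply IP-based rules to).

    remote_addr: the TCP peer address the backend sees.
    xff_header:  the X-Forwarded-For value from the request, or None.

    The header is only honoured when the peer is a trusted proxy. The list is
    walked from the right, skipping trusted proxy hops, and the first address
    that is not a trusted proxy is returned: that is the hop FortiWeb saw,
    while anything further left may have been supplied by the client itself.
    """
    if not is_trusted_proxy(remote_addr, trusted) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: do not trust anything in this header.
            return remote_addr
        if not is_trusted_proxy(str(ip), trusted):
            return str(ip)
    # Every entry was a trusted proxy; nothing usable as a client address.
    return remote_addr


# Constructed sample connections as (peer address, X-Forwarded-For value).
SAMPLES = [
    ("10.0.0.5", "203.0.113.7"),                # normal: request came via FortiWeb
    ("10.0.0.5", "198.51.100.1, 203.0.113.7"),  # client sent its own XFF; FortiWeb appended the real one
    ("10.0.0.5", "203.0.113.7, 10.0.0.5"),      # a trusted hop is listed: skip it
    ("203.0.113.9", "10.0.0.1"),                # direct connection, not via FortiWeb: ignore header
    ("10.0.0.5", "not-an-ip"),                  # garbage: fall back to the peer
    ("10.0.0.5", None),                         # no header at all
]


def resolve_samples(samples=SAMPLES):
    """Resolve every constructed sample to the address that should be logged."""
    return [client_ip(peer, xff) for peer, xff in samples]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:<14} xff={xff!s:<30} -> client={ip}")
```

The fourth sample is the one that matters most: a request that reaches the backend without passing through FortiWeb keeps its real peer address, whatever the header claims.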

Select Server Objects / X-Forwarded-For / X-Forwarded-For and create a new entry. Enter a name and select Add X-Forwarded-For. FortiWeb offers several other, flexible ways to incorporate this information in the HTTP headers.

e. Inline Protection Profile

Create a new Inline Protection Profile under Policy / Web Protection Profile / Inline Protection Profile. Enter a name, enable Session Management and select the X-Forwarded-For profile. Scroll down to Site Publish and select the Site Publish Policy created in step c.

f. Virtual Server

Create a new entry under Server Objects / Server / Virtual Server. Fill in the IP address on which FortiWeb should listen for connections from the internet.

g. Physical Server

Create a new entry under Server Objects / Server / Physical Server. Enter the IP address of the server that runs the published application.

h. Certificates

Certificates can be uploaded, or CSRs generated, under System / Certificates / Local. If you have an official, signed certificate you will also need to upload the certificate of the signing authority (CA) and, depending on your authority, the intermediate CAs as well. The FortiWeb documentation is available at http://docs.fortinet.com/fweb.html; the chapter about certificate handling starts on page 279.

i. Server Policy

The last step is putting all the pieces together in the Server Policy. Open Policy / Server Policy / Server Policy and create a new entry. Select all the previously configured objects:
Virtual Server
Physical Server
Certificate
Web Protection Profile
and click OK.

FortiWeb is now listening on the specified address and will intercept connections to the defined URL (in this example https://mail.fortiweb.lab/owa) and force a successful authentication before the client can send any further request to the application server. This only holds if the Physical Server is reachable exclusively through FortiWeb; a backend that clients can reach directly is not protected by the pre-authentication. Additional security can be configured, but this is out of scope for this document.
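A quick way to confirm the result before handing the service over: an unauthenticated request to the published URL should be answered by FortiWeb's challenge (HTTP 401 Basic or its login form), not by OWA's own forms-based logon page, and the Physical Server address must not be reachable from the client network at all, otherwise the pre-authentication can simply be bypassed. The script below is an added example, not part of the original brief or of any Fortinet tooling; the hostnames and the backend address 10.0.0.10 are assumptions, and the rule that a 401 carrying a Microsoft-IIS Server header came straight from the backend is a heuristic, not something FortiWeb documents.

```python
"""Post-deployment checks for a FortiWeb site-publishing rule (example, not Fortinet code)."""
import socket
import ssl
import sys
import urllib.error
import urllib.request


def classify_front_door(status, headers, body):
    """Classify what an unauthenticated client gets at the published path.

    'challenge-basic'               FortiWeb asked for HTTP Basic credentials
    'challenge-form'                FortiWeb served its login form
    'redirect'                      a 3xx to somewhere else; fetch the target and classify it
    'challenge-basic-from-backend'  401 Basic, but the Server header says IIS: the request
                                    reached OWA without pre-authentication (heuristic: a
                                    FortiWeb-generated response carries no IIS Server header)
    'backend-login-page'            OWA's own forms-based logon page (/owa/auth/logon.aspx)
                                    was served or redirected to: the rule did not intercept
    'passthrough'                   application content without any authentication at all
    """
    h = {k.lower(): v for k, v in headers.items()}
    b = body.lower()
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        if h.get("server", "").lower().startswith("microsoft-iis"):
            return "challenge-basic-from-backend"
        return "challenge-basic"
    if 300 <= status < 400:
        if "logon.aspx" in h.get("location", "").lower():
            return "backend-login-page"
        return "redirect"
    if "logon.aspx" in b:
        return "backend-login-page"
    if "<form" in b and "password" in b:
        return "challenge-form"
    return "passthrough"


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds. Run from the client
    network: the Physical Server must NOT be reachable from there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses visible instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, insecure=False):
    """Return (status, headers, body) for an unauthenticated GET of url."""
    ctx = ssl.create_default_context()
    if insecure:  # lab certificate not trusted by this client; never use in production checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 401, 3xx and other non-2xx responses land here
        return e.code, dict(e.headers.items()), e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Assumed values for this example; pass your own as arguments.
    published = sys.argv[1] if len(sys.argv) > 1 else "https://mail.fortiweb.lab/owa/"
    backend = sys.argv[2] if len(sys.argv) > 2 else "10.0.0.10"
    status, headers, body = fetch(published, insecure="--insecure" in sys.argv)
    print(f"{published}: HTTP {status} -> {classify_front_door(status, headers, body)}")
    for port in (80, 443):
        state = "REACHABLE (pre-auth can be bypassed)" if tcp_reachable(backend, port) else "closed"
        print(f"backend {backend}:{port} from this host: {state}")
```

Run it from a host on the client side of FortiWeb. The first line should read challenge-basic or challenge-form; any other classification means the Published Site or Path in the Site Publishing Rule does not match what the client requests, and a REACHABLE backend means the network path around FortiWeb still needs to be closed.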

Changes to be made on the Outlook Web Access side

Log in to https://url.to.owa.server/ecp
Go to servers >> virtual directories
Select owa and click the pencil (edit) icon
Select authentication and change the value as shown in the screenshot (not reproduced here); because FortiWeb delegates the credentials with HTTP Basic, the virtual directory must accept Basic Authentication
Select save
Outlook Web Access administration now prompts you to make the same change to the /ecp virtual directory
Select ecp and make the same change

Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.