waf site-publish-helper rule
Use this command to configure access control, authentication, and, optionally, SSO for your web applications.
If:
your users access multiple web applications on your domain, and
you have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server
you may want to configure single sign-on (SSO) and combination access control and authentication (called “site publishing” in the GUI) instead of configuring simple HTTP authentication rules. SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access separate web applications in your domain. When FortiWeb receives the first request, it will return (depending on your configuration) an HTML authentication form or HTTP WWW-Authenticate: code to the client.
FortiWeb sends the client’s credentials in a query to the authentication server. Once the client is successfully authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate.
For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your users will only need to authenticate once while using those resources.
Before you configure site publishing, you must first define the queries to your authentication server. For details, see “config user ldap-user” or “config user radius-user”.
FortiWeb supports the following additional site publishing options:
RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication)
RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no password)
Regular Kerberos authentication delegation and Kerberos constrained delegation
For more information on these options, see the descriptions of the individual site publishing rule settings and the FortiWeb Administration Guide.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf site-publish-helper rule
    edit <site-publish-rule_name>
        set status {enable | disable}
        set req-type {plain | regular}
        set published-site <host_fqdn>
        set path <url_str>
        set client-auth-method {html-form-auth | http-auth | client-cert-auth}
        [set Published-Server-Logoff-Path <url_str>]
        set cookie-timeout <timeout_int>
        set auth-method {ldap | radius}
        set ldap-server <query_name>
        set radius-server <query_name>
        set rsa-securid {enable | disable}
        set auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation}
        set field-name {subject | SAN}
        set attribution-name {email | UPN}
        set delegated-spn <delegated-spn_str>
        set keytab-file <keytab_file>
        set delegator-spn <delegator-spn_str>
        set prefix-support {enable | disable}
        set prefix-domain <prefix-domain_str>
        set alert-type {all | fail | none | success}
        set sso-support {enable | disable}
        set sso-domain <domain_str>
    next
end
Variable
Description
Default
<site-publish-rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
status {enable | disable}
Enable to activate this rule.
This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy.
enable
req-type {plain | regular}
Select whether published-site <host_fqdn> contains a literal FQDN (plain), or a regular expression designed to match multiple host names or fully qualified domain names (regular).
plain
published-site <host_fqdn>
Depending on your selection in req-type {plain | regular}, type either:
the literal Host: name, such as sharepoint.example.com, that the HTTP request must contain in order to match the rule.
a regular expression, such as ^*\.example\.edu, matching all and only the host names to which the rule should apply.
The maximum length is 255 characters.
Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide.
No default.
path <url_str>
Type the URL of the request for the web application, such as /owa. It must begin with a forward slash ( / ).
No default.
client-auth-method {html-form-auth | http-auth | client-cert-auth}
Specify one of the following options:
html-form-auth — FortiWeb authenticates clients by presenting an HTML web page with an authentication form.
http-auth — FortiWeb authenticates clients by returning an HTTP AUTH code so that the browser displays its own dialog.
client-cert-auth — FortiWeb validates the HTTP client’s personal certificate using the certificate verifier specified in the associated server policy or server pool configuration.
Note: This option requires you to select a value for ssl-client-verify <verifier_name> in the server policy or certificate-verify <verifier_name> in the server pool configuration.
html-form-auth
Published-Server-Logoff-Path <url_str>
Optionally, type the URL of the request that a client sends to log out of the application, such as: /owa/auth/logoff.aspx?Cmd=logoff
When logging out of the web application, the client will be redirected to FortiWeb’s authentication dialog.
This setting appears only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth.
No default.
cookie-timeout <timeout_int>
Specify the length of time that passes before the cookie that the site publish rule adds expires and the client must re-authenticate.
Valid values are from 0 to 3600 hours.
To configure the cookie with no expiration, specify 0 (the default). The browser only deletes the cookie when the user closes all browser windows.
0
auth-method {ldap | radius}
Depending on which query you want to use to authenticate clients, select either LDAP or RADIUS.
ldap
ldap-server <query_name>
Type the name of the authentication query that FortiWeb will use to pass credentials to your authentication server.
No default.
radius-server <query_name>
Type the name of the authentication query that FortiWeb will use to pass credentials to your authentication server.
No default.
rsa-securid {enable | disable}
Specify whether FortiWeb authenticates clients using a username and an RSA SecurID authentication code only. Users are not required to enter a password.
When this option is enabled, the authentication delegation options in the site publish rule are not available.
disable
auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation}
Specify one of the following options:
http-basic — Use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application. Typically, you should select this option if the web application supports HTTP protocol-based authentication.
Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth or http-auth.
kerberos — After it authenticates the client via the HTTP form or HTTP basic method, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.
Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth or http-auth.
kerberos-constrained-delegation — After it authenticates the client’s certificate, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding.
no-delegation — FortiWeb does not send the client’s credentials to the web application.
Select this option when the web application has no authentication of its own or uses HTML form-based authentication.
Note: If the web application uses HTML form-based authentication, the client is required to authenticate twice: once with FortiWeb and once with the web application’s form.
Not available when rsa-securid {enable | disable} is enable.
no-delegation
field-name {subject | SAN}
Use one of the following options to specify the certificate information that FortiWeb uses to determine the client username:
subject — The email address value in the certificate’s Subject information.
SAN — The certificate’s subjectAltName (Subject Alternative Name or SAN) and either the User Principal Name (UPN) or the email address value in the certificate’s Subject information.
For attribution-name {email | UPN}, select UPN or email.
In certificates issued in a Windows environment, the certificate’s SAN and UPN contain the username. For example:
username@domain
SAN
attribution-name {email | UPN}
Use one of the following options to specify the certificate information that FortiWeb uses to determine the client username:
email — The email address value in the certificate’s Subject information.
For field-name {subject | SAN}, specify subject or SAN.
UPN — The User Principal Name (UPN) value.
For field-name {subject | SAN}, specify SAN.
Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN.
UPN
delegated-spn <delegated-spn_str>
Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule.
A service principal name uses the following format:
<service_type>/<instance_name>:<port_number>/<service_name>
For example, for an Exchange server that belongs to the domain dc1.com and has the hostname USER-U3LOJFPLH1, the SPN is http/USER-U3LOJFPLH1.dc1.com@DC1.COM.
Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos or kerberos-constrained-delegation.
No default.
keytab-file <keytab_file>
Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients.
No default.
delegator-spn <delegator-spn_str>
Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file>.
This is the SPN of the AD user that FortiWeb uses to obtain Kerberos service tickets for clients.
No default.
prefix-support {enable | disable}
Enable so that, in environments where the domain controller requires users to log in with both a domain and a username, users can log in with just the username. Also specify prefix-domain <prefix-domain_str>.
In some environments, the domain controller requires users to log in with the username format domain\username. For example, if the domain is example.com and the username is user1, the user enters EXAMPLE\user1.
Alternatively, enable this option and enter EXAMPLE for prefix-domain <prefix-domain_str>. The user enters user1 for the username value and FortiWeb automatically adds EXAMPLE\ to the HTTP Authorization: header before it forwards it to the web application.
enable
prefix-domain <prefix-domain_str>
Enter a domain name that FortiWeb adds to the HTTP Authorization: header before it forwards it to the web application.
Available only when prefix-support {enable | disable} is enabled.
If auth-delegation is kerberos, ensure that the string is the full domain name (for example, example.com).
No default.
sso-domain <domain_str>
Type the domain suffix of Host: names that will be allowed to share this rule’s authentication sessions, such as .example.com. Include the period ( . ) that precedes the host’s name.
No default.
sso-support {enable | disable}
Enable for single sign-on support.
For example, if this web site is www1.example.com and the SSO domain is .example.com, once a client has authenticated with that site, it can access www2.example.com without authenticating a second time.
Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall.
disable
alert-type {all | fail | none | success}
Select which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about. The options are all, fail, success, and none.
When an end user successfully authenticates, the event log message contains the user name, authentication type, result, and source address (for example, User jdoe [Site Publish] login successful from 172.0.2.5). A similar message is recorded if the authentication fails (for example, User hackers [Site Publish] login failed from 172.0.2.5).
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
none
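As an added example (not part of the FortiWeb documentation), the following Python script parses event log lines in the format described above and flags source addresses that failed authentication for several distinct usernames, which is the kind of pattern an alert-type of fail should make visible. The log lines are constructed samples, not output from a real appliance.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the site-publish event format shown on
# this page (not captured from a real FortiWeb appliance).
SAMPLE_LOG = """\
User jdoe [Site Publish] login successful from 172.0.2.5
User hackers [Site Publish] login failed from 172.0.2.5
User hackers [Site Publish] login failed from 172.0.2.5
User admin [Site Publish] login failed from 172.0.2.5
User jdoe [Site Publish] login failed from 172.0.2.5
User jsmith [Site Publish] login successful from 172.0.2.6
User jsmith [Site Publish] login failed from 172.0.2.7
"""

# One event line: user name, result, and source IPv4 address.
LINE_RE = re.compile(
    r"^User (?P<user>\S+) \[Site Publish\] login "
    r"(?P<result>successful|failed) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line):
    """Return (user, result, src) for one site-publish event, or None."""
    m = LINE_RE.match(line.strip())
    return (m["user"], m["result"], m["src"]) if m else None

def failed_logins_by_source(log_text):
    """Map each source IP to the set of usernames that failed from it."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "failed":
            failures[parsed[2]].add(parsed[0])
    return failures

def suspicious_sources(log_text, min_users=3):
    """Sources with failed logins for at least min_users distinct usernames:
    many failures across different accounts from one address is worth an
    alert, while a single user mistyping a password is not."""
    return sorted(src for src, users in failed_logins_by_source(log_text).items()
                  if len(users) >= min_users)
```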
Example
This example configures a site publisher with SSO for both Outlook and Sharepoint on the example.com domain.
config waf site-publish-helper rule
    edit "Outlook"
        set req-type regular
        set published-site ^*\.example\.edu
        set ldap-server "LDAP query 1"
        set auth-delegation http-basic
        set sso-support enable
        set sso-domain .example.edu
        set path /owa
        set alert-type fail
        set Published-Server-Logoff-Path /owa/auth/logoff.aspx?Cmd=logoff
    next
    edit "Sharepoint"
        set published-site ^*\\.example\\.edu
        set req-type regular
        set auth-method radius
        set radius-server "RADIUS query 1"
        set auth-delegation http-basic
        set sso-support enable
        set sso-domain .example.edu
        set path /sharepoint
        set alert-type fail
    next
end
config waf site-publish-helper policy
    edit "example_com_apps"
        config rule
            edit 1
                set rule-name Outlook
            next
            edit 2
                set rule-name Sharepoint
            next
        end
    next
end
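Several settings in the variable table only work in combination (a regular expression in published-site needs req-type regular, auth-method selects which query name must be present, Kerberos delegation needs delegated-spn, and sso-domain must keep its leading period). As an added example, not from the FortiWeb documentation or product, the Python script below parses a rule block written in the CLI form shown above and reports violations of those stated constraints; the embedded rule is a constructed sample that deliberately contains four such mistakes.

```python
import re

# Constructed rule block in the CLI form shown on this page (not a live
# FortiWeb config); it deliberately contains four of the mistakes the
# variable table warns about.
SAMPLE_RULES = r'''
config waf site-publish-helper rule
    edit "Sharepoint"
        set published-site ^*\.example\.edu
        set radius-server "RADIUS query 1"
        set auth-delegation kerberos
        set sso-support enable
        set sso-domain example.edu
        set path /sharepoint
    next
end
'''
# Defaults from the variable table, applied when a setting is not given.
DEFAULTS = {"req-type": "plain", "auth-method": "ldap",
            "auth-delegation": "no-delegation", "sso-support": "disable"}

def parse_rules(text):
    """Return {rule_name: {setting: value}} for each edit/next block."""
    rules, current = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if not parts:
            continue
        if parts[0] == "edit":
            current = parts[1].strip('"')
            rules[current] = dict(DEFAULTS)
        elif parts[0] == "set" and current is not None:
            rules[current][parts[1]] = parts[2].strip().strip('"')
        elif parts[0] == "next":
            current = None
    return rules

def check_rule(name, r):
    """Apply constraints stated in the variable table; return findings."""
    findings = []
    if r["req-type"] == "plain" and re.search(r"[\^$*\\]", r.get("published-site", "")):
        findings.append("published-site is a regex but req-type is plain")
    if r["auth-method"] + "-server" not in r:
        findings.append(f"auth-method {r['auth-method']} has no matching query")
    if r["auth-delegation"].startswith("kerberos") and "delegated-spn" not in r:
        findings.append("kerberos delegation requires delegated-spn")
    if r["sso-support"] == "enable" and not r.get("sso-domain", ".").startswith("."):
        findings.append("sso-domain must include the leading period")
    return [f"{name}: {msg}" for msg in findings]

def lint(text):
    return [m for name, r in parse_rules(text).items() for m in check_rule(name, r)]
```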
Related topics
config waf site-publish-helper policy
config log trigger-policy
config server-policy allow-hosts
config waf web-protection-profile inline-protection