Variable | Description | Default |
--- | --- | --- |
<site-publish-rule_name> | Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type: edit ? | No default. |
status {enable | disable} | Enable to activate this rule. This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy. | enable |
req-type {plain | regular} | Select whether published-site <host_fqdn> contains a literal FQDN (plain), or a regular expression designed to match multiple host names or fully qualified domain names (regular). | plain |
published-site <host_fqdn> | Depending on your selection in req-type {plain | regular}, type either: • the literal Host: name, such as sharepoint.example.com, that the HTTP request must contain in order to match the rule. • a regular expression, such as ^*\.example\.edu, matching all and only the host names to which the rule should apply. The maximum length is 255 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide. | No default. |
path <url_str> | Type the URL of the request for the web application, such as /owa. It must begin with a forward slash ( / ). | No default. |
client-auth-method {html-form-auth | http-auth | client-cert-auth} | Specify one of the following options: • html-form-auth — FortiWeb authenticates clients by presenting an HTML web page with an authentication form. • http-auth — FortiWeb authenticates clients by returning an HTTP AUTH code so that the browser displays its own dialog. • client-cert-auth — FortiWeb validates the HTTP client’s personal certificate using the certificate verifier specified in the associated server policy or server pool configuration. Used when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos or no-delegation. Note: This option requires you to select a value for ssl-client-verify <verifier_name> in the server policy or certificate-verify <verifier_name> in the server pool configuration. | html-form-auth |
Published-Server-Logoff-Path <url_str> | Optionally, type the URL of the request that a client sends to log out of the application, such as /owa/auth/logoff.aspx?Cmd=logoff. When logging out of the web application, the client will be redirected to FortiWeb’s authentication dialog. This setting appears only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth. | No default. |
cookie-timeout <timeout_int> | Specify the length of time that passes before the cookie that the site publish rule adds expires and the client must re-authenticate. Valid values are from 0 to 3600 hours. To configure the cookie with no expiration, specify 0 (the default). The browser only deletes the cookie when the user closes all browser windows. | 0 |
auth-method {ldap | radius} | Depending on which query you want to use to authenticate clients, select either LDAP or RADIUS. | ldap |
ldap-server <query_name> | Type the name of the authentication query that FortiWeb will use to pass credentials to your authentication server. | No default. |
radius-server <query_name> | Type the name of the authentication query that FortiWeb will use to pass credentials to your authentication server. | No default. |
rsa-securid {enable | disable} | Specify whether FortiWeb authenticates clients using a username and an RSA SecurID authentication code only. Users are not required to enter a password. When this option is enabled, the authentication delegation options in the site publish rule are not available. Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth and auth-method {ldap | radius} is radius. | disable |
auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} | Specify one of the following options: • http-basic — Use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application. Typically, you should select this option if the web application supports HTTP protocol-based authentication. Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth or http-auth. • kerberos — After it authenticates the client via the HTTP form or HTTP basic method, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding. Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is html-form-auth or http-auth. • kerberos-constrained-delegation — After it authenticates the client’s certificate, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP Authorization: header of the client request with Base64 encoding. Available only if client-auth-method {html-form-auth | http-auth | client-cert-auth} is client-cert-auth. • no-delegation — FortiWeb does not send the client’s credentials to the web application. Select this option when the web application has no authentication of its own or uses HTML form-based authentication. Note: If the web application uses HTML form-based authentication, the client is required to authenticate twice: once with FortiWeb and once with the web application’s form. Not available when rsa-securid {enable | disable} is enable. | no-delegation |
field-name {subject | SAN} | Use one of the following options to specify the certificate information that FortiWeb uses to determine the client username: • subject — The email address value in the certificate’s Subject information. For attribution-name {email | UPN}, select email. • SAN — The certificate’s subjectAltName (Subject Alternative Name or SAN) and either the User Principal Name (UPN) or the email address value in the certificate’s Subject information. In certificates issued in a Windows environment, the certificate’s SAN and UPN contain the username, for example username@domain. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos-constrained-delegation. | SAN |
attribution-name {email | UPN} | Use one of the following options to specify the certificate information that FortiWeb uses to determine the client username: • email — The email address value in the certificate’s Subject information. • UPN — The User Principal Name (UPN) value. For field-name {subject | SAN}, specify SAN. Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos-constrained-delegation. | UPN |
delegated-spn <delegated-spn_str> | Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule. A service principal name uses the following format: <service_type>/<instance_name>:<port_number>/<service_name> For example, for an Exchange server that belongs to the domain dc1.com and has the hostname USER-U3LOJFPLH1, the SPN is http/USER-U3LOJFPLH1.dc1.com@DC1.COM. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos or kerberos-constrained-delegation. | No default. |
keytab-file <keytab_file> | Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos-constrained-delegation. | No default. |
delegator-spn <delegator-spn_str> | Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file>. This is the SPN of the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is kerberos-constrained-delegation. | No default. |
prefix-support {enable | disable} | Enable to allow users to log in with just a username in environments where the domain controller requires both a domain and a username. Also specify prefix-domain <prefix-domain_str>. In some environments, the domain controller requires users to log in with the username format domain\username. For example, if the domain is example.com and the username is user1, the user enters EXAMPLE\user1. Alternatively, enable this option and enter EXAMPLE for prefix-domain <prefix-domain_str>. The user then enters user1 for the username value and FortiWeb automatically adds EXAMPLE\ to the HTTP Authorization: header before it forwards it to the web application. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | no-delegation} is http-basic or kerberos. | enable |
prefix-domain <prefix-domain_str> | Enter a domain name that FortiWeb adds to the HTTP Authorization: header before it forwards it to the web application. Available only when prefix-support {enable | disable} is enabled. If auth-delegation is kerberos, ensure that the string is the full domain name (for example, example.com). | No default. |
sso-domain <domain_str> | Type the domain suffix of Host: names that will be allowed to share this rule’s authentication sessions, such as .example.com. Include the period ( . ) that precedes the host’s name. | No default. |
sso-support {enable | disable} | Enable for single sign-on support. For example, if this web site is www1.example.com and the SSO domain is .example.com, once a client has authenticated with that site, it can access www2.example.com without authenticating a second time. Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall. | disable |
alert-type {all | fail | none | success} | Select which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about: • all • fail • success • none. Event log messages contain the user name, authentication type, success or failure, and source address (for example, User jdoe [Site Publish] login successful from 172.0.2.5) when an end-user successfully authenticates. A similar message is recorded if the authentication fails (for example, User hackers [Site Publish] login failed from 172.0.2.5). Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”. | none |
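As an added example that is not part of the FortiWeb reference, the two rules below, written in FortiWeb CLI syntax, show how the dependent options in the table fit together: a form-based rule for Outlook Web App with an LDAP query and HTTP basic delegation with a domain prefix, and a certificate-based rule with Kerberos constrained delegation that takes the username from the SAN UPN. The command path config waf site-publish-helper rule, the LDAP query and keytab configuration names, the host names and the SPNs are assumptions, and the certificate rule only works once ssl-client-verify is set in the server policy.

```text
config waf site-publish-helper rule
    # Rule 1: HTML form login, LDAP check, credentials forwarded as HTTP basic
    edit "owa-form-ldap"
        set status enable
        set req-type plain
        set published-site "mail.example.com"
        set path "/owa"
        set client-auth-method html-form-auth
        # logoff path only applies to html-form-auth
        set published-server-logoff-path "/owa/auth/logoff.aspx?Cmd=logoff"
        # hours until the client must re-authenticate (0 = browser session)
        set cookie-timeout 8
        set auth-method ldap
        # assumed name of an existing LDAP query configuration
        set ldap-server "ldap-corp"
        set auth-delegation http-basic
        # user types user1, FortiWeb forwards EXAMPLE\user1 in Authorization:
        set prefix-support enable
        set prefix-domain "EXAMPLE"
        # sessions shared with www2.example.com etc. via the cookie domain
        set sso-support enable
        set sso-domain ".example.com"
        # log only failed logins for this rule
        set alert-type fail
    next
    # Rule 2: client certificate, Kerberos constrained delegation to SharePoint
    edit "sp-cert-kcd"
        set status enable
        set req-type regular
        set published-site "^sp[0-9]*\.example\.com$"
        set path "/"
        set client-auth-method client-cert-auth
        set auth-delegation kerberos-constrained-delegation
        # username comes from the SAN UPN (most reliable per the table)
        set field-name SAN
        set attribution-name UPN
        # SPN of the published web application (assumed host and realm)
        set delegated-spn "http/SP-WEB01.example.com@EXAMPLE.COM"
        # assumed name of the keytab configuration for the delegating AD user
        set keytab-file "fortiweb-kcd-keytab"
        # SPN used when that keytab was generated
        set delegator-spn "http/fortiweb.example.com@EXAMPLE.COM"
        # log both successful and failed authentications
        set alert-type all
    next
end
```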