
www.fortinet.com 1

Tech Brief

Use FortiWeb to Publish Applications Replacing Microsoft TMG with a FortiWeb Web Application Firewall

Version 0.2, 27 June 2014 FortiWeb Release 5.2.0

Introduction

This document is intended for persons who have some FortiWeb experience or have fundamental knowledge of Web Application Firewalling and the HTTP Protocol.

It gives step-by-step instructions for configuring FortiWeb to perform independent pre-authentication for web applications. This kind of setup is widely implemented using Microsoft’s Threat Management Gateway (TMG), which has been discontinued by Microsoft.

FortiWeb, as a Web Application Firewall (WAF), adds another significant advantage to pre-authentication: with its built-in security features it can protect the application after a successful login, and it can also provide SSO (Single Sign-On) capabilities.


How to configure Microsoft TMG features on FortiWeb


FortiWeb Basics

In a FortiWeb configuration, every protected (published) Application is configured in a “Server Policy”. This policy refers to several other configuration objects, like

• Virtual Server: The IP Address FortiWeb listens to for this service

• Physical Server: The IP Address(es) of the backend servers

• Certificate: Certificate to use for SSL Encryption

• Web Protection Profile: Contains all security related configuration and refers to multiple other configuration objects.

The lettered paragraphs (a to i) in the following section describe how to configure each of these objects.

Configuration

We assume that all IP addresses, routing and DNS information have been configured. Furthermore, FortiWeb must be running in “Reverse Proxy” mode.

The configuration is done bottom-up: we start with the configuration objects that are the leaves of the configuration tree and work upwards until we reach the “Server Policy”, which links all the configuration objects together.

a. LDAP

The LDAP configuration can be found under User / Remote Server / LDAP Server in the navigation menu on the left side. Create a new server profile by clicking the plus sign.


Fill in the required information:

In this scenario we need the user to enter the full mail address, therefore we refer to the Active Directory attribute “userPrincipalName”. Depending on the application you are going to publish, you might need other login information from the user.

TIP on how to find the Distinguished Name field: on the domain controller start the tool adsiedit.msc and select Action >> Connect to from the top menu. Click OK. Browse to the CN=Users folder. Select a user, e.g. CN=Administrator, and select Properties. Scroll down to the Distinguished Name field. Use these values in FortiWeb.

b. Site Publishing Rule

The Site Publishing Rule can be created under Application Delivery / Site Publish / Rule.

After creating a new rule, enter the required information:

Name is a unique identifier for the rule. Published Site and Path determine whether FortiWeb will capture the traffic and force the pre-authentication. In the case of OWA the path starts with /owa. The URL the user is trying to access is therefore HTTPS://mail.fortiweb.lab/owa, which supplies the first two parameters.

FortiWeb uses the logoff path to logoff a user. This is an optional field. For Outlook Web Access it is: /owa/logoff.owa


The authentication input from the user can be requested via HTTP Basic Authentication or this predefined form:

Next, select the LDAP profile you have already created.

Authentication Delegation determines if FortiWeb will send the credentials entered by the user to the backend server. At this time there are two possibilities:

• No Delegation (the backend server shows its own login).

• HTTP Basic (HTTP Basic Authentication to the Backend Server).

FortiWeb stores the credentials for the length of the session and can therefore forward them to other application servers without requiring the user to re-enter the password, provided SSO Support is enabled and an SSO Domain is defined.

Alert Type filters which logon events are written to the event log: None / Failed only / Successful only / All.
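The behaviour of the Site Publishing Rule described above, modelled as an added example (this is not FortiWeb code and the class and field names are hypothetical): a request matching Published Site and Path gets the login form until a session exists, a successful logon is checked against a constructed stand-in for the LDAP server, the stored credentials are then delegated to the backend as HTTP Basic, and the logoff path ends the session. SSO across domains is not modelled.

```python
import base64
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SitePublishRule:
    """Constructed model of the rule fields from section b (not FortiWeb's own API)."""
    name: str
    published_site: str          # host the rule applies to, e.g. mail.fortiweb.lab
    path: str                    # URL prefix that triggers pre-authentication, e.g. /owa
    logoff_path: Optional[str]   # request path that ends the session
    delegation: str              # Authentication Delegation: "none" or "basic"


@dataclass
class PreAuthGate:
    rule: SitePublishRule
    directory: Dict[str, str]    # constructed stand-in for the LDAP server: UPN -> password
    sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # cookie -> (UPN, password)

    def applies(self, host: str, path: str) -> bool:
        # Published Site and Path together decide whether the request is intercepted.
        return host.lower() == self.rule.published_site and path.startswith(self.rule.path)

    def handle(self, host, path, cookie=None, login=None):
        """Return (action, headers): what the gate does with one client request."""
        if not self.applies(host, path):
            return "pass-through", {}
        if self.rule.logoff_path and path == self.rule.logoff_path:
            self.sessions.pop(cookie, None)           # logoff path clears the stored session
            return "logged-off", {}
        if cookie in self.sessions:
            upn, password = self.sessions[cookie]
            headers = {}
            if self.rule.delegation == "basic":       # HTTP Basic delegation to the backend
                token = base64.b64encode(f"{upn}:{password}".encode()).decode()
                headers["Authorization"] = f"Basic {token}"
            return "forward", headers
        if login is None:
            return "login-form", {}                   # no session yet: show the login form
        upn, password = login
        if self.directory.get(upn) != password:       # failed logon; "Failed only" alerts would log it
            return "login-form", {}
        new_cookie = secrets.token_hex(16)
        self.sessions[new_cookie] = (upn, password)   # credentials kept for the session lifetime
        return "session-created", {"Set-Cookie": new_cookie}
```

Note that the backend only ever sees requests carrying the delegated Authorization header, which is why the OWA virtual directories later in this document have to accept Basic authentication.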

c. Site Publish Policy

The Site Publish Policy is referenced by the Web Protection Profile and allows multiple Site Publish Rules to be used in one Web Protection Profile.

It can be accessed via Application Delivery / Site Publish / Site Publish Policy.

After creating a new entry, enter the name of the policy and click OK. After that, multiple Site Publish Rules can be added.

d. X-Forwarded-For

FortiWeb is running as a reverse proxy. This implies that all connections from the FortiWeb to the backend server will have the IP address of one of FortiWeb’s interfaces as source address.

To have the end user IP address in the log of the backend server, the IP address of the client can be forwarded as X-Forwarded-For header data in the request.


Select Server Objects / X-Forwarded-For / X-Forwarded-For and create a new entry.

Enter a name and select “Add X-Forwarded-For”. FortiWeb also offers several other, more flexible ways to include this information in the HTTP header.
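Because X-Forwarded-For is an ordinary request header, a backend should only believe it when the connection actually comes from FortiWeb, and it should read the address FortiWeb appended rather than anything the client may have sent itself. The following is an added example of such a backend-side check (not part of the original document or of FortiWeb); the proxy address 192.0.2.10 and the client addresses are constructed, and it assumes FortiWeb appends the client address to any existing header value.

```python
import ipaddress
from typing import Optional

# Constructed: the FortiWeb interface address the backend sees as TCP peer.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def is_trusted_proxy(addr: str) -> bool:
    """True when addr is one of the reverse proxies we accept X-Forwarded-For from."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log for a request.

    The header is trusted only when the TCP peer is a known proxy. The list is
    walked from the right, because each proxy appends its own peer: the rightmost
    address not belonging to a trusted proxy is the real client, and anything a
    client injected to the left of it is ignored.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr            # direct connection: the header could be forged
    if not xff_header:
        return peer_addr            # proxy did not add the header
    for hop in reversed(xff_header.split(",")):
        hop = hop.strip()
        if is_trusted_proxy(hop):
            continue                # skip our own proxy hops
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr        # malformed value: fall back to the peer address
    return peer_addr                # header contained only proxy addresses
```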

e. Inline Protection Profile

Create a new Inline Protection Profile in the menu structure Policy / Web Protection Profile / Inline Protection Profile.

Select a name, enable Session Management and select the X-Forwarded-For profile.

Scroll down to Site Publish and select the relevant profile.

f. Virtual Server

Create a new entry under Server Objects / Server / Virtual Server. Fill in the IP address on which FortiWeb should listen for connections from the internet:


g. Physical Server

Create a new entry under Server Objects / Server / Physical Server. Enter the IP address of the server that runs the published application:

h. Certificates

Certificates can be uploaded, or CSRs generated, under System / Certificates / Local. If you have an official, signed certificate you will need to upload the certificate of the signing authority (CA) and, depending on your authority, the intermediate CA certificates as well.

The FortiWeb documentation is available at http://docs.fortinet.com/fweb.html. The chapter about certificate handling starts with page 279.

i. Server Policy

The last step is now putting all the pieces together in the server policy. Open Policy / Server Policy / Server Policy and create a new entry.

Select all the previously configured objects:

• Virtual Server

• Physical Server

• Certificate


• Web Protection Profile

Then click OK.

FortiWeb is now listening on the specified address and will intercept connections going to the defined URL (in this example https://mail.fortiweb.lab/owa) and force a successful authentication before the client can send any further request to the application server.

Additional security can be configured, but this is out of scope for this document.


Changes to be made on Outlook Web Access side:

• Log in to https://url.to.owa.server/ecp

• Go to servers >> virtual directories

• Select ‘owa’ and click the little pencil icon

• Select ‘authentication’ and change value as shown below

• Select save

• Outlook Web Access administration now prompts to make the same change to the /ecp virtual folder

• Select ‘ecp’ and make the same change


Copyright © 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.