Fortinet 225 FortiWeb 5.0 Patch 6 Administration Guide
Offloading HTTP authentication & authorizationIf a web site does not support RFC 2617 HTTP authentication on its own, nor does it provide
HTML form-based authentication, you can use a FortiWeb appliance to authenticate
HTTP/HTTPS clients before they are permitted to access a web page.
Authentication can use either:
• locally-defined accounts
• remotely-defined accounts whose credentials are confirmed with the authentication server
via LDAP queries, RADIUS queries, and/or NTLM queries
Based upon the:
• end-user’s confirmed identity
•URL she or he is requesting
FortiWeb then applies rules for that account to determine whether or not to authorize each of
the user’s HTTP/HTTPS requests.
HTTP-based authentication provided by your FortiWeb can be used in conjunction with a web
site that already has authentication. However, it is usually used as a substitute for a web site
that lacks it, or where you have disabled it in order to offload it to the FortiWeb for performance
reasons.
To configure and activate end-user accounts
1. Define user accounts in either or both of the following ways:
• If you want to define end-user accounts on the FortiWeb, create a user name and
password record for each user. See “Configuring local end-user accounts” on page 227.
• If end-user account credentials are already defined on a remote authentication server,
configure a query to that server. See “Configuring LDAP queries” on page 228,
“Configuring RADIUS queries” on page 233, or “Configuring NTLM queries” on page 235 .
2. Group accounts and queries to create user groups. See “Grouping users” on page 236.
User authentication is not supported in all operation modes. See “Supported features in each
operation mode” on page 62.
Some compliance schemes, including PCI DSS, require that each person have sole access to
his or her account, and that that account be restricted from sensitive data such as cardholder
information unless it has a business need-to-know. Be aware of such requirements before you
begin. This can impact the number of accounts that you must create, as well as the number and
scope of authorization rules. Violations can be expensive in terms of higher processing fees,
being barred from payment transactions, and, in case of a security breach, penalties of up to
$500,000 per non-compliance.
Alternatively or additionally, you can require the end-user to present a personal certificate in
order to securely authenticate. See “How to apply PKI client authentication (personal
certificates)” on page 293.