Fortinet 225 FortiWeb 5.0 Patch 6 Administration Guide
Offloading HTTP authentication & authorization
If a web site does not support RFC 2617 HTTP authentication on its own and does not provide
HTML form-based authentication, you can use a FortiWeb appliance to authenticate
HTTP/HTTPS clients before they are permitted to access a web page.
Authentication can use either:
• locally-defined accounts
• remotely-defined accounts whose credentials are confirmed with the authentication server
via LDAP queries, RADIUS queries, and/or NTLM queries
Based upon the:
• end-user’s confirmed identity
• URL she or he is requesting
FortiWeb then applies rules for that account to determine whether or not to authorize each of
the user’s HTTP/HTTPS requests.
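The two-stage flow described above (authenticate the client with an RFC 2617 challenge, then authorize the request by account and URL) is shown below as an added Python example. It is not FortiWeb code and does not reflect how the appliance stores accounts or evaluates rules; the account store, the user names, the groups and the URL-prefix rules are all constructed for illustration. It models the local-account case only, not LDAP, RADIUS or NTLM queries.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

REALM = "protected"  # hypothetical realm name sent in the 401 challenge


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; never keep plaintext in the store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(password: str, group: str) -> Tuple[bytes, bytes, str]:
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt), group)


# Constructed local account store (hypothetical users): name -> (salt, hash, group).
ACCOUNTS: Dict[str, Tuple[bytes, bytes, str]] = {
    "alice": make_account("correct horse", "finance"),
    "bob": make_account("battery staple", "staff"),
}

# Constructed authorization rules: (URL prefix, groups allowed).
# Evaluated top to bottom; the first matching prefix decides; no match denies.
RULES: List[Tuple[str, List[str]]] = [
    ("/cardholder/", ["finance"]),
    ("/", ["finance", "staff"]),
]


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send (for tests/demo)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the verified user name, or None if the header is absent or invalid."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = ACCOUNTS.get(user)
    # Hash even for unknown users so response time does not reveal valid names;
    # the dummy salt/hash are the same length as real ones.
    salt, stored, _ = record if record else (b"\x00" * 16, b"\x00" * 32, "")
    candidate = _hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return None
    return user


def authorize(user: str, path: str) -> bool:
    """Apply the URL-prefix rules to the authenticated user's group."""
    group = ACCOUNTS[user][2]
    for prefix, groups in RULES:
        if path.startswith(prefix):
            return group in groups
    return False


def handle(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request, before it reaches the web site."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        # RFC 2617 challenge; charset is the RFC 7617 extension.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    if not authorize(user, path):
        return 403, {}
    return 200, {"X-Authenticated-User": user}


if __name__ == "__main__":
    print(handle("/cardholder/report", {}))
    print(handle("/cardholder/report", {"Authorization": basic_header("bob", "battery staple")}))
    print(handle("/cardholder/report", {"Authorization": basic_header("alice", "correct horse")}))
```

The unauthenticated and wrong-password cases both get the same 401 challenge, and an authenticated user who fails the URL rule gets 403 rather than another challenge, so the client is not prompted to retry credentials that are already correct. Basic credentials are only base64-encoded, not encrypted, so this scheme should be offered over HTTPS.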
HTTP-based authentication provided by your FortiWeb can be used in conjunction with a web
site that already has authentication. However, it is usually used as a substitute for a web site
that lacks it, or where you have disabled it in order to offload it to the FortiWeb for performance
reasons.
To configure and activate end-user accounts
1. Define user accounts in either or both of the following ways:
• If you want to define end-user accounts on the FortiWeb, create a user name and
password record for each user. See “Configuring local end-user accounts” on page 227.
• If end-user account credentials are already defined on a remote authentication server,
configure a query to that server. See “Configuring LDAP queries” on page 228,
“Configuring RADIUS queries” on page 233, or “Configuring NTLM queries” on page 235.
2. Group accounts and queries to create user groups. See “Grouping users” on page 236.
User authentication is not supported in all operation modes. See “Supported features in each
operation mode” on page 62.
Some compliance schemes, including PCI DSS, require that each person have sole access to
his or her account, and that the account be restricted from sensitive data such as cardholder
information unless there is a business need-to-know. Be aware of such requirements before
you begin. They can affect the number of accounts that you must create, as well as the number
and scope of authorization rules. Violations can be expensive in terms of higher processing
fees, being barred from payment transactions, and, in case of a security breach, penalties of up
to $500,000 per incident of non-compliance.
Alternatively or additionally, you can require the end-user to present a personal certificate in
order to securely authenticate. See “How to apply PKI client authentication (personal
certificates)” on page 293.