Fortinet 5.0 Patch 6

Fortinet 493 FortiWeb 5.0 Patch 6 Administration Guide

Certificate

Verification

Select the name of a certificate verifier, if any, to use when an HTTP

client presents its personal certificate. (If you do not select one, the

client is not required to present a personal certificate. See also “How

to apply PKI client authentication (personal certificates)” on

page 293.)

Personal certificates, sometimes also called user certificates,

establish the identity of the person connecting to the web site (PKI

authentication).

You can require that clients present a certificate alternatively or in

addition to HTTP authentication (see “Offloading HTTP authentication

& authorization” on page 225).

This option appears only if an HTTPS Service is selected, and only

applies if the FortiWeb appliance is operating in reverse proxy mode.

(For transparent proxy mode, configure this setting in the server farm

instead. See Certificate Verification in “Grouping your web servers

into server farms” on page 256.)

Note: The client must support SSL 3.0 or TLS 1.0.

Client Certificate

Forwarding

Enable to include the X.509 personal certificate presented by the

client during the SSL/TLS handshake, if any, in an X-Client-Cert:

HTTP header when forwarding the traffic to the protected web server.

FortiWeb will still validate the client certificate itself, but this can be

useful if the web server requires the client certificate for the purpose

of server-side identity-based functionality.

This option appears only if a Certificate Verification rule is selected.

Certificate

Intermediate

Group

Select the name of a group of intermediate certificate authority (CA)

certificates, if any, that will be presented to clients in order to

complete the signing chain for them to validate the server certificate’s

CA signature.

If clients receive certificate warnings that the server certificate

configured in Certificate has been signed by an intermediary CA,

rather than directly by a root CA or other CA currently trusted by the

client, configure this option.

Alternatively, include the entire signing chain in the server certificate

itself before uploading it to the FortiWeb appliance, thereby

completing the chain of trust with a CA already known to the client.

See “Uploading a server certificate” on page 289 and

“Supplementing a server certificate with its signing chain” on

page 291.

This option appears only if HTTPS Service is enabled and the

FortiWeb appliance is operating in reverse proxy mode.

Persistence

Timeout

Type the timeout for inactive TCP connections.

This option appears only if Deployment Mode is Server Balance or

Transparent Servers.

Setting name Description