TBC
Contributor

Create own Reverse Authentication WebSite in front of WebApplication

Hello dear forum community,


I am quite new to FortiWeb and therefore ask for some indulgence.


Have set up access via LDAPs to the AD
Access to a simple website using server pool and virtual server.

 

What I need is the following:
Access to WebApplication with upstream login page via Reverse Authentication and LDAP user/group.
Once the login is done, the login to the web application should be done automatically.

How can I create my own "upstream" web pages for reverse authentication?

 

Under System - Config - Replacement Messages I found something, but I can't edit any of the preset pages like the login page.

 

If someone has a simple example, that would be great.

 

wrbgrds TBC

Ps. greetings from Germany

 

abelio
Valued Contributor

Hello and welcome to the forum,

Your question covers different aspects that you'll need to put together in sequential order.

HTTP authentication is a bit limited for your needs, so go for Site Publishing directly.

 

One possible sequence could be:

 

1- Define (and test) your LDAP auth scheme.
  User -> Remote Server -> LDAP server. (For AD, Fortinet recommends 3269 or 636 as Server Port to transmit user credentials.)

 

2- Define an authentication server pool (Application Delivery -> Site Publish -> Authentication Server Pool) and add the LDAP server defined in 1).

 

3- Application Delivery -> Site Publish -> Site Publish Rule
   Everything is adjusted here according to your specific web application (path, URLs, auth delegation, or not, to HTML form, etc.)

As with many things in FortiWeb, to be able to use a rule, you have to put it in a policy.
So, define a site publishing policy and include in it your defined site publishing rule(s).

4- Then, you can use the site publishing policy in your web protection profile
    (Policy -> Web Protection Profile -> Inline Protection Profile -> (your Web prot prof) -> Applic Delivery -> Site Publish)

 

5- Finally, that web protection profile is applied in the relevant Server Policy publishing your application.

 

There are some other adjustments to take into consideration, such as importing certificates if you want to use (as said) LDAPS, session management enabled, etc., but in general terms, this sequence could be a way to do it.

 

 

Best regards

 

 

 


regards / Abel
TBC

Hello Abelio,

 

Many, many thanks for helping!

Step 3 was the one I was missing; after configuring that, authentication of an AD user was possible!

There is one more open issue on that:

What do I need to do to have a login page instead of a login popup?

As I wrote before, editing System - Config - Replacement Messages is not possible. I am using the admin user for that.

TBC_0-1643632754098.png

What I would like to do is something like this:

TBC_1-1643632978418.png

Is that possible?

 

Many, many thanks!!!

Have a good start to the week

greetings TBC

 

 

TBC
Contributor

Hello @All,

We have found out how we can modify our own login page by double-clicking the login page.

We have also generated our new login page under "System/Config/Replacement Message" based on a template.

Under "Policy/Server Policy" we added the "Replacement Message".

TBC_0-1644240046358.png

 

But if we open the URL we only get the login popup.

TBC_1-1644240091067.png

What are we doing wrong?

Is there anything else we need to do?

 

Many thanks

TBC

 

TBC
Contributor

Is there no one who can help?

Many thanks

TBC

 
