This document provides instructions for using FortiWeb to publish and protect access to Microsoft Outlook Web App (OWA). It describes creating an LDAP query, site publishing rules, a site publishing policy, an X-Forwarded-For rule, a web protection profile, a virtual server, server pool, and server policy to authorize clients, forward client IP addresses, and intercept and filter traffic to protect the OWA application.

Publish OWA using FortiWeb

cookbook.fortinet.com/publish-outlook-web-app-owa-using-fortiweb/

Craig Poile 17/3/2016


You can use FortiWeb’s site publishing features to authorize clients that want to connect
to web applications such as Microsoft’s Outlook Web App (OWA).

This site publishing feature can replace the web publishing functionality provided by
Microsoft’s Threat Management Gateway (TMG). FortiWeb also provides
additional security features that protect the application after a successful login.

You create the FortiWeb configuration that publishes and protects web applications using
a server policy.

A server policy is made up of several other configuration objects, including:

Web protection profile — A set of security-related configuration objects.
Virtual server — The IP address where FortiWeb receives client requests for access to the web application.
Server pool — A backend server or servers where the web application is located.
Certificate — Certificate to use for SSL encryption.

The numbers in the illustration correspond to the recipe instructions for the configuration
objects.

This recipe assumes that:

Basic configuration is complete, including IP addresses, routing, and DNS information.
The operating mode is reverse proxy (the destination for requests for the web application is a virtual server IP address on FortiWeb, not the back-end server where the application resides).

FortiWeb configuration

1. LDAP query
Go to User > Remote Server > LDAP Server and create a new entry.

In this example, users log in using their full mail address. Therefore, the
Common Name Identifier value is the Active Directory field
userPrincipalName.

(Other applications or configurations may require different login information.)

To obtain the Distinguished Name field:

1. On the domain controller, start the adsiedit.msc tool.


2. Click Action > Connect to.
3. Click OK.
4. Browse to the CN=Users folder.
5. Select a user (for example, CN=Administrator) and then select its
properties.
6. Scroll down to Distinguished Name field to view the value to use
in FortiWeb.

For more information on creating the LDAP query, see LDAP query best
practices and tips.

2. Site publish rule

Go to Application Delivery > Site Publish > Site Publish Rule.

Name is a unique identifier for the rule.

Published Site and Path specify the URL the client uses to access
OWA. FortiWeb intercepts requests for this URL and forces the clients
to pre-authenticate.

Because the path for OWA starts with /owa, the URL is:

https://mail.fortiweb.lab/owa

Published Server Log Off Path specifies the path FortiWeb uses to log off
a user. For OWA, it is /owa/logoff.owa.

Client Authentication Method specifies how FortiWeb prompts the client
to enter the authentication credentials. For example, via HTTP Basic
Authentication or a predefined form (shown at right).

LDAP Server is the LDAP configuration you created earlier.

Authentication Delegation specifies whether FortiWeb sends the credentials the client enters to the back-end server.

For example, select No Delegation when the web application has no authentication of its own or uses HTML form-based authentication. Select HTTP Basic Authentication to forward the client's credentials to the web application in an HTTP Authorization: header. Basic authentication only Base64-encodes the credentials and does not protect them, so the connection from FortiWeb to the server pool should itself use HTTPS.

Because FortiWeb stores the credentials for the length of the session, it
can forward the credentials to other application servers without requiring the
client to re-enter the password. To enable this functionality, select SSO
Support and specify an SSO Domain value.

Alert Type specifies which logon events FortiWeb writes to event log (none,
failed only, successful only, or all).

3. Site publish policy

You use a site publish policy to add site publish rules to a web protection profile. A single policy can contain multiple site publish rules.

To create a new policy, go to Application Delivery > Site Publish > Site
Publish Policy. Create a new entry, enter the policy name, and then click
OK. Then, you can add one or more site publish rules to the policy.

4. X-Forwarded-For rule

Because the operating mode is reverse proxy, the source address of all connections from FortiWeb to the back-end server is the IP address of one of the FortiWeb interfaces.

To provide the client IP address in the log of the back-end server, you can have FortiWeb insert the client's IP address into the request in an X-Forwarded-For: header.

Go to Server Objects > X-Forwarded-For > X-Forwarded-For and create a new entry. Enter a name and select Add X-Forwarded-For.

(These settings also provide alternative methods to include this information in requests.)

Because any client can send its own X-Forwarded-For: header, the back-end server should honour the header only on connections that arrive from FortiWeb's addresses, and direct access to the server pool that bypasses FortiWeb should be blocked.
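The following is an added example, not code from the Fortinet cookbook, showing how a back-end application should read X-Forwarded-For when it sits behind a reverse proxy such as FortiWeb. The proxy address 10.10.1.5, the client addresses and the header values are constructed; the proxy-side helper assumes the proxy appends the TCP peer address to any header the client already sent, which is how most reverse proxies behave (check the FortiWeb documentation for its exact behaviour).

```python
"""Added example (not part of the Fortinet cookbook): reading X-Forwarded-For
safely on a back-end that sits behind a reverse proxy.  All addresses and
header values below are constructed."""
import ipaddress

# Constructed: the FortiWeb interface address(es) that connect to the server pool.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.1.5/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def proxy_add_xff(client_header, client_peer):
    """Models the proxy's 'Add X-Forwarded-For' step as appending the TCP peer
    address to whatever header the client sent (assumption, see lead-in)."""
    return "%s, %s" % (client_header, client_peer) if client_header else client_peer


def client_ip(remote_addr, xff_header):
    """Address the back-end should log or authorize.

    The header is honoured only when the TCP peer is a trusted proxy; it is
    then read right-to-left, skipping trusted hops, because only the rightmost
    entries were written by our own proxies.  Anything to the left came from
    the client and may be forged."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                      # forged or garbled entry: stop trusting the chain
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    forged = proxy_add_xff("1.2.3.4", "203.0.113.7")   # client sent its own header
    print(forged, "->", client_ip("10.10.1.5", forged))
    print("direct connection ->", client_ip("198.51.100.9", "1.2.3.4"))
```

With the forged header the back-end still logs 203.0.113.7, the address FortiWeb appended, and a request that reaches the server directly from 198.51.100.9 has its header ignored entirely.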

5. Web protection profile

Go to Policy > Web Protection Profile > Inline Protection Profile.

Instead of creating a new profile, you can clone the predefined profile for
Exchange 2013, and then configure the cloned profile to suit your
environment.

Enter a name, enable Session Management and select the X-Forwarded-For profile you created earlier.

At the bottom of the profile configuration, under Application Delivery, for Site Publish, select the site publish policy that you created earlier.

6. Virtual server
Go to Server Objects > Server > Virtual Server and create a new entry
that specifies the IP address that FortiWeb listens to for connections from
the Internet.

7. Server pool
Go to Server Objects > Server > Server Pool. Create a new pool that is a single server pool (the default). Then, add a new pool member by specifying the IP address of the server that runs the published application.

8. Certificates
To upload certificates or generate certificate signing requests, go to System > Certificates > Local.

If you have a certificate signed by a public or enterprise CA, also upload the certificate of the signing authority (CA). Depending on your CA, you may also need to upload any intermediate CA certificates so that clients receive the complete chain.

The FortiWeb Administration Guide includes detailed information about uploading certificates. For
example, see “How to offload or inspect HTTPS”.

9. Server policy

Go to Policy > Server Policy > Server Policy and create a new entry.

Select the configuration objects that you created earlier:

Virtual server
Server pool
Certificate
Web protection profile (inline)

FortiWeb now listens on the specified IP address and intercepts connections destined for the URL defined in the site publishing rule (in this example, https://mail.fortiweb.lab/owa). The client must successfully complete authentication before it can send any further requests to the application server.

You can configure additional security features, but these are outside the
scope of this recipe.

Outlook Web App configuration

Log in to the Exchange Control Panel. The default URL is:

https://..com/ecp

Go to servers > virtual directories.

Select the owa entry, and then click the pencil icon (edit).

Select authentication, and then select Use one or more standard authentication methods and Basic authentication.

Select Save.

Outlook Web App administration prompts you to make the same change to the ecp virtual directory.

Select the ecp entry and make the same setting changes as you did for the owa entry.

Because Basic authentication is now enabled on the owa and ecp virtual directories, make sure the Exchange server accepts connections to them only from FortiWeb, so that the pre-authentication cannot be bypassed by connecting to the server directly.

LDAP query best practices and tips

In most cases, the AD attribute sAMAccountName is the container used for authentication and the appropriate value for Common Name Identifier.

However, in some environments, the userPrincipalName (email address) is the required or preferred container (for example, for networks that use a domain forest).

For Server Port: to search for AD objects more efficiently, specify 3268 (the Global Catalog port) instead of the default LDAP port 389. Fortinet recommends that you transmit user credentials securely by specifying 3269 (Global Catalog over SSL, for more efficient searching) or the LDAPS port 636. A simple bind over plain LDAP on 389 or 3268 sends the password in clear text.

Distinguished Name specifies the Base DN from which to start the LDAP query.

Filter allows you to improve the speed and efficiency of the queries. If Common Name Identifier is userPrincipalName, use that attribute in the Filter value. The example configuration uses the search filter:

(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))

If the query does not work when you specify the LDAP Distinguished Name for User DN, use the UPN (User Principal Name) instead. In most cases, the UPN (email address) format produces the best results.

For Windows Server 2003 SP2 and later, the filter can use the matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which matches members of a group including members of its nested groups. The rule takes a full group DN and uses the extensible-match syntax attribute:OID:=value. For example, using the environment described below:

(memberOf:1.2.840.113556.1.4.1941:=CN=normal_group,OU=Test_Users,DC=domain,DC=com)

The following example filter matches multiple groups:

(&(objectCategory=group)(|(cn=Test*)(cn=Admin*)))

The example filters that follow are based on the following example environment:

Directory: DC=domain,DC=com
  OU=Test_Users
    CN=internet_group
      Matthew Vassallo (user)
    CN=normal_group
      Kenneth Grech (user)

Query multiple groups (method 1):
(&(memberOf=CN=*,OU=Test_Users,DC=domain,DC=com)(sAMAccountName=*))

Query multiple groups (method 2):
(&(|(memberOf=CN=normal_group,OU=Test_Users,DC=domain,DC=com)(memberOf=CN=internet_group,OU=Test_Users,DC=domain,DC=com))(sAMAccountName=%s))

Method 1 relies on a wildcard in the DN-valued memberOf attribute, and Active Directory does not support wildcards in DN-syntax attributes; method 2, which names each group DN explicitly, is the reliable form.

Query all users by sAMAccountType:
(sAMAccountType=805306368)

Exclude users in a specific group from the query:
(!(memberOf=cn=TestGroup,OU=Groups,DC=DOMAIN,DC=com))

Query for non-disabled users in a group:
(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

In the last filter, 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND and 2 is the ACCOUNTDISABLE bit of userAccountControl, so the negated clause keeps only enabled accounts.
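To show what the filters above select, and why the value substituted for a user name (the %s placeholder in method 2) has to be escaped, here is an added example that is not part of the Fortinet cookbook: a minimal RFC 4515 filter parser and evaluator run over constructed directory entries modelled on the example environment above. The account names (mvassallo, kgrech, olduser, svc_backup), the userAccountControl values and the short objectCategory form are constructed; the group DNs are those of the environment. Only equality, wildcards, &, |, ! and the bitwise-AND matching rule are modelled.

```python
"""Added example (not from the Fortinet cookbook): a small RFC 4515 filter
parser/evaluator over constructed AD-like entries, plus the escaping a filter
needs when a user-supplied value replaces a %s placeholder."""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 0x2               # userAccountControl flag: account disabled

NORMAL = "CN=normal_group,OU=Test_Users,DC=domain,DC=com"
INTERNET = "CN=internet_group,OU=Test_Users,DC=domain,DC=com"


def _user(sam, uac, groups):
    # Constructed entry; objectCategory kept in the short form AD accepts in filters.
    return {"sAMAccountName": [sam], "objectCategory": ["person"],
            "objectClass": ["top", "person", "user"], "sAMAccountType": ["805306368"],
            "userAccountControl": [str(uac)], "memberOf": groups}

ENTRIES = [
    _user("mvassallo", 512, [INTERNET]),                  # Matthew Vassallo
    _user("kgrech", 512, [NORMAL]),                       # Kenneth Grech
    _user("olduser", 512 | UF_ACCOUNTDISABLE, [NORMAL]),  # disabled account
    _user("svc_backup", 512, []),                         # in neither group
]


def escape_filter_value(value):
    """RFC 4515 escaping so '*', '(', ')', '\\' or NUL typed into a login form
    cannot change the structure of the filter they are substituted into."""
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def parse(s, i=0):
    """Recursive-descent parse of one parenthesised filter; returns (node, end)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s list" % op)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", [node]), i + 1
    j = s.index(")", i)                    # escaped values contain no raw ')'
    attr, _, value = s[i:j].partition("=")
    rule = None
    if ":" in attr:                        # extensible match: attr:OID:=value
        attr, rule = attr.rstrip(":").split(":", 1)
    return ("=", (attr.lower(), rule, value)), j + 1


def _unescape(piece):
    # Undo \xx escapes (ASCII escapes only in this model).
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _matches(pattern, actual):
    """AD string matching is case-insensitive; '*' is a wildcard, '\\2a' a literal '*'."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def evaluate(node, entry):
    kind, payload = node
    if kind == "&":
        return all(evaluate(k, entry) for k in payload)
    if kind == "|":
        return any(evaluate(k, entry) for k in payload)
    if kind == "!":
        return not evaluate(payload[0], entry)
    attr, rule, value = payload
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if rule is None:
        return any(_matches(value, v) for v in values)
    if rule == BIT_AND:
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    raise NotImplementedError("matching rule %s is not modelled" % rule)


def search(filter_str, entries=ENTRIES):
    """Return the sorted sAMAccountNames matched by filter_str."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return sorted(e["sAMAccountName"][0] for e in entries if evaluate(node, e))

GROUP_FILTER = "(|(memberOf=%s)(memberOf=%s))" % (NORMAL, INTERNET)


def auth_filter(username):
    """'Query multiple groups (method 2)' with %s filled in safely."""
    return "(&%s(sAMAccountName=%s))" % (GROUP_FILTER, escape_filter_value(username))


def unsafe_auth_filter(username):
    """Same filter with raw substitution: a user name of '*' matches every group member."""
    return "(&%s(sAMAccountName=%s))" % (GROUP_FILTER, username)


if __name__ == "__main__":
    for f in ["(sAMAccountType=805306368)", auth_filter("kgrech"),
              unsafe_auth_filter("*"), auth_filter("*")]:
        print(f, "->", search(f))
```

Running the non-disabled-users filter from the table against these entries returns only kgrech: olduser is excluded by the bit-AND test and mvassallo is in the other group. The last two lines of the demo show the point of escaping: with raw substitution a user name of `*` satisfies the sAMAccountName clause for every member of both groups, while the escaped `\2a` matches only a literal asterisk and returns nothing.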

For further reading, check out “Users” in the FortiWeb Administration Guide.

Craig Poile is a Technical Writer at Fortinet.
