Publish OWA using FortiWeb

You can use FortiWeb’s site publishing features to authorize clients that want to connect to web applications such as Microsoft’s Outlook Web App (OWA).

This site publishing feature can replace the web publishing functionality provided by Microsoft’s Threat Management Gateway (TMG). FortiWeb also provides additional security features that protect the application after a successful login.

You create the FortiWeb configuration that publishes and protects web applications using a server policy.

A server policy is made up of several other configuration objects, including:

  • Web protection profile — A set of security-related configuration objects.
  • Virtual server — The IP address where FortiWeb receives client requests for access to the web application.
  • Server pool — A back-end server or servers where the web application is located.
  • Certificate — Certificate to use for SSL encryption.

The numbers in the illustration correspond to the recipe instructions for the configuration objects.

This recipe assumes that:

  • Basic configuration is complete, including IP addresses, routing, and DNS information.
  • The operating mode is reverse proxy (the destination for requests for the web application is a virtual server IP address on FortiWeb, not the back-end server where the application resides).

FortiWeb configuration

1. LDAP query

Go to User > Remote Server > LDAP Server and create a new entry.

In this example, users log in using their full mail address. Therefore, the Common Name Identifier value is the Active Directory field userPrincipalName.

(Other applications or configurations may require different login information.)

To obtain the Distinguished Name field:

  1. On the domain controller, start the adsiedit.msc tool.
  2. Click Action > Connect to.
  3. Click OK.
  4. Browse to the CN=Users folder.
  5. Select a user (for example, CN=Administrator) and then select its properties.
  6. Scroll down to Distinguished Name field to view the value to use in FortiWeb.

For more information on creating the LDAP query, see LDAP query best practices and tips.


2. Site publish rule

Go to Application Delivery > Site Publish > Site Publish Rule and create a new entry.

Name is a unique identifier for the rule.

Published Site and Path specify the URL the client uses to access OWA. FortiWeb intercepts requests for this URL and forces the clients to pre-authenticate.

Because the path for OWA starts with /owa, the URL is:


Published Server Log Off Path specifies the path FortiWeb uses to log off a user. For OWA, it is /owa/logoff.owa.

Client Authentication Method specifies how FortiWeb prompts the client to enter the authentication credentials. For example, via HTTP Basic Authentication or a predefined form (shown at right).

LDAP Server is the LDAP configuration you created earlier.

Authentication Delegation specifies whether FortiWeb sends the credentials the client enters to the back-end server.

For example, select No Delegation when the web application has no authentication of its own or uses HTML form-based authentication. Select HTTP Basic Authentication to use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application.

Because FortiWeb stores the credentials for the length of the session, it can forward the credentials to other application servers without requiring the client to re-enter the password. To enable this functionality, select SSO Support and specify an SSO Domain value.

Alert Type specifies which logon events FortiWeb writes to event log (none, failed only, successful only, or all).


3. Site publish policy

You use a site publish policy to add site publish rules to a web protection profile. A site publish policy can contain multiple site publish rules.

To create a new policy, go to Application Delivery > Site Publish > Site Publish Policy. Create a new entry, enter the policy name, and then click OK. Then, you can add one or more site publish rules to the policy.



4. X-Forwarded-For rule


Because the operating mode is reverse proxy, the source address of all connections from the FortiWeb to the back-end server is the IP address of one of the FortiWeb interfaces.

To provide the client IP address in the log of the back-end server, you can forward the client's IP address in the request in an X-Forwarded-For: header.

Go to Server Objects > X-Forwarded-For > X-Forwarded-For and create a new entry. Enter a name and select Add X-Forwarded-For.

(These settings also provide alternative methods to include this information in requests.)


5. Web protection profile


Go to Policy > Web Protection Profile > Inline Protection Profile.

Instead of creating a new profile, you can clone the predefined profile for Exchange 2013, and then configure the cloned profile to suit your environment.

Enter a name, enable Session Management and select the X-Forwarded-For profile you created earlier.

At the bottom of the profile configuration, under Application Delivery, for Site Publish, select the site publish policy that you created earlier.

6. Virtual server

Go to Server Objects > Server > Virtual Server and create a new entry that specifies the IP address that FortiWeb listens to for connections from the Internet.

7. Server pool

Go to Server Objects > Server > Server Pool. Create a new pool that is a single server pool (the default). Then, add a new pool member by specifying the IP address of the server that runs the published application.

8. Certificates

To upload certificates or generate certificate signing requests, go to  System > Certificates > Local.

If you have an official, signed certificate, also upload the certificate of the signing certificate authority (CA). Depending on your CA, you may also need to upload the intermediate CA certificates.

The FortiWeb Administration Guide includes detailed information about uploading certificates. For example, see “How to offload or inspect HTTPS”.

9. Server policy

Go to Policy > Server Policy > Server Policy and create a new entry.

Select the configuration objects that you created earlier:

  • Virtual server
  • Server pool
  • Certificate
  • Web protection profile (inline)

FortiWeb now listens on the specified IP address and intercepts connections destined for the URL defined in the site publishing rule (in this example, https://mail.fortiweb.lab/owa). The client must successfully complete authentication before it can send any further requests to the application server.

You can configure additional security features, but these are outside the scope of this recipe.


Outlook Web App configuration

Log in to the Exchange Control Panel. The default URL is:


Go to servers > virtual directories.

Select the owa entry, and then click the pencil icon (edit).


Select authentication, and then select Use one or more standard authentication methods and Basic authentication.

Select Save.

Outlook Web Access administration prompts you to make the same change to the /ecp virtual folder.

Select the ecp entry and make the same setting changes as you did for the owa entry.


LDAP query best practices and tips

In most cases, the AD attribute sAMAccountName is the container used for authentication and the appropriate value for Common Name Identifier.

However, in some environments, the userPrincipalName (email address) is the required or preferred container (for example, for networks that use a domain forest).

For Server Port:

  • To search for AD objects more efficiently, specify 3268 instead of the default LDAP port 389.
  • Fortinet recommends that you transmit user credentials securely by specifying 3269 (for more efficient searching) or the LDAP port 636.

Distinguished Name specifies the Base DN from which to start the LDAP query.

Filter allows you to improve the speed and efficiency of the queries. If Common Name Identifier is userPrincipalName, use that attribute in the Filter value.

If the query does not work when you specify the LDAP Distinguished Name for User DN, use the UPN (User Principal Name) instead.

In most cases, the UPN (email address) format produces the best results.


Search Filter – (&(objectCategory=person)(objectClass=user)(sAMAccountName=*))

For Windows 2003 SP2 and later, the filter can use the string identifier LDAP_MATCHING_RULE_IN_CHAIN (Matching rule OID 1.2.840.113556.1.4.1941). For example:


The following example filter matches multiple groups:



The example filters that follow are based on the following example environment:

Directory: DC=domain,DC=com
  + Test_Users
      - Matthew Vassallo (user)
      - Kenneth Grech (user)


Query multiple groups (method 1)


Query multiple groups (method 2)



Query all users by sAMAccount type

Exclude users in a specific group from the query

(!(memberOf=cn=TestGroup,OU=Groups,DC=DOMAIN,DC=com))

Query for non-disabled users in a group

(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
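The group, exclusion and non-disabled filters above, composed and checked in Python as an added example that is not part of the FortiWeb recipe. The DNs, logins and userAccountControl values are constructed sample data, and the RFC 4515 escaping of the login value is a general precaution for any value placed in a filter, not a step described on the page.

```python
# Added example, not part of the FortiWeb recipe: composes the Active Directory
# filters discussed above and applies the same predicates to a constructed set of
# user entries, so the memberOf exclusion and the userAccountControl "disabled"
# bit can be checked offline. All DNs, logins and users below are sample values.
ACCOUNTDISABLE = 2                    # userAccountControl bit for a disabled account
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND (OID used on the page)

def escape_value(value):
    """RFC 4515 escaping for any value placed inside a filter (e.g. the login a user typed)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_filter(cn_identifier, login, group_dn=None, exclude_group_dn=None, enabled_only=False):
    """Return the (&...) filter for one login attempt from the page's building blocks."""
    parts = ["(objectCategory=person)", "(objectClass=user)",
             f"({cn_identifier}={escape_value(login)})"]
    if group_dn:                      # "users in a group"
        parts.append(f"(memberOf={escape_value(group_dn)})")
    if exclude_group_dn:              # "exclude users in a specific group"
        parts.append(f"(!(memberOf={escape_value(exclude_group_dn)}))")
    if enabled_only:                  # "non-disabled users"
        parts.append(f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))")
    return "(&" + "".join(parts) + ")"

def matches(entry, group_dn=None, exclude_group_dn=None, enabled_only=False):
    """Evaluate the same predicates against one directory entry (a plain dict)."""
    groups = entry.get("memberOf", [])
    if group_dn and group_dn not in groups:
        return False
    if exclude_group_dn and exclude_group_dn in groups:
        return False
    return not (enabled_only and entry["userAccountControl"] & ACCOUNTDISABLE)

# Constructed sample directory: an enabled user, a disabled user (512 + 2) and a
# service account that is also in the group to be excluded
EUROPE = "CN=All Europe,OU=Global,DC=domain,DC=com"
TESTGROUP = "CN=TestGroup,OU=Groups,DC=domain,DC=com"
DIRECTORY = [
    {"userPrincipalName": "matthew.vassallo@domain.com", "memberOf": [EUROPE], "userAccountControl": 512},
    {"userPrincipalName": "kenneth.grech@domain.com", "memberOf": [EUROPE], "userAccountControl": 514},
    {"userPrincipalName": "svc.backup@domain.com", "memberOf": [EUROPE, TESTGROUP], "userAccountControl": 66048},
]

def select_users(**criteria):
    """UPNs of the entries that satisfy the given criteria, in directory order."""
    return [e["userPrincipalName"] for e in DIRECTORY if matches(e, **criteria)]

if __name__ == "__main__":
    print(build_filter("userPrincipalName", "matthew.vassallo@domain.com", group_dn=EUROPE, enabled_only=True))
    print(select_users(group_dn=EUROPE, exclude_group_dn=TESTGROUP, enabled_only=True))
```

The 66048 value (0x10200) is a normal account with "password never expires" set, so it passes the disabled check but is dropped by the TestGroup exclusion.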

For further reading, check out “Users” in the FortiWeb Administration Guide.