Add Web App Authentication
This page describes how to add a web app authentication profile.
1. Go to Device Configuration > Protect > Web Server > Authentication Policies and click Add.
2. Enter values for the following settings:
Name
Enter a descriptive name for the web app authentication profile.
Description
Enter a description or other information.
3. Configure the settings for Client Authentication.
Mode
Select how the users should authenticate at the Web Application Firewall.
Basic: Users authenticate with HTTP basic authentication, entering username and password. As the credentials are sent unencrypted with this mode, it should be used over HTTPS. With this mode, no session cookies will be generated and a dedicated logout is not possible.
Form: Users will be presented with a form where they have to enter their credentials. With this mode, session cookies will be generated and a dedicated logout is possible. The form template to be used can be selected in the Web App Auth Template list. Besides the default form template, the list shows the forms that have been defined on the Web App Auth Templates page.
Basic Prompt
(only with Basic mode)
The realm is a unique string that provides additional information on the login page and is used for user orientation.
* These characters are allowed for the Basic Prompt: A-Z a-z 0-9 , ; . : - _ ' + = ) ( & % $ ! ^ < > | @
Web App Auth Template
Select the form template that will be presented to the users for authentication. Form templates are defined on the Web App Auth Templates page.
User or Groups
Select the users or user groups that should be assigned to this web app authentication profile. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group.
* Sometimes users should be required to use the User Principal Name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers.
4. Configure the settings for Authentication Forwarding.
Mode
Select how the Web Application Firewall authenticates against the real webservers. The mode has to match the webservers' authentication settings.
Basic: Authentication works with HTTP basic authentication, providing username and password.
None: There is no authentication between WAF and the webservers. Note that even if your real webservers do not support authentication, users will be authenticated via the frontend mode.
User name affix
(only with Basic Authentication Forwarding mode)
Select an affix for the username and enter it into the corresponding field. Affixes are useful when working with domains and email addresses.
None
Prefix
Suffix
Prefix & Suffix
* Prefix and suffix are added automatically if the user enters only their username. They are not added if the user enters them. Example: If the suffix is @testdomain.de and the user enters the username test.user, the suffix is added. If the user enters test.user@testdomain.de, the suffix is ignored.
Remove Basic Header
(only with None Authentication Forwarding)
Enable to not send the basic header from Sophos Firewall OS to the real webserver.
5. Configure the settings for the User Session.
Session Timeout
Enable to set a timeout for the user session. Users who do not perform any action on the virtual webserver within this interval have to log in again to confirm their credentials.
Limit To
(only if Session Timeout is enabled)
Set an interval for the session timeout. Default is 5 minutes.
Session Lifetime
Enable to set a hard limit for how long users may remain logged in, regardless of activity in the meantime.
Limit To
(only if Session Lifetime is enabled)
Set a value for the session lifetime. Default is 8 hours.
6. Click Save.
 
The Web App Authentication profile is created and appears in the Web App Authentication list.
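
The two User Session limits from step 5 interact: Session Timeout is reset by activity, Session Lifetime is not. The following is an added example that models this, not Sophos code; the function names, the state labels, the inclusive boundary comparison and the request timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defaults stated on this page; None models the setting being disabled.
DEFAULT_IDLE_TIMEOUT = timedelta(minutes=5)
DEFAULT_LIFETIME = timedelta(hours=8)


@dataclass
class SessionPolicy:
    idle_timeout: Optional[timedelta] = DEFAULT_IDLE_TIMEOUT  # Session Timeout
    lifetime: Optional[timedelta] = DEFAULT_LIFETIME          # Session Lifetime


def session_state(policy, login_at, last_activity, now):
    """Return 'active', 'idle_timeout' or 'lifetime_exceeded' (hypothetical labels)."""
    # Hard limit first: it applies regardless of activity in the meantime.
    if policy.lifetime is not None and now - login_at >= policy.lifetime:
        return "lifetime_exceeded"
    # Idle limit: measured from the last accepted request, not from login.
    if policy.idle_timeout is not None and now - last_activity >= policy.idle_timeout:
        return "idle_timeout"
    return "active"


def simulate(policy, request_offsets):
    """Replay constructed request times (offsets from login) and return the
    offset at which the user is first forced to log in again, or None."""
    login_at = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    last_activity = login_at
    for offset in request_offsets:
        now = login_at + offset
        if session_state(policy, login_at, last_activity, now) != "active":
            return offset
        last_activity = now  # each accepted request resets the idle clock
    return None


# Constructed traffic: one request every 4 minutes for 10 hours.
BUSY_USER = [timedelta(minutes=4 * i) for i in range(1, 151)]

if __name__ == "__main__":
    print("both limits:", simulate(SessionPolicy(), BUSY_USER))
    print("idle only  :", simulate(SessionPolicy(lifetime=None), BUSY_USER))
```

With only Session Timeout enabled, a client that sends a request every few minutes keeps its session indefinitely; enabling Session Lifetime as well bounds how long a session cookie stays usable.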