On the Webserver Protection > Reverse Authentication > Profiles tab, you specify authentication profiles for the web application firewall. With profiles you can assign different authentication settings to different users or user groups. After specifying the authentication profiles, you can assign them to site path routes on the Web Application Firewall > Site Path Routing tab.

To add an authentication profile, do the following:

  1. On the Profiles tab, click New Authentication Profile.

    The Add Authentication Profile dialog box opens.

  2. Specify the following settings:

    Name: Enter a descriptive name for the profile.

    Virtual Webserver: Here you can configure the profile settings for the virtual webserver.

    Mode: Select how the users should authenticate at the Web Application Firewall.

    Basic: Users authenticate with HTTP basic authentication with their username and password. The credentials are sent unencrypted, so you should turn on HTTPS. The WAF generates no session cookies which means that user can't specifically log out.

    Form: The WAF presents a form to users where they have to enter their credentials. The WAF generates session cookies and users can log out.

    If you want to use one-time passwords (OTP), select Form. OTP relies on user sessions, which are only available with form-based authentication.

    Form template: Select the form template that will be presented to the users for authentication. There is a default form template available. New form templates can be created on the Customization > Form Templates page.

    Basic prompt: The realm is a unique string that provides additional information on the login page and is used for user orientation.

    Note – These characters are allowed for the Basic prompt: A-Z a-z 0-9 , ; . : - _ ' + = ) ( & % $ ! ^ < > | @

    Users/Groups: Select the users or user groups or add new users or user groups that should be assigned to this authentication profile. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group. How to add users is explained on the Definitions & Users > Users & Groups > Users page. How to add a user group is explained on the Definitions & Users > Users & Groups > Groups page.

    Note – Sometimes users should be required to use the User Principal Name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers. How to use User Principal Name notation is explained on the Definitions & Users > Authentication Services > Servers > Active Directory page.

    Redirect to requested URL (only for virtual webserver mode Form): Redirects the user to the path defined in the corresponding site path routing profile.

    Real Webserver: Here you can configure the profile settings for the real webserver.

    Mode: Select how the Web Application Firewall authenticates against the real webservers. The mode has to match the real webservers authentication settings.

    Basic: Authentication works with HTTP basic authentication, providing username and password.

    None: There is no authentication between WAF and the real webservers. Note that even if your real webservers do not support authentication, users will be authenticated via the frontend mode.

    Username affix: Select an affix for the username. You can select Prefix, Suffix or both. Affixes are useful when working with domains and email addresses.

    Prefix: Enter a Prefix for Username.

    Suffix: Enter a Suffix for Username.

    Note – Prefix and suffix will be added automatically if users enter their username. Prefix and suffix will not be added if the users enter it. Example: If the suffix is and a user enters their username test.user the suffix will be added. If they enter the suffix will be ignored.

    Remove Basic Header: If you select this option the basic header will not be sent from Sophos UTM to the real webserver.

    User Session (only for virtual webserver mode Form): Here you can configure the timeout settings for user sessions.

    Session timeout: Select this option to enable a timeout for the user session which will confirm user credentials by having them log in again if they do not perform any action on the Virtual Webserver.

    Limit to: Set an interval for the session timeout.

    Session timeout scope: Set the scope to day(s), hour(s) or minute(s).

    Session lifetime: Select this option to enable a hard limit for how long users may remain logged in, regardless of activity in the mean time.

    Limit to: Set an interval for the session lifetime value.

    Session lifetime scope: Set the scope to day(s), hour(s) or minute(s).

    Allow persistent sessions: If enabled, WAF authentication uses cookies for a persistent session. A checkbox is visible for end users on the login form to enable persistent session cookies. If the end users enable the checkbox on the login form, a persistent session cookie is created for the users upon login. WAF authentication uses session cookies for a short-lived session if Allow persistent sessions is disabled or the end users do not enable the checkbox on the login form.

    Logout (only for virtual webserver mode Form): Here you can provide a logout function for the user session.

    Mode: Select how users can log out from the session.

    None: Users have no option to log out.

    Delegation: Users log out by predefined URLs. For example, /logout. Add URLs that the users need to log out.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new profile appears on the Profiles list.

    Caution – When using Reverse Authentication in combination with OTP the OTP tokens will only be checked once when a user session is set up. Once a session is set up, any subsequent request by the same user will not have their OTP tokens evaluated. This is because malicious users might exploit the OTP configuration by sending an overwhelming amount of requests to authentication protected paths, thereby invoking OTP checks and effectively running a DoS attack on the authentication daemon. Passwords and all other request aspects will still be checked to match the configuration.

To either edit or delete a profile, click the corresponding buttons.

Cross Reference – Find information about configuring Reverse Authentication and differences between the versions in the Sophos Knowledge Base.

Reverse Authentication: Users/Groups

Sometimes it is necessary for users to use the format user@domain when entering their credentials, e.g. when using an Exchange server in combination with Active Directory servers. In this case there are additional steps to take:

  1. From the WebAdmin menu, open the Definition & Users > Authentication Services > Servers tab.

    The Servers tab is displayed.

  2. On the Servers tab, click the Clone button of the desired Active Directory server.

    A new server will be created.

  3. Change the field Backend to LDAP.
  4. Change the User attribute field to >.
  5. In the Custom field enter userPrincipalname.

If not present already, this will set up an LDAP Users group which you will need to use instead of the Active Directory Users group.

Note – The format domain\user is not supported. Use the format user@domain instead.