
Cannot access server published through WAF from LAN over Webproxy

Dear all,

in XG v18 I published a server using WAF with the following rule:

Accessing the server from WAN works fine. Accessing the server from LAN works well too if not using the webproxy. If configuring the webproxy on a LAN client I however cannot access the published server and get the following error:

Within the WAF log I see attempts to access the server but from the APIPA address 169.254.234.5 which I don't use:

Any ideas what might be the issue here and what I have to do in order to allow access to WAF published servers through the webproxy?

Thanks
Michael



This thread was automatically locked due to age.
  • FormerMember

    Hi  

    Is there a specific reason for sending traffic through the web proxy (forward proxy) to WAF (reverse proxy)?

    I would advise you to create a web exception for your server to bypass web proxy; please follow this KB Article: Create a web exception for a website

    Thanks,

  • Hi Patel,

    thanks for your reply. We have configured all clients with explicit proxy in the Operating System. If the clients access internal systems web servers using their public names they are sending their traffic to the webproxy as well (unless we exclude those domains on the clients directly).

    The firewall rule on the XG that allows webproxy usage doesn't have any filtering options enabled:

     

    Since the web proxy is explicitly configured on the clients, traffic will flow through it however. Creating a web exception didn't help but I think this is logical since with the web exceptions we only can exclude traffic from several scanning actions but not from flowing through the proxy directly (if it is explicitly configured it must flow through the proxy from my point of view).

    BTW: If I set the User portal HTTPS port to 443 then this will be shown if I enter a URL that is published via WAF. So somehow the traffic entering the webproxy does not correctly reach the reverse proxy.

    Best Regards
    Michael
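
The thread notes that LAN access to the WAF-published server works when the web proxy is not used, and that the alternative is to exclude those domains on the clients. As an added example (not part of any post above, and not a Sophos-provided file), a proxy auto-config (PAC) script can carry that exclusion centrally. The host names and the proxy address are constructed placeholders.

```javascript
// PAC sketch: send WAF-published names DIRECT, everything else to the
// explicit web proxy. All values below are constructed placeholders.
var WAF_PUBLISHED_HOSTS = ["portal.example.com", "mail.example.com"];
var WAF_PUBLISHED_DOMAINS = ["apps.example.com"]; // the name and its subdomains
var EXPLICIT_PROXY = "PROXY proxy.example.internal:3128";

function normalizeHost(host) {
  // Lower-case and drop a trailing dot so "Portal.Example.com." still matches.
  var h = String(host || "").toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

function isWafPublished(host) {
  var h = normalizeHost(host), i, d;
  for (i = 0; i < WAF_PUBLISHED_HOSTS.length; i++) {
    if (h === WAF_PUBLISHED_HOSTS[i]) return true;
  }
  for (i = 0; i < WAF_PUBLISHED_DOMAINS.length; i++) {
    d = WAF_PUBLISHED_DOMAINS[i];
    // Require a label boundary: "xapps.example.com" must not match
    // "apps.example.com", or look-alike names would skip the proxy.
    if (h === d || h.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// Entry point called by the browser or OS for every request.
function FindProxyForURL(url, host) {
  if (isWafPublished(host)) return "DIRECT";
  return EXPLICIT_PROXY;
}
```

Keep the bypass list to exact published names where possible: every entry is traffic that no longer passes the forward proxy's filtering.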
