Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 24 replies
  • Subscribers 4 subscribers
  • Views 6913 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Getting WAF to pass to the correct sites

MikeRM275

Good evening.  I am trying to set up the UTM (9.711-5) to handle the websites from the IIS machine.  I currently have WAF working with Exchange.  So I have DynDNS entries for the DNS names that I need for the two sites, both point to the IP address on the External Interface for the UTM.

I have 4 sites that I am running on the IIS server, in the configuration of Site1.domain.com, Site2.domain.com, Site1.domain.com/Site3, and Site1.domain.com/Site4.  Site1 is on port 443 and Site2 is on port 444.  Internally on the network this works without a problem.  I call site1, it loads up, I hit the login button it sends a challenge to site 2, Site 2 then pops up the login screen and authorization screen, if needed.  Site 2 passes everything back to Site 1.

So I have set up a Firewall Profile (which I am still adjusting):

Mode: Reject
Hardening & Signing: Cookie Signing
Filtering: Block clients with bad reputation
Common threats filter
Scanning: Antivirus (Dual Scan)

(I originally had form hardening but this was giving many errors, so I removed that for the moment).

Under the Real Webservers I have the IIS machine and HTTPS (Encrypted)

Under the Virtual Webservers I set up two entries:

For Site 1:
Interface: External

Type: HTTPS & Redirect

Port: 443

Certificate points to the certificate for this site (which shows the correct domain)

Real WebServer I have the IIS Machine checked and the Exchange machine unchecked.

Firewall Profile: points to the one that was set up above

Advanced: Pass host headers

For Site 2:

Type: HTTPS & Redirect

Port: 444

Certificate points to the certificate for this site (which shows the correct domain)

Real WebServer I have the IIS Machine checked and the Exchange machine unchecked.

Firewall Profile: points to the one that was set up above

Advanced: Pass host headers

When I select the login I am supposed to be redirected as follows:
https://site2.domain.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dsite-raz%26redirect_uri%3Dhttps%253A%252F%252Fsite1.domain.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D5BffzAj3mevUfigkr9yYVTBMwnSF56_1fkZYjDxQr2A%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637976652948829102.NDMwOTQ1NGYtZTM3Ni00ODkwLWFiZDMtNmQ4MTc1M2UyYmFkMjJmNGVlNTgtMTNmMC00YWIxLWJmNzUtMTI4ODM3ZDIwY2Nl%26state%3DCfDJ8Pxpv025fH9OrWmSiY-syag8_QiY3DGHSIdeW96_S-kHMiUlhCY2EetveAxr2ss_fQz8PtAQZOe1sd6PVSMYxjr-kbG_zv-kqRH8o8g7I0XOmhOjAewvRnbMrCECYnFnIVoAQxl1AE45WW-h7auLLrPZpBilSTJdjTPIYpH6KbpM8zaSX2BL7_M3NKW4FUhdRbQexegzcGfZxUXey9f7Mj6kK7ZnuH2t6KTaLiPMMuVHGjd4KC1H3J0XksBBwo0rE1fLQorr_gxk0fSWSwsQFPXXpbumZopPIpDw2A7dyPq6u7-iq_Un3-m52PjSMt8idxR-j2ZP0L95BTKENVHxW5lw0jDzO5vcqHm-GaU6ke3G0wpMdh-37s5xC3-doUE-NQ%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0

What is happening is that this times out when select the login link.  I can see in the logs where site1 is called and activated, but I am not seeing what I am looking for with Site2 being called in the logs.  Which has me wondering where I made a mistake in the setup.  I can provide information if needed.  Or is this even possible.  Any help would be appreciated.



This thread was automatically locked due to age.
  • 0 in reply to PhilippRusch

    Well the OIDC sends a 302.  When I hit the Login page on the wwwd.mrm2inc.com:443/Identity/Account/Login it sends the challenge to identityapi-dv and then goes directly to identityapi-dv.mrm2inc.com:444/Identity/Account/Login with the rest of the query information.  There is no redirect rule set up in IIS, it just knows which site is set up to which port.

    I added the following a redirect request in the WAF and it is still not doing such.:

    I can see the redirect showing on the Virtual WebServer:

    Here is what the log is still showing:

    2022:09:11-16:39:46 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="1548" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="3854028" url="/" server="wwwd.mrm2inc.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HjgpakmKmBg3yut2XlwAAAAM"

2022:09:11-16:39:47 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="1552" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="29288" url="/" server="wwwd.mrm2inc.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HkwpakmKmBg3yut2XmAAAAAc"

2022:09:11-16:39:49 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="369" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="112021" url="/css/site.min.css" server="wwwd.mrm2inc.com" port="443" query="?v=RGHdZ65z5NTf_tGQaHcDi9uupHs31YwZ9EFGjn6nx-Q" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HlQpakmKmBg3yut2XmQAAAAc"

2022:09:11-16:39:49 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="0" user="-" host="174.206.103.167" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="26419" url="/lib/bootstrap/dist/css/bootstrap.min.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HlQpakmKmBg3yut2XmgAAAAY"

2022:09:11-16:39:49 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="271" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="7416" url="/js/site.min.js" server="wwwd.mrm2inc.com" port="443" query="?v=FLn14I09uV1OPWa0eAi391TYe2U6_UnC5Q3R6qMB_Ic" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HlQpakmKmBg3yut2XnAAAAAc"

2022:09:11-16:39:50 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="8499" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="318816" url="/lib/jqueryui/themes/smoothness/jquery-ui.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HlQpakmKmBg3yut2XmwAAAAY"

2022:09:11-16:39:50 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="4919" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="434405" url="/images/BackgroundImages/IdentityLogo.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HlgpakmKmBg3yut2XnQAAAAc"

2022:09:11-16:39:52 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="0" user="-" host="174.206.103.167" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="4858" url="/lib/bootstrap/dist/js/bootstrap.min.js" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HmApakmKmBg3yut2XnwAAAAc"

2022:09:11-16:40:01 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="1738865" user="-" host="174.206.103.167" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="9550677" url="/images/BackgroundImages/IdentityBackground.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HmApakmKmBg3yut2XngAAAAY"

2022:09:11-16:40:06 MRM2Sophos httpd: id="0299" srcip="174.206.103.167" localip="10.0.0.2" size="245" user="-" host="174.206.103.167" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="1831" url="/Identity/Account/Login" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yx5HpgpakmKmBg3yut2XoAAAAAY"

  • 0 in reply to MikeRM275

    Well this seems to be all within the UTM that it is failing.  Meaning that something still is not configured correctly.  From the troubleshooting tools I ran a ping and DNS Lookup.

    Ping:

    PING identityapi-dv.mrm2inc.com (192.168.7.6) 56(84) bytes of data.

64 bytes from deviis.mrm2inc.com (192.168.7.6): icmp_seq=1 ttl=128 time=0.507 ms

64 bytes from deviis.mrm2inc.com (192.168.7.6): icmp_seq=2 ttl=128 time=0.603 ms

64 bytes from deviis.mrm2inc.com (192.168.7.6): icmp_seq=3 ttl=128 time=0.615 ms

64 bytes from deviis.mrm2inc.com (192.168.7.6): icmp_seq=4 ttl=128 time=0.488 ms

64 bytes from deviis.mrm2inc.com (192.168.7.6): icmp_seq=5 ttl=128 time=0.533 ms



--- identityapi-dv.mrm2inc.com ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 3998ms

rtt min/avg/max/mdev = 0.488/0.549/0.615/0.053 ms

    DNS Lookup:

    Trying "identityapi-dv.mrm2inc.com"

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49718

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1



;; QUESTION SECTION:

;identityapi-dv.mrm2inc.com.	IN	ANY



;; ANSWER SECTION:

identityapi-dv.mrm2inc.com. 86400 IN	SOA	identityapi-dv.mrm2inc.com. do-not-reply.fw-notify.net. 1663269787 10800 900 604800 60

identityapi-dv.mrm2inc.com. 60	IN	NS	identityapi-dv.mrm2inc.com.

identityapi-dv.mrm2inc.com. 60	IN	A	192.168.7.6



;; ADDITIONAL SECTION:

identityapi-dv.mrm2inc.com. 60	IN	A	192.168.7.6



Received 152 bytes from 127.0.0.1#53 in 0 ms

    Again tried to login from outside my network, with still a timeout on https://identityapi-dv.mrm2inc.com  Logs still show a 302 but no activity for that name:

    2022:09:21-07:18:55 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="1558" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12795197" url="/" server="wwwd.mrm2inc.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzElnngPa_B_2fZcAMRgAAAB4"

2022:09:21-07:18:55 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="369" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="84667" url="/css/site.min.css" server="wwwd.mrm2inc.com" port="443" query="?v=RGHdZ65z5NTf_tGQaHcDi9uupHs31YwZ9EFGjn6nx-Q" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzH1nngPa_B_2fZcAMRwAAAB4"

2022:09:21-07:18:55 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="16270" url="/lib/bootstrap/dist/css/bootstrap.min.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzH1nngPa_B_2fZcAMSAAAAB4"

2022:09:21-07:18:55 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="8499" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="21994" url="/lib/jqueryui/themes/smoothness/jquery-ui.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzH1nngPa_B_2fZcAMSQAAAB4"

2022:09:21-07:18:56 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="271" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="9548" url="/js/site.min.js" server="wwwd.mrm2inc.com" port="443" query="?v=FLn14I09uV1OPWa0eAi391TYe2U6_UnC5Q3R6qMB_Ic" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzIFnngPa_B_2fZcAMSgAAAB4"

2022:09:21-07:18:56 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="4919" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="18099" url="/images/BackgroundImages/IdentityLogo.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzIFnngPa_B_2fZcAMSwAAAB4"

2022:09:21-07:18:56 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="32168" url="/lib/bootstrap/dist/js/bootstrap.min.js" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzIFnngPa_B_2fZcAMTAAAAB4"

2022:09:21-07:18:58 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="1738865" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="2203719" url="/images/BackgroundImages/IdentityBackground.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzIFnngPa_B_2fZcAMTQAAAB4"

2022:09:21-07:18:58 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="9380" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="9433" url="/favicon.ico" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzIlnngPa_B_2fZcAMTgAAAB4"

2022:09:21-07:19:16 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="12" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"

2022:09:21-07:19:16 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="7" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"

2022:09:21-07:19:17 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="10" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"

2022:09:21-07:19:28 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="245" user="-" host="174.206.107.39" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="1809" url="/Identity/Account/Login" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="YyrzQFnngPa_B_2fZcAMTwAAACk"

2022:09:21-07:36:59 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="1558" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="2569403" url="/" server="wwwd.mrm2inc.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3WVnngPa_B_2fZcAMUAAAAAU"

2022:09:21-07:37:00 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="369" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="19289" url="/css/site.min.css" server="wwwd.mrm2inc.com" port="443" query="?v=RGHdZ65z5NTf_tGQaHcDi9uupHs31YwZ9EFGjn6nx-Q" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMUQAAAAU"

2022:09:21-07:37:00 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="12342" url="/lib/bootstrap/dist/css/bootstrap.min.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMUgAAAAU"

2022:09:21-07:37:00 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="271" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12791" url="/js/site.min.js" server="wwwd.mrm2inc.com" port="443" query="?v=FLn14I09uV1OPWa0eAi391TYe2U6_UnC5Q3R6qMB_Ic" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMUwAAAAU"

2022:09:21-07:37:00 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="8499" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12973" url="/lib/jqueryui/themes/smoothness/jquery-ui.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMVAAAAAU"

2022:09:21-07:37:00 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="4919" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5482" url="/images/BackgroundImages/IdentityLogo.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMVQAAAAU"

2022:09:21-07:37:00 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="37277" url="/lib/bootstrap/dist/js/bootstrap.min.js" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMVwAAAAk"

2022:09:21-07:37:04 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="1738865" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="3386845" url="/images/BackgroundImages/IdentityBackground.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3XFnngPa_B_2fZcAMVgAAAAM"

2022:09:21-07:37:06 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="245" user="-" host="174.206.107.39" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="1719" url="/Identity/Account/Login" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr3YlnngPa_B_2fZcAMWAAAAAM"

2022:09:21-07:37:20 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="11" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"

2022:09:21-07:37:20 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="-" statuscode="408" reason="-" extra="-" exceptions="-" time="6" url="-" server="-" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="-"

2022:09:21-07:39:15 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="1552" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="90459" url="/" server="wwwd.mrm2inc.com" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr341nngPa_B_2fZcAMWQAAABc"

2022:09:21-07:39:16 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="369" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="6153" url="/css/site.min.css" server="wwwd.mrm2inc.com" port="443" query="?v=RGHdZ65z5NTf_tGQaHcDi9uupHs31YwZ9EFGjn6nx-Q" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35FnngPa_B_2fZcAMWgAAABc"

2022:09:21-07:39:16 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="0" user="-" host="174.206.107.39" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="4489" url="/lib/bootstrap/dist/css/bootstrap.min.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35FnngPa_B_2fZcAMWwAAABc"

2022:09:21-07:39:17 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="271" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5753" url="/js/site.min.js" server="wwwd.mrm2inc.com" port="443" query="?v=FLn14I09uV1OPWa0eAi391TYe2U6_UnC5Q3R6qMB_Ic" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35VnngPa_B_2fZcAMXAAAABc"

2022:09:21-07:39:17 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="8499" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="32454" url="/lib/jqueryui/themes/smoothness/jquery-ui.css" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35VnngPa_B_2fZcAMXQAAABU"

2022:09:21-07:39:17 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="4919" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="6085" url="/images/BackgroundImages/IdentityLogo.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35VnngPa_B_2fZcAMXgAAABc"

2022:09:21-07:39:18 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="25" user="-" host="174.206.107.39" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="28129" url="/lib/bootstrap/dist/js/bootstrap.min.js" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35lnngPa_B_2fZcAMYAAAABw"

2022:09:21-07:39:21 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="1738865" user="-" host="174.206.107.39" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="3417779" url="/images/BackgroundImages/IdentityBackground.png" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr35lnngPa_B_2fZcAMXwAAABU"

2022:09:21-07:39:24 MRM2Sophos httpd: id="0299" srcip="174.206.107.39" localip="10.0.0.2" size="245" user="-" host="174.206.107.39" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="1702" url="/Identity/Account/Login" server="wwwd.mrm2inc.com" port="443" query="" referer="https://wwwd.mrm2inc.com/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="Yyr37FnngPa_B_2fZcAMYQAAABU"

    I am just not sure where to look to fix this issue.

  • 0 in reply to MikeRM275

    "302" usually just means that the web server is redirecting the request.  The "40x" codes mean that the server is encountering issues.  What difference do you see in the web server's logs for internal and external clients?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I am not seeing anything in the logs for internal clients.  One guess is probably because IIS is handling it all by itself internally.  Second guess is that the traffic is not passing through the UTM for internal traffic.

  • 0 in reply to MikeRM275

    Mike, I meant the IIS logs, not the WAF logs in the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Sorry about that.  I do see a difference in the logs between an external and internal usage with the IIS logs.

    So with the external access to the first site:

    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-22 20:17:46 192.168.7.6 GET / - 443 - 192.168.0.3 Mozilla/5.0+(Linux;+Android+10;+SM-G960U)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Mobile+Safari/537.36 - - 200 0 0 6156
2022-09-22 20:17:46 192.168.7.6 GET /lib/bootstrap/dist/css/bootstrap.min.css - 443 - 192.168.0.3 Mozilla/5.0+(Linux;+Android+10;+SM-G960U)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Mobile+Safari/537.36 - https://wwwd.mrm2inc.com/ 404 0 0 12
2022-09-22 20:17:46 192.168.7.6 GET /lib/bootstrap/dist/js/bootstrap.min.js - 443 - 192.168.0.3 Mozilla/5.0+(Linux;+Android+10;+SM-G960U)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Mobile+Safari/537.36 - https://wwwd.mrm2inc.com/ 404 0 0 22
2022-09-22 20:17:51 192.168.7.6 GET /images/BackgroundImages/IdentityBackground.png - 443 - 192.168.0.3 Mozilla/5.0+(Linux;+Android+10;+SM-G960U)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Mobile+Safari/537.36 - https://wwwd.mrm2inc.com/ 200 0 0 4678

    There is no log activity for the identityapi-dv site from external access.

    Now the logs internally for the first site are as follows:

    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-22 20:24:23 192.168.7.6 GET / - 443 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 - - 200 0 0 7
2022-09-22 20:24:23 192.168.7.6 GET /lib/bootstrap/dist/css/bootstrap.min.css - 443 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 - https://wwwd.mrm2inc.com/ 404 0 0 1
2022-09-22 20:24:23 192.168.7.6 GET /lib/bootstrap/dist/js/bootstrap.min.js - 443 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 - https://wwwd.mrm2inc.com/ 404 0 0 1
2022-09-22 20:24:31 192.168.7.6 GET /Identity/Account/Login - 443 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 - https://wwwd.mrm2inc.com/ 302 0 0 6287

    What I notice here is that I had selected the Login button and got the 302 from the /Identity/Account/Login

    Here is the log for the second site:

    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-22 20:24:31 192.168.7.6 GET /.well-known/openid-configuration - 444 - 192.168.7.6 Microsoft+ASP.NET+Core+OpenIdConnect+handler - - 200 0 0 4979

2022-09-22 20:24:31 192.168.7.6 GET /.well-known/jwks - 444 - 192.168.7.6 Microsoft+ASP.NET+Core+OpenIdConnect+handler - - 200 0 0 40

2022-09-22 20:24:31 192.168.7.6 GET /api/Authorization/Authorize client_id=ident-man-raz&redirect_uri=https%3A%2F%2Fwwwd.mrm2inc.com%2Fsignin-oidc&response_type=code&scope=openid%20profile&code_challenge=81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak&code_challenge_method=S256&response_mode=form_post&nonce=637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1&state=CfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw&x-client-SKU=ID_NET6_0&x-client-ver=6.21.0.0 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://wwwd.mrm2inc.com/ 302 0 0 232

2022-09-22 20:24:31 192.168.7.6 GET /Identity/Account/Login ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://wwwd.mrm2inc.com/ 200 0 0 243

2022-09-22 20:24:31 192.168.7.6 GET /css/site.min.css v=yguNTp47AFBJS-Sds4KXQ3C40m_1v5Q4lgz8vDYuDUA 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 13

2022-09-22 20:24:32 192.168.7.6 GET /js/site.min.js v=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 1

2022-09-22 20:24:32 192.168.7.6 GET /lib/bootstrap/dist/css/bootstrap.min.css - 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 24

2022-09-22 20:24:32 192.168.7.6 GET /lib/jqueryui/themes/smoothness/jquery-ui.css - 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 404 0 0 18

2022-09-22 20:24:32 192.168.7.6 GET /images/BackgroundImages/IdentityLogo.png - 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 10

2022-09-22 20:24:32 192.168.7.6 GET /lib/bootstrap/dist/js/bootstrap.min.js - 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 9

2022-09-22 20:24:32 192.168.7.6 GET /images/BackgroundImages/IdentityBackground.png - 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 141

2022-09-22 20:24:32 192.168.7.6 GET /favicon.ico - 444 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 .AspNetCore.Antiforgery.92sHTbD5ho8=CfDJ8OYzoIl0DyBKpIwPLj2DM1ufA5Xdc648FP8OTerTe-8KFICV46etbWLwkC-s7BxzmALHE48ERrgI5BpfyzNVvwlVUneJ_lxchwHtKdcnzVfUahFv_qS-3du8-VljgA4zA1-Y7Qc5pdGDtuliFGZT0lI https://identityapi-dv.mrm2inc.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dident-man-raz%26redirect_uri%3Dhttps%253A%252F%252Fwwwd.mrm2inc.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D81l1EDz_215JbJvptHZ9SIhDwo3YSW0OIdz2js_Rfak%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637994750714077371.NjkzN2RhZmMtN2ZiOC00ZTUyLTkxZjctM2VmNTY3NGRlMzlkYzJhNjY3NzUtZDMwYi00Mjk1LTgzZjYtMzFjMDhkYzE1NTY1%26state%3DCfDJ8HW_c7mdLnhNkWi9ygVvO-2upcALNWtZakMHlNgspbVw3DjNG36uYGe-kJiKvGkcX66UuCfVy-iwxQeXCmaEs2Dc77KCoVunkyeF4fOijBqvajPHXy1f6I3xRw_hQ5-kLHIFL7xYcjnbwAqhvrJvwJgQaUihTD5JkIY2XNuqwHGwjca7P6DsekSu2kJF2QKA-pn3hp9l0XDsFkwNTjRB6ZAgN37p6jcs6mTd16JDiu_A7KfyPpEflLWRWlvPp0S9NGyHRYisw3eSbBWAha_zIrpkVMZO9-uwIGzuREHp4r8-NHdB8JliPm3LOkYGdfGZwEGmxJWLI0e2CZBH04Rd4amFtSkLa9_SwGp9k59R_fIhcFIq4RoK7FT7xt6QKZralw%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0 200 0 0 36

    For this I am seeing the client-Ip being the same IP as the source which is correct but everything is being fired off.  And I was able to access the login screen.

    This has me questioning, am I putting that redirect on the WAF too early?

    Also I tried the /.well-known/jwks directly from the external, and it timed out.  I do not see any activity in the UTM Logs for when I did that.

  • 0 in reply to MikeRM275

    I'm not an IIS guy, so I don't have an answer, but it looks like the difference is:

         Internally, lines 3 & 4 contain 537.36+Edg/105.0.1343.42 - https://wwwd.mrm2inc.com/ 404 0 0 1
         Externally, these lines contain 537.36 - https://wwwd.mrm2inc.com/ 404 0 0 12

    If no one else here is that knowledgeable about IIS, maybe ask a question on a Microsoft board.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Those 404 on lines 3 and 4 are for the bootstrap.css, the Edg/105 is for the Edge Browser which make that difference, the last number is the time taken to return the 404.
    Granted the 404 is happening because the bootstap library is not being found on the server, as it should be pulling from the CDN, but the bootstrap is actually working, so I am not finding anything suspect with them.

    What gets me is line 5 is different  Also going to https://identityapi-dv.mrm2inc.com:444/.well-known/jwks times out.  And the UTM does not see that being accessed.

  • 0 in reply to MikeRM275

    Are you accessing from a browser other than Edge when you come in from the outside, Mike?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Yes, I am using Chrome when accessing it from the outside.

Unfiltered HTML