
Getting WAF to pass to the correct sites

Good evening.  I am trying to set up the UTM (9.711-5) to handle the websites from the IIS machine.  I currently have WAF working with Exchange.  So I have DynDNS entries for the DNS names that I need for the two sites, both point to the IP address on the External Interface for the UTM.

I have 4 sites that I am running on the IIS server, in the configuration of Site1.domain.com, Site2.domain.com, Site1.domain.com/Site3, and Site1.domain.com/Site4.  Site1 is on port 443 and Site2 is on port 444.  Internally on the network this works without a problem.  I call site1, it loads up, I hit the login button it sends a challenge to site 2, Site 2 then pops up the login screen and authorization screen, if needed.  Site 2 passes everything back to Site 1.

So I have set up a Firewall Profile (which I am still adjusting):

Mode: Reject
Hardening & Signing: Cookie Signing
Filtering: Block clients with bad reputation
Common threats filter
Scanning: Antivirus (Dual Scan)

(I originally had form hardening but this was giving many errors, so I removed that for the moment).

Under the Real Webservers I have the IIS machine and HTTPS (Encrypted)

Under the Virtual Webservers I set up two entries:

For Site 1:
Interface: External

Type: HTTPS & Redirect

Port: 443

Certificate points to the certificate for this site (which shows the correct domain)

Real WebServer I have the IIS Machine checked and the Exchange machine unchecked.

Firewall Profile: points to the one that was set up above

Advanced: Pass host headers

For Site 2:

Type: HTTPS & Redirect

Port: 444

Certificate points to the certificate for this site (which shows the correct domain)

Real WebServer I have the IIS Machine checked and the Exchange machine unchecked.

Firewall Profile: points to the one that was set up above

Advanced: Pass host headers

When I select the login I am supposed to be redirected as follows:
https://site2.domain.com:444/Identity/Account/Login?ReturnUrl=%2Fapi%2FAuthorization%2FAuthorize%3Fclient_id%3Dsite-raz%26redirect_uri%3Dhttps%253A%252F%252Fsite1.domain.com%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%26code_challenge%3D5BffzAj3mevUfigkr9yYVTBMwnSF56_1fkZYjDxQr2A%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637976652948829102.NDMwOTQ1NGYtZTM3Ni00ODkwLWFiZDMtNmQ4MTc1M2UyYmFkMjJmNGVlNTgtMTNmMC00YWIxLWJmNzUtMTI4ODM3ZDIwY2Nl%26state%3DCfDJ8Pxpv025fH9OrWmSiY-syag8_QiY3DGHSIdeW96_S-kHMiUlhCY2EetveAxr2ss_fQz8PtAQZOe1sd6PVSMYxjr-kbG_zv-kqRH8o8g7I0XOmhOjAewvRnbMrCECYnFnIVoAQxl1AE45WW-h7auLLrPZpBilSTJdjTPIYpH6KbpM8zaSX2BL7_M3NKW4FUhdRbQexegzcGfZxUXey9f7Mj6kK7ZnuH2t6KTaLiPMMuVHGjd4KC1H3J0XksBBwo0rE1fLQorr_gxk0fSWSwsQFPXXpbumZopPIpDw2A7dyPq6u7-iq_Un3-m52PjSMt8idxR-j2ZP0L95BTKENVHxW5lw0jDzO5vcqHm-GaU6ke3G0wpMdh-37s5xC3-doUE-NQ%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0

What is happening is that this times out when I select the login link.  I can see in the logs where site1 is called and activated, but I am not seeing what I am looking for with Site2 being called in the logs.  Which has me wondering where I made a mistake in the setup.  I can provide information if needed.  Or is this even possible?  Any help would be appreciated.



  • I still think that DNS is causing this different behaviour.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • As before I couldn't access the ./well-known.jwks from outside the UTM.  I took another run at things.  I ended up changing the port on the identityapi-dv virtual webserver from 444 to 443, and keeping it HTTPS and Redirect.  On the Real Webserver I am maintaining the port 444.  From outside the network I was able to access the .well-known/jwks and .well-known/openid-configuration.  The passing from wwwd to identityapi-dv on the login still does not work correctly.

    I also ended up fixing the 404 errors by placing the css and js files in the correct spot.  Will post the logs after I look them over.

  • Ok I have a confirmation on what is wrong.  Like mentioned it is DNS related.  But it is also not DNS related.  When wwwd makes its call to identityapi-dv it knows that it is using port 444 internally, but since nothing understands identityapi-dv:444 as a DNS entry it is failing at the UTM after the 302 because it does not know that DNS name.  Once I changed the Virtual Server to 443 and still maintained the port 444 on the real server, I can access that directly, since the UTM is calling it on the correct port.  But since I have to make a call internally and externally with the port number on there, this is where it is failing.  Is there a way around this issue within the UTM?

  • I have fixed the issues with IIS so that everything is now passing over port 443.  Though I am now getting a 403.  I can even see why by five lines in the log.  It looks like I have warnings for generic attacks and SQL Injection.  I then have an Access denied with code 403 (phase 2) for pattern match (.*) at TX:950120-OWASP_CRS/WEB_ATTACK/RFI-TX:1.  Then another warning for Inbound Anomaly Score Exceeded.  Last line in the log on the blocking is Status Code 403, extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"

    What would be the best way to work the Firewall profile for these?  My guess would be to skip filter rules, or uncheck Generic Attacks and SQL Injection attacks.  Though unchecking those would seem like a bad idea.  My other thought is to put /api/Authorization/* as an exception.

    Here are the lines of the log:

    2022:10:11-21:47:35 MRM2Sophos httpd[22698]: [security2:error] [pid 22698:tid 4095306608] [client 174.206.107.230:7594] [client 174.206.107.230] ModSecurity: Warning. Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [line "163"] [id "950120"] [rev "3"] [msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] [data "Matched Data: https://wwwd.mrm2inc.com/signin-oidc found within TX:1: wwwd.mrm2inc.com/signin-oidc"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "identityapi-dv.mrm2inc.com"] [uri "/api/Authorization/Authorize"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]
    
    2022:10:11-21:47:35 MRM2Sophos httpd[22698]: [security2:error] [pid 22698:tid 4095306608] [client 174.206.107.230:7594] [client 174.206.107.230] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:state. [file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:state: CfDJ8HW_c7mdLnhNkWi9ygVvO-12sIeLssPxLKIzIVcM60_N4g91O_qZwUU0Y2KCy5vqlOdVsyYcr7mjwlmfZkQiqs8Ud1HFtNh3c849WjAE5s8TffkAxYCM3FgLTyqp1_mL18_e53XkKe4Crhd-GHtIAC6LRJ8FGvrdjOiqNkPo4uBOZ-B-2PzfMJEvhJ4ea17LwH1H9ZQiM-ncLXMdGLCclIb2wFKUeKegH0A6jqkIsit9udL20cIJ8sv78F6PpDAmX3riyKWYnBPSd6GAsplsugYljkUE-GfxcB84RfdaOD2hBw2iu0ceOzCEDQLyUQLgLB5IFvFfoHDR39c42svDxdBsXwYtUqUuy7sMVufX17ngoGsswP2FbmE3gxmirK7QhA"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "identityapi-dv.mrm2inc.com"] [uri "/api/Authorization/Authorize"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]
    
    2022:10:11-21:47:35 MRM2Sophos httpd[22698]: [security2:error] [pid 22698:tid 4095306608] [client 174.206.107.230:7594] [client 174.206.107.230] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(.*)" at TX:950120-OWASP_CRS/WEB_ATTACK/RFI-TX:1. [file "/usr/apache/conf/waf/modsecurity_crs_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Last Matched Data: wwwd.mrm2inc.com/signin-oidc"] [hostname "identityapi-dv.mrm2inc.com"] [uri "/api/Authorization/Authorize"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]
    
    2022:10:11-21:47:35 MRM2Sophos httpd[22698]: [security2:error] [pid 22698:tid 4095306608] [client 174.206.107.230:7594] [client 174.206.107.230] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/apache/conf/waf/modsecurity_crs_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "identityapi-dv.mrm2inc.com"] [uri "/api/Authorization/Authorize"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]
    
    2022:10:11-21:47:35 MRM2Sophos httpd: id="0299" srcip="174.206.107.230" localip="10.0.0.2" size="199" user="-" host="174.206.107.230" method="GET" statuscode="403" reason="waf" extra="Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded" exceptions="-" time="15555" url="/api/Authorization/Authorize" server="identityapi-dv.mrm2inc.com" port="443" query="?client_id=ident-man-raz&redirect_uri=https%3A%2F%2Fwwwd.mrm2inc.com%2Fsignin-oidc&response_type=code&scope=openid%20profile&code_challenge=pKnok9IOBihdW11XJb2CW5WeTqJK9HpphneTswk0hAc&code_challenge_method=S256&response_mode=form_post&nonce=638011360132318158.YWY0ZjgzOTAtYzA3ZS00ODlmLTg3YmQtY2RlNzY2ZDZiNDE1MzhhMzE2NTctMDE4MC00Mzk5LThiODAtMDFiZmUxZTA1MjU1&state=CfDJ8HW_c7mdLnhNkWi9ygVvO-12sIeLssPxLKIzIVcM60_N4g91O_qZwUU0Y2KCy5vqlOdVsyYcr7mjwlmfZkQiqs8Ud1HFtNh3c849WjAE5s8TffkAxYCM3FgLTyqp1_mL18_e53XkKe4Crhd-GHtIAC6LRJ8FGvrdjOiqNkPo4uBOZ-B-2PzfMJEvhJ4ea17LwH1H9ZQiM-ncLXMdGLCclIb2w
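As an added example (not code from this thread, from Sophos, or from the OWASP CRS project), the Python below re-tallies the anomaly score from ModSecurity log lines like the ones posted above and replays the two rules that fired, so the 403 can be explained and an exception sized before touching the firewall profile. It assumes the CRS 2.x default severity weights (critical 5, error 4, warning 3, notice 2) and inbound threshold 5, and that rule 981173, which logs no severity field, adds the warning weight of 3, which is what the posted total of 8 = 5 (RFI, critical) + 3 implies. The log lines, query string and `state` value are constructed samples, abbreviated from the log posted here.

```python
"""Re-tally the OWASP CRS 2.x inbound anomaly score from Sophos UTM / ModSecurity
log lines and replay the two rules that fired on /api/Authorization/Authorize.
All sample data below is constructed, abbreviated from the log in this thread."""
import re
from urllib.parse import parse_qs

# CRS 2.x default weights (tx.critical/error/warning/notice_anomaly_score).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# Rules that raise the score without logging a [severity] field.  981173 adds
# the warning weight in CRS 2.2.7; the posted total of 8 = 5 (RFI) + 3 agrees.
RULE_SCORE_FALLBACK = {"981173": 3}
INBOUND_THRESHOLD = 5  # tx.inbound_anomaly_score_level default

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
UID = "Y0Yct32sfjTTal5kN2h4PQAAAGg"       # unique_id from the posted log
HOST = "identityapi-dv.mrm2inc.com"         # request Host header in the posted log

SAMPLE_LOG = [  # constructed: bracketed fields kept, free text shortened
    # 950120: redirect_uri points at wwwd.mrm2inc.com while Host is identityapi-dv
    'ModSecurity: Warning. Match of "beginsWith %{request_headers.host}" against "TX:1" required. '
    '[file "/usr/apache/conf/waf/modsecurity_crs_generic_attacks.conf"] [id "950120"] '
    '[msg "Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link"] '
    '[data "Matched Data: https://wwwd.mrm2inc.com/signin-oidc found within TX:1: wwwd.mrm2inc.com/signin-oidc"] '
    '[severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/RFI"] [hostname "identityapi-dv.mrm2inc.com"] '
    '[uri "/api/Authorization/Authorize"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]',
    # 981173: the base64url "state" carries enough '-' characters to count as SQL specials
    'ModSecurity: Warning. Pattern match "(...){4,}" at ARGS:state. '
    '[file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"] [id "981173"] '
    '[msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] '
    '[data "Matched Data: - found within ARGS:state: CfDJ8HW_c7md...K7QhA"] '
    '[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "identityapi-dv.mrm2inc.com"] '
    '[uri "/api/Authorization/Authorize"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]',
    # 981176 / 981204 only report the total; they carry no attack tag and are not re-counted
    'ModSecurity: Access denied with code 403 (phase 2). [id "981176"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=1, XSS=)"] '
    '[hostname "identityapi-dv.mrm2inc.com"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]',
    'ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [id "981204"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8, SQLi=1, XSS=)"] '
    '[hostname "identityapi-dv.mrm2inc.com"] [unique_id "Y0Yct32sfjTTal5kN2h4PQAAAGg"]',
]

# The ASP.NET Data Protection "state" token from the posted 981173 line (base64url: '-' and '_').
SAMPLE_STATE = ("CfDJ8HW_c7mdLnhNkWi9ygVvO-12sIeLssPxLKIzIVcM60_N4g91O_qZwUU0Y2KCy5vqlOdVsyYcr7mjwlmfZkQiqs8Ud1HFtNh3c849WjAE5s8TffkAxYCM3FgLTyqp1_mL18_e53XkKe4Crhd-GHtIAC6LRJ8FGvrdjOiqNkPo4uBOZ-B-2PzfMJEvhJ4ea17LwH1H9ZQiM-ncLXMdGLCclIb2wFKUeKegH0A6jqkIsit9udL20cIJ8sv78F6PpDAmX3riyKWYnBPSd6GAsplsugYljkUE-GfxcB84RfdaOD2hBw2iu0ceOzCEDQLyUQLgLB5IFvFfoHDR39c42svDxdBsXwYtUqUuy7sMVufX17ngoGsswP2FbmE3gxmirK7QhA")
# Constructed authorize query, abbreviated from the posted 403 line (nonce omitted).
SAMPLE_QUERY = ("client_id=ident-man-raz&redirect_uri=https%3A%2F%2Fwwwd.mrm2inc.com%2Fsignin-oidc"
                "&response_type=code&scope=openid%20profile&code_challenge_method=S256"
                "&response_mode=form_post&state=" + SAMPLE_STATE)
SAMPLE_ARGS = parse_qs(SAMPLE_QUERY)  # percent-decoded, as the WAF sees ARGS after urlDecodeUni


def parse_fields(line):
    """Return the [key "value"] pairs of one ModSecurity error line as a dict."""
    return dict(FIELD_RE.findall(line))


def score_requests(lines):
    """Group scoring rules by unique_id.  Only lines tagged OWASP_CRS/WEB_ATTACK/* add
    to the score; the blocking (981176) and correlation (981204) lines just report it."""
    per_request = {}
    for line in lines:
        f = parse_fields(line)
        if "unique_id" not in f or not f.get("tag", "").startswith("OWASP_CRS/WEB_ATTACK/"):
            continue
        score = SEVERITY_SCORE.get(f.get("severity")) or RULE_SCORE_FALLBACK.get(f["id"], 0)
        entry = per_request.setdefault(f["unique_id"], {"total": 0, "events": []})
        entry["total"] += score
        entry["events"].append((f["id"], score, f["msg"]))
    return per_request


def total_without(per_request, unique_id, skipped_ids):
    """Re-tally as if the given rules were excepted, to size a WAF exception narrowly."""
    return sum(s for rid, s, _ in per_request[unique_id]["events"] if rid not in skipped_ids)


def is_blocked(total):
    return total >= INBOUND_THRESHOLD


# Replay of rule 981173: four or more of these characters anywhere in one argument trip
# the rule.  '-' is in the class, '_' is not, so a base64url token with several '-'
# looks like a run of SQL special characters.
SQL_SPECIALS = set('~!@#$%^&*()-+={}[]|:;"\'´’‘`<>')


def rule_981173_hits(value):
    return sum(ch in SQL_SPECIALS for ch in value)


# Replay of rule 950120: an argument that is an absolute http(s)/ftp URL whose
# authority+path does not begin with the request Host is an "off-domain reference".
# A cross-host OIDC redirect_uri is exactly that, by design of the protocol.
ABS_URL_RE = re.compile(r"^(?:ht|f)tps?://(.*)$")


def rule_950120_hits(host_header, args):
    hits = []
    for name, values in args.items():
        for v in values:
            m = ABS_URL_RE.match(v)
            if m and not m.group(1).startswith(host_header):
                hits.append((name, m.group(1)))
    return hits


if __name__ == "__main__":
    scored = score_requests(SAMPLE_LOG)
    req = scored[UID]
    print(f"{UID}: total {req['total']} -> {'403' if is_blocked(req['total']) else 'pass'}")
    for rid, s, msg in req["events"]:
        print(f"  {rid} +{s}  {msg}")
    print("950120 off-domain args:", rule_950120_hits(HOST, SAMPLE_ARGS))
    print("981173 special chars in state:", rule_981173_hits(SAMPLE_ARGS["state"][0]))
    print("total if only the RFI rule were excepted:", total_without(scored, UID, {"950120"}))
```

Running it shows the two sources of the score separately: the RFI rule fires because the `redirect_uri` host (wwwd) differs from the request Host (identityapi-dv), which every cross-host OIDC authorize request does, and 981173 fires on the `-` characters of the base64url `state`. Re-tallying with one rule removed is how to size an exception: dropping only 950120 leaves a score of 3, below the threshold of 5, while skipping 981173 alone still leaves 5. In the UTM the exception is expressed per rule category and path, so the same arithmetic tells you which category an exception scoped to /api/Authorization/* actually needs to skip.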