
WAF and security management software sam by secova

Hello,

 

we are running the security management software sam by secova. In our internal network it is no problem to access the browser based application.

Now I want to make the application available worldwide without putting the server out to the web with no protection. So I want to use WAF to protect the server. So far, so easy. I know the RULZ and the UTM is running smoothly at the newest version. We already have some other webservers protected by WAF which is running smoothly as well.

With our security management software I'm facing the issue that the authentication page (the first page a user sees) is not loaded. I asked the support of secova if they have experiences with WAF and Sophos UTM or web proxies in general and the answer was as follows:

Running the server that is hosting the application behind a web proxy is not a problem. They had some general hints for me.

1. Do not change paths. If the software shall be available under a subfolder from the web (e.g. http://sam.contoso.com/lessons ) then the internal path should be the same (http://sam.intern.local/lessons ). In our case, the application is provided without subfolders.

2. Contents must not be changed by the WAF.

3. Changing domains from external to internal is no problem. We are using different external and internal domains.

4. If the external side uses https but the internal does not, there has to be a header X-Forwarded-Proto set for the internal request. It is necessary for the application to know about the encryption. Since we are using encryption on the internal side as well, the header is not necessary. 

 

Now I need your help to get this done with the firewall rules and the other settings there are in WAF. So far we used trial and error to sort out what works with the protected applications, but as sam is a very dynamic application and constantly exchanges information with the client system, I'm stuck with our former approach.

 

Thanks a lot for your help!

 

Tim
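The four hints from secova describe properties a reverse proxy must preserve; the following checker, an added example and not code from the thread, secova or Sophos, applies them to a constructed pair of external (browser-to-WAF) and internal (WAF-to-backend) exchanges. The Hop class, the sample hosts and the login page body are assumptions made up for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Hop:
    """One side of the proxied exchange (constructed sample data, not a real capture)."""
    scheme: str
    host: str
    path: str
    request_headers: dict = field(default_factory=dict)
    response_body: bytes = b""


def check_proxy_hints(external: Hop, internal: Hop) -> list:
    """Return a list of violations of the four secova hints (empty list = all good)."""
    findings = []
    # Hint 1: the path the browser requests must reach the backend unchanged.
    if external.path != internal.path:
        findings.append(f"path rewritten: {external.path} -> {internal.path}")
    # Hint 2: the WAF must pass the response body through byte-for-byte,
    # so the hash the client sees must equal the hash the backend produced.
    if hashlib.sha256(external.response_body).digest() != \
            hashlib.sha256(internal.response_body).digest():
        findings.append("response body modified between backend and client")
    # Hint 3: different external and internal host names are explicitly allowed.
    # Hint 4: TLS terminated at the WAF must be announced to a plain-HTTP backend.
    if external.scheme == "https" and internal.scheme == "http":
        xfp = internal.request_headers.get("X-Forwarded-Proto", "").lower()
        if xfp != "https":
            findings.append("X-Forwarded-Proto: https missing on the internal request")
    return findings


# Constructed sample: login page served by a plain-HTTP backend behind an HTTPS WAF.
LOGIN_PAGE = b"<html><body><form action='/login'>...</form></body></html>"
GOOD = (Hop("https", "sam.contoso.com", "/login", {}, LOGIN_PAGE),
        Hop("http", "sam.intern.local", "/login", {"X-Forwarded-Proto": "https"}, LOGIN_PAGE))
# Broken setup: subfolder added externally, body rewritten, forwarded-proto header absent.
BAD = (Hop("https", "sam.contoso.com", "/lessons/login", {},
           LOGIN_PAGE.replace(b"...", b"<!-- injected -->")),
       Hop("http", "sam.intern.local", "/login", {}, LOGIN_PAGE))

if __name__ == "__main__":
    for label, pair in (("good", GOOD), ("bad", BAD)):
        print(label, check_proxy_hints(*pair))
```

Comparing the hash of the page fetched directly from the backend with the hash of the page fetched through the WAF is the quickest way to confirm hint 2 before digging into firewall-profile settings.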



  • Tim, it's not clear which are general tips from Secova, what you've done and what problems you're having.  How about showing us the Edits of the Virtual Server, Real Server and Firewall Profile. 

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    after rereading my post I have to admit that this was a really bad description of the problem, sorry about that.

    Following your hints, I attach screenshots of the edit dialogues of virtual and real server, the firewall profile and the problem. But first, I will make clear what hints from secova are and comment them for you to understand their influence on our environment.

    Since I am not sure if I am allowed to post the real FQDNs here, I will use fake ones.


     

    Hints from secova:

    Running the server that is hosting the application behind a web proxy is not a problem.

    1. Do not change paths. If the software shall be available under a subfolder from the web (e.g. http://sam.contoso.com/lessons ) then the internal path should be the same (http://sam.intern.local/lessons ).

    2. Contents must not be changed by the proxy.

    3. Changing domains from external to internal is no problem.

    4. If the external side uses https but the internal does not, there has to be a header X-Forwarded-Proto set for the internal request. It is necessary for the application to know about the encryption.


     

    Comments to hints:

    to 1: The application is available without using subfolders. DNS / IP settings are shown in the table below. DNS requests for the FQDNs lead to the desired IP addresses, so DNS works.

    network area   FQDN                                                    IP address
    internal       https://name-sam.institute.faculty.university.de        10.x.x.x
    external       https://sam.institute.de                                external address of our UTM; public, static IP address

    to 2: --

    to 3: see table

    to 4: We use https on both sides.


    What I have done:

    1. Certificate

    We use only one certificate for our UTM. All FQDNs that we are using are included in this certificate using Subject Alternative Names (SAN). I applied for a new certificate that includes the new FQDNs for sam.

    2. Create a host definition. DNS works fine.

    3. Create a real webserver.

    4. Create a firewall profile.

    5. Create a virtual webserver.


    The problem:

    When I open the application using the internal address, the login screen shows up.

    When I use the external side, the application gets stuck in the loading screen.


     

     

    I hope that it is clear now, what the problem is. Your help is appreciated already!

     

    Regards


    Tim