
Websocket connections to an external site. Blocked coming back in?

Good day all.

First time poster, but a semi-recent addition to the Sophos family, so I hope I'm in the right area. 

A vendor is attempting to connect to their AWS service via a WebSocket from a machine that is on our internal network.  From the machine itself, it can reach their AWS instance without problem and the live traffic listed below appears to agree with this. However, when they attempt to put their "Agent" on the machine, which uses WebSockets to communicate, our on-premises machine is not recognized.

During the last troubleshooting session, the vendor noted that we are using an http proxy and we need to allow their site through the proxy.  They requested we go to websocketstest.com in order to show that we are using a proxy.  (See below)

Watching the live feed, while attempting to test and refreshing the page, I see the following which I'm assuming is the above site:


In an attempt to verify the type of proxy we have, based on https://support.sophos.com/support/s/article/KB-000036493?language=en_US  I believe our vendor set up Transparent with Direct mode (hybrid).  When looking at our LAN to WAN rule, I see that Scan HTTP is selected for all services

and

Network configuration:  

Our gateway is an SD-WAN product set up in HA.  Both gateways connect to our HA Sophos XGs, currently running the last 17.x version with an eye to move to 18.0 MR4 soon.

Based on this, I'm not sure where to go next in order to resolve this situation. We allow traffic out but my guess is the inbound is where we are having the issue since I do not see traffic coming back in from any of the sites in the live feed.   

I've tried a business application forwarding rule back into the firewall, limiting traffic over the http port from those specific (and confirmed) static IP addresses, but that did not appear to resolve the problem.

My questions:

How can one "Whitelist" a websocket URL through a proxy?  

A more basic question: How can one identify what your http proxy setup is within the application itself?

Thanks for any assistance or guidance you can give me.



  • Your Invalid Traffic is simply a logging of "The application had an issue". It's not that the XG is blocking anything coming back. It's simply the application or server is closing the session and bursting the XG with RESET/FINISH packets, which XG drops.

    See: https://support.sophos.com/support/s/article/KB-000037984?language=en_US

    Some applications, generally speaking, cannot work with a proxy. If you create a test rule above this rule and disable the entire Web proxy, does it work?

    You need to figure out if the vendor uses certain Hosts or something like that. Then you can create a firewall rule like: LAN to WAN Hosts --> Do not use Proxy.

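    The reply above and the original post both turn on one question: does the WebSocket upgrade actually reach the vendor's server, or does an HTTP proxy on the path answer the request itself? The following script is an added example, not code from this thread, from Sophos, or from the vendor. It builds the RFC 6455 client handshake, validates the server's Sec-WebSocket-Accept, and classifies a non-101 answer in the ways a transparent proxy typically produces (a plain HTTP 200 with no Upgrade header, or a 407 asking for proxy credentials). The host names and captured responses inside are constructed for illustration; the sample key and accept value are the ones given in RFC 6455 itself.

```python
"""Classify a WebSocket handshake response to tell a real upgrade from a proxy reply.

Added example for this thread; not from Sophos or the vendor. All sample
responses below are constructed, the host name in the demo is a placeholder.
"""
import base64
import hashlib
import secrets
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def new_key() -> str:
    """Random 16-byte nonce, base64 encoded, as the client sends it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a genuine server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Minimal RFC 6455 client handshake."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes):
    """Return (status_code, headers) with lower-cased header names; body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_handshake(key: str, raw_response: bytes) -> str:
    """Map a raw handshake response to a short verdict string."""
    status, headers = parse_response(raw_response)
    if status == 101:
        if headers.get("upgrade", "").lower() != "websocket":
            return "upgrade-header-missing"
        if headers.get("sec-websocket-accept") != expected_accept(key):
            return "bad-accept"  # 101 came from something that did not run the RFC hash
        return "ok"
    if status == 407:
        return "proxy-auth-required"  # an explicit proxy wants credentials first
    if status == 200 and "upgrade" not in headers:
        # Plain HTTP answer: an intermediary served the GET, the Upgrade never reached the server
        return "http-200-no-upgrade"
    return f"rejected-{status}"


def check_endpoint(host: str, port: int = 443, path: str = "/",
                   use_tls: bool = True, timeout: float = 5.0) -> str:
    """Perform the handshake against a live endpoint and classify the reply (needs network)."""
    key = new_key()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        sock.sendall(build_upgrade_request(host, path, key))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    finally:
        sock.close()
    return classify_handshake(key, raw)


# Constructed samples. KEY/accept pair is the RFC 6455 section 1.3 worked example.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
PROXY_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              b"Via: 1.1 proxy.example.invalid\r\n\r\n<html>blocked</html>")
PROXY_AUTH = b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("proxy page", PROXY_PAGE), ("proxy auth", PROXY_AUTH)):
        print(f"{name:10s} -> {classify_handshake(KEY, sample)}")
    # check_endpoint("ws.vendor.example.invalid")  # placeholder host; run against the real endpoint from the agent's machine
```

    Run from the same machine as the vendor's agent: an `ok` verdict means the upgrade passed the firewall and proxy untouched, while `http-200-no-upgrade` or `proxy-auth-required` means an intermediary answered instead of the server, which is exactly the condition the "do not use proxy" host rule above is meant to remove. Comparing the verdict with and without the test rule gives a repeatable check instead of relying on a third-party test page.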

  • Thanks for the response.  I cannot create a rule higher than the one listed above, but I did create a business application rule that allows the WAN zone from specific IP addresses (verified by the vendor as static) to go through, with the destination services having port 80 and 3128 open, and forwarding that traffic directly to the computer in question using the LAN protected zone.  However, I am unsure how to bypass the proxy.  Can you point me in the right direction?

  • Lucar, your fix worked.  However, we noted that we also had to remove some protections that we'd rather keep in place.  I have a feeling a discussion with the vendor will be occurring here shortly, since using HTTP traffic shouldn't be occurring at all at this point.