This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RichUK
Contributor
‎2021-05-12 03:23 AM

Web Application not working through SSL VPN

Hi all,

I have a web application that is not working through the SSL VPN. Internally, the web application works ok and also through a Cisco ASA SSL VPN, but when used through Checkpoint, the web application 'dashboard' doesn't display after successfully logging in.

The web server is hosted internally and has two portals, a user portal and management. Through the SSL VPN, the user portal works ok but not the management. I believe the website is using JavaScript.

The user portal and management portal are configured as separate Web Application objects with the URL pointing to the relevant portals.

I have gone through the troubleshooting guide and put the SG into debug and trace mode and had a good look through the logs but can't see any reason why the 'home' page hangs once successfully logged in. I also have access to the web servers IIS logs and they all report 200 codes.

I have tried all the options in the protection level with caching in the web application object.

I can get the management portal to work if I configure the Web Application as a 'Domino Web Access (iNotes)' type, but this seems hit and miss.

Is there anything I could search for in the logs to help identify this issue? or any 'bypasses' configured for that site to rule out IPS etc

Many thanks

Rich

 

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2021-05-12 04:36 AM

Are you using reverse proxy option? Try that. If no change, I would recommend a TAC case.

Is there anything special about those web applications?

0 Kudos
RichUK
Contributor
‎2021-05-19 02:05 AM
In response to _Val_

I believe we are not using the reverse proxy. We already run services through the portal, Citrix, Outlook Web Access, etc, would enabling the reverse proxy cause an issue with existing apps? 

I've been doing some testing with the Web Application configured as iNotes vs not, and comparing logs. The following are from the browser's f12 tools and only shows two differences.

Working (iNotes)

<script src="https://gxxxxxx.xxxxxx.xk/sslvpn/Portal/CPPTfunctions.js"></script><script>var __CP_ENABLE_INOTES__ = true;</script>

vs

Not Working

<script src="https://gxxxxxx.xxxxxx.xk/sslvpn/Portal/CPPTfunctions.js"></script>

and also 

Working (iNotes)

top.document.location.replace("ETADM001GF.SWITCHROLE?RID=" + pRoleID + "&RCHK=" + pResubChk + "&USESSION=" + pSessID);

vs

Not Working

top.__CP_PT_FUNC_replace__(document.location,"ETADM001GF.SWITCHROLE?RID=" + pRoleID + "&RCHK=" + pResubChk + "&USESSION=" + pSessID);

In the httpd.log:

Replacing (document.location.replace("ETADM001GF.SWITCHROLE?RID=" + pRoleID + "&RCHK=" + pResubChk + "&USESSION=" + pSessID)) with (__CP_PT_FUNC_replace__(document.location,"ETADM001GF.SWITCHROLE?RID=" + pRoleID + "&RCHK=" + pResubChk + "&USESSION=" + pSessID)) matched by pattern 45

What is pattern 45 and can the matching be stopped per site \ page? Or am I best just raising a TAC case?

(On a side issue, two Web Access objects configured differently, but with the same URL and published into MA only ever uses one of the objects no matter which one you select in the portal)

TIA

Rich

 

0 Kudos
Martin_Raska
Advisor
Advisor
‎2021-05-19 02:46 AM
In response to RichUK

What translation method do you using in Web application object? If website is using any java script you should probably need host translation as a method link translation.

0 Kudos
RichUK
Contributor
‎2021-05-19 03:31 AM
In response to Martin_Raska

I have tried Path Translation and URL Translation, with every variant of Browser Caching under Protection Level. Only setting the Web Application to a 'Domino Web Access (iNotes)' type makes the website work through MA.

0 Kudos
cshekar
Explorer
‎2021-11-11 09:45 PM
In response to RichUK

HI i am facing the same issue with two different application, Pages are not loading after successfully login.

Please help us with resolution.

 

Thanks windchill.JPGdc.JPG

0 Kudos
cshekar
Explorer
‎2021-11-11 09:53 PM
In response to RichUK

Hi,

We are also facing  same challenge, Web pages are not loading after the successfully login.

Please find attached screenshot and kindly help us to resolve the issue.

Thanks

 

Preview file
29 KB
Preview file
28 KB
0 Kudos
RichUK
Contributor
‎2021-11-16 09:46 AM
In response to cshekar

Hi cshekar

Our issue was to do with the application and DNS. The application had the same name internally and externally, which pointed to either the internal server or the DMZ.

Within the application there were hardcoded paths to images and other components of the application. When used over the SSL VPN, for whatever reason, some elements decided not to use the SSL VPN and then connected to the DMZ server. At this point, the application had sessions coming from both the internal and external application servers at the same time.

I never got to the bottom of why certain elements \ links would break out of the SSL tunnel, neither why setting the application as a Domino Web Access (iNotes) server got the application working.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events