Blason_R
Leader

Has anyone tried adding MAB portal behind WAF or reverse Proxy?

Hi Team,

 

I am trying to figure out if the Check Point SSL VPN/MAB portal can be routed through a WAF or reverse proxy. I tried with nginx; I am able to log in, but it fails at the SNX.

Has anyone tried this before? Is it really needed to put the MAB portal behind WAF? Are we gonna get any benefit out of it?

TIA

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
5 Replies
PhoneBoy
Admin

MAB is effectively a reverse proxy and it's designed with security in mind.
Not sure that you will see much security benefit from putting MAB behind a WAF.
In any case, the WAF will most likely require some level of tuning in order to permit the necessary traffic for SNX.

0 Kudos
Blason_R
Leader

Well, I decided to debug, and as I said I can log in successfully, but when SNX pops up it does not go any further after that. Can someone help me here?

Here are the logs; it does not go any further after this, and I receive an error at the SNX popup.

45.112.144.190 - - [19/Sep/2021:10:41:10 +0530] "GET /Login/ComponentFrame?nPageMode=2&snxVersion=80,0,0064,18 HTTP/1.1" 200 1150 "https://xx.xx.xx.xx/SNX/extender" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin

What precisely is this a log from?

0 Kudos
Blason_R
Leader

Are you referring to those logs? Those are nginx reverse proxy logs, and when I debugged further I observed that the Mobile Access Portal is sending or hopping to WebSocket once the connection is established, which is sending an Upgrade header.

I am not sure whether that would help? 

I guess a little more persistence from me and assistance from you guys would definitely help me to achieve the solution.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin

Certainly the more information you can provide the better.
That said, SNX surely expects to talk to the MAB gateway directly and isn't meant to be proxied through something else.

0 Kudos
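
Added example, not part of any post in this thread: nginx does not forward the hop-by-hop `Upgrade` and `Connection` headers to the upstream by default, so an upgrade request like the one described above is dropped at the proxy unless they are passed explicitly. The hostnames, address and file paths below are placeholders (assumptions), and nothing in this thread establishes that SNX works once the upgrade is passed through.

```nginx
# Added example; every name, address and path here is a placeholder.
# The map block belongs in the http {} context.
# It sends "Connection: upgrade" upstream only when the client asked for
# an upgrade, and "Connection: close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name portal.example.com;                     # placeholder

    ssl_certificate     /etc/nginx/tls/portal.crt;      # placeholder
    ssl_certificate_key /etc/nginx/tls/portal.key;      # placeholder

    location / {
        proxy_pass https://192.0.2.10;                  # gateway, placeholder address

        # The upgrade handshake needs HTTP/1.1 to the upstream; the nginx
        # default for proxied requests is HTTP/1.0.
        proxy_http_version 1.1;

        # Hop-by-hop headers are stripped unless set explicitly.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # nginx does not verify the upstream certificate by default.
        # Without these, the proxy-to-gateway leg accepts any certificate.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/gateway-ca.pem;  # placeholder
        proxy_ssl_server_name         on;
        proxy_ssl_name                gateway.example.com;            # placeholder

        # An upgraded connection that is idle longer than
        # proxy_read_timeout (default 60s) is closed by nginx.
        proxy_read_timeout 1h;
    }
}
```

With this in place, a successful upgrade shows up in the nginx access log as status 101 on the upgrading request; if the request still returns 200 or an error, the upgrade is not being completed.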
