Mark_Levin
Participant

LT issues with URLs in JavaScript

Hello community!

We have an issue with LT of URLs in JavaScript. Our customer has an SAP portal (with workers' accounts) published through the MAB portal. The first page of the SAP portal works correctly, but other pages are loaded as iframes, and the URLs of these iframes are transmitted to the client side (browser) in the form of a JavaScript variable (i.e. "var xxx = https\x3a\x2f\x2fYYYY\x2dZZZZ.HHHH.HH", where Y, Z, H are normal URL characters). I can see this through HTTP debug on the client side (e.g. Fiddler, as recommended in the MAB ATRG). The HTTPD log on the gateway doesn't show anything about this JavaScript or these specific URLs. It seems the gateway just doesn't see these URLs.

Gateway version is R80.10, SMS version is R80.40. The MAB policy is configured in Unified Policy mode (we have tried Legacy Policy mode, with the same results), the LT method is Hostname Translation (URL Translation and Path Translation both don't work; they show other errors), and the portal's certificate and wildcard DNS are fine. Also, MAB is configured to translate links of all domains.

 

Has anybody seen such issues?

Also, a more general question: how does MAB work with LT? Is it parsing of the HTML code, or translation of the links after executing the dynamic content of the page?

 

Thanks in advance!

5 Replies
PhoneBoy
Admin

It does a little of both.
Note that only specific web applications will work correctly with Link Translation as there are infinite ways to do links particularly with Javascript.
You may have to use SNX in Network or Application Mode to use the site correctly.
Mark_Levin
Participant

Yes, with the full VPN client or SNX everything works fine. The client can reach URLs inside JavaScript through the LAN without the MAB portal. Unfortunately, in some cases the customer can't use this scheme.

Is it possible to use some regexp to tell the gateway to translate specific text of an HTML page? For example, in the MAB ATRG there is a reference to the Substitute.features.conf file with some Apache regular expressions (in the section on LT issues of the ATRG). But the document says that this is for Path Translation (PT). I didn't find any other information about this file or any example of how to use it.

PhoneBoy
Admin

That file is mentioned here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I suppose you could modify it to suit your need.
Mark_Levin
Participant

Hello community!

Finally, with support's help, we found a solution (for the software versions specified in the first post and also for R81 after the update).

Step 1.

We have to use regular expressions to help the gateway translate URLs encoded in JavaScript. These regular expressions should be configured in the $CVPNDIR/conf/httpd.conf file after the following:

#----------------------------------------------------------------
   # HT Configurations - START
#----------------------------------------------------------------
CvpnHTAddStringForReplaceAndRunTranslation 'https\x3a\x2f\x2fYYYY\x2dZZZZ.HHHH.HH' 'https://YYYY-ZZZZ.HHHH.HH'

Step 2.

Also, in the same file we should check some options which are relevant to translation. These options are:

CvpnTranslateRequestBody On
AllowEncodedSlashes On

 

Step 3.

Also, we added our internal links to the $CVPNDIR/conf/includes/Web_inside_location.conf file:

CvpnAcceptEncodingForUrl https://YYYY-ZZZZ.HHHH.HH

 

It seems MAB can’t do dynamic translations (from the perspective of dynamic content such as JavaScript).

 

Additional step.

Specifically, in our case we have multiple SAP hosts behind the MAB portal, and according to SAP logic the client should be redirected between them a few times during navigation. This behavior creates an additional issue. The gateway appends an X-Frame-Options header with the value SAMEORIGIN to each translated HTTP response, which is designed to prevent clickjacking attacks, but in our situation it prevents normal operation, so we can disable this by commenting out the following line in the $CVPNDIR/conf/includes/HT.virtualhost.conf file:

#Header always append X-Frame-Options SAMEORIGIN

 

Additional step on R81.

Also, after the update to R81 we needed to disable the Web Intelligence module (it seems some of our URLs were blocked by this module). This can be done through the $CVPNDIR/conf/httpd.conf file by commenting out the following line:

#LoadModule wi_module $CVPNDIR/lib/libModWI.so

(This is also mentioned in the Administration Guide for R81, ‘MAB Configuration and Settings’.)

 

Maybe it will help someone with similar issues. Of course all of the described steps should be done ONLY with support and after clear debug.

 

Many thanks to support team!
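
Added example (not part of the original posts and not Check Point tooling): a Node.js helper that scans a captured response body, such as one saved from the client-side HTTP debug, for hostnames hidden behind \xNN or \uNNNN escapes as in Step 1, and prints one candidate httpd.conf line per distinct escaped literal. The two-argument, single-quoted directive format is assumed from the Step 1 line above; the sample body and hostnames are constructed.

```javascript
'use strict';
// Added example. Finds absolute URLs whose "://" is written with JavaScript
// escapes (\x3a\x2f\x2f or \u003a\u002f\u002f) in a captured response body.

// Scheme, escaped "://", then host characters; inside the host only escaped
// "-" (2d) and "." (2e) are accepted, so the match stops before the path.
const ESCAPED_ORIGIN =
  /https?(?:\\x3a|\\u003a)(?:\\x2f|\\u002f){2}(?:\\x2[de]|\\u002[de]|[a-z0-9.-])+/gi;

// Decode only \xNN and \uNNNN escapes; all other text is left untouched.
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Map each distinct escaped literal to its decoded origin (scheme + host).
function findEscapedOrigins(body) {
  const found = new Map();
  for (const [escaped] of body.matchAll(ESCAPED_ORIGIN)) {
    if (found.has(escaped)) continue;
    try {
      found.set(escaped, new URL(decodeJsEscapes(escaped)).origin);
    } catch {
      // Not a parseable URL after decoding: skip rather than guess.
    }
  }
  return found;
}

// Assumption: the directive takes two single-quoted arguments, as in Step 1.
function toDirectives(body) {
  return [...findEscapedOrigins(body)].map(([escaped, origin]) =>
    `CvpnHTAddStringForReplaceAndRunTranslation '${escaped}' '${origin}'`);
}

// Constructed sample body; the hostnames are placeholders, not from the thread.
const sampleBody = String.raw`
var frameUrl = "https\x3a\x2f\x2fsap\x2dhr.corp.example\x2firj\x2fportal";
var helpUrl  = "https\u003a\u002f\u002fsap\x2dhelp.corp.example\u002fdocs";
var plain    = "https://sap-hr.corp.example/already/unescaped";
var again    = "https\x3a\x2f\x2fsap\x2dhr.corp.example\x2fother";
`;

console.log(toDirectives(sampleBody).join('\n'));
```

Each distinct spelling of the same host (\x versus \u escapes, different case) yields its own line, because the replacement works on the literal string as it appears in the response.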

_Val_
Admin

Thanks for sharing, it's greatly appreciated
