Imperva Cyber Community

  • 1.  Help with client vs server traffic

    Posted 02-01-2021 15:09
    Edited by Fred Percynski 02-01-2021 15:18
    Hello,
    When defining a site in Securesphere, under HTTP Service, on the Reverse Proxy tab, in the section for Transparent Reverse Proxy it refers to a "client" port, a "client" SSL settings, a "server" port, and a "server" SSL settings. (see attached screenshot)   I have two questions about client vs server as traffic is going through Securesphere.  (see attached diagram to help with questions)

    1) Traffic from a user on the Internet passes through the edge firewall going to the RedHat proxy server.  As the traffic is passing through the Securesphere what is the client and what is the server?

    2)  The RedHat proxy server then initiates a connection to the mailbox server. As the traffic is passing through Securesphere what is the client and what is the server?

    Please know that I am new to working with Securesphere so feel free to ask me for more details.
    - Fred

    PS - I know some are going to ask why there is a RedHat proxy server behind the WAF.  It's a valid question, but for now let's just leave that out of the discussion.
    PPS - Another valid question might be why the mailbox server is in the Core instead of being in the DMZ.  Again, let's leave that out of the discussion.
    #On-PremisesWAF(formerlySecuresphere)


  • 2.  RE: Help with client vs server traffic

    Posted 02-01-2021 15:30
    Edit: unable to upload a pdf or png screenshot to this forum.   So how about this:

    1) Traffic from a user on the Internet passes through the edge firewall going to the RedHat proxy server.  As the traffic is passing through the Securesphere what is the client and what is the server?

    User on Internet, with source IP 105.90.90.90, goes to https://mailbox.domain.com which has IP address 40.107.1.1
    Traffic passes through Edge firewall which NAT translates public IP 40.107.1.1 to private IP 172.16.1.1
    Traffic passes through Securesphere << what is client and what is server at this point?
    Traffic gets to RedHat reverse proxy server with IP 172.16.1.1

    Internet --> Edge firewall --> Securesphere --> RedHat reverse proxy server

    2)  The RedHat proxy server then initiates a connection to the mailbox server. As the traffic is passing through Securesphere what is the client and what is the server?

    RedHat reverse proxy server 172.16.1.1 needs to communicate to internal mailbox server.
    Traffic passes through Securesphere  << what is client and what is server at this point?
    Traffic passes through Edge firewall
    Traffic passes through Core firewall
    Traffic gets to Mailbox server with IP 192.168.1.1

    RedHat --> Securesphere --> Edge firewall --> Core firewall --> Mailbox server

    ------------------------------
    Thanks,
    Fred
    ------------------------------



  • 3.  RE: Help with client vs server traffic
    Best Answer

    Posted 02-04-2021 04:52
    Edited by Fred Percynski 02-09-2021 15:46
    Hi Fred,

    Firstly, I suggest reading the User Guide on this topic if you haven't already.
    https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/3097.htm


    To make it simple, I think you can understand it like this:
    In the network path, WAF is listening to requests from "Clients", and passing the request to "Servers".



    Let's move on to details.

    1)
    For WAF in reverse proxy modes, "Client" ports and SSL settings mean the "listening" interface that is facing the source of the incoming HTTP requests.
    (and "Server" settings refer to the outgoing interface, that is facing the "next stop" to which the HTTP requests will go after leaving WAF.)
    - Note that we are talking about HTTP requests. To avoid confusion, forget about HTTP responses when you are thinking about the directions.

    Taking your example,
    User from public (105.90.90.90), goes to https://mailbox.domain.com which has IP address 40.107.1.1, and with NAT to internal IP 172.16.1.1.
    - Let's assume that your server is listening to HTTPS traffic at the default port 443.

    User (105.90.90.90) ----> mailbox.domain.com (40.107.1.1) at port 443 ---- [WAF] ----> 172.16.1.1 listening at port 443

    Here, when the HTTP request comes to the WAF, you expect the WAF to listen on port 443 to "receive" the HTTP request from the user side. ---> Client port = 443.
    Next, your internal server (172.16.1.1) is also expecting HTTP requests at port 443. ---> Server Port = 443.


    2)
    First of all, I have a question: does your "RedHat reverse proxy server" communicate with the "internal mailbox server" over the HTTP protocol?
    - If not, I guess you don't need to care about it.

    If yes, it depends on whether you are going to protect the mailbox server with the WAF, since in this case the mailbox server is the "destination" of the HTTP request. The "destination of the HTTP request" is the protected target of the WAF.

    We may discuss further based on your answer.


    Hope it helps!


    ------------------------------
    Louis Tsoi
    Associate Consultant
    Cyberforce Limited
    ------------------------------
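
A toy model of the client-side/server-side split described in the answer above, added here as an example and not taken from the thread or from Imperva: a one-connection TCP relay in which the listening socket plays the "Client" port and the outgoing connection targets the "Server" port. The loopback addresses, ephemeral ports and the names `Backend`, `pump`, `relay_once` and `demo` are assumptions; SecureSphere's transparent mode and SSL settings are not modelled.

```python
import socket
import threading
from contextlib import suppress
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

class Backend(BaseHTTPRequestHandler):  # stand-in for the protected web server
    def do_GET(self):
        body = b"hello from backend"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def pump(src, dst):
    """Copy bytes one way until src closes, then pass the EOF on to dst."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def relay_once(listener, server_addr, seen):
    """Accept one request on the client side and forward it to the server side."""
    downstream, _ = listener.accept()  # client side: HTTP requests arrive here
    with downstream, socket.create_connection(server_addr) as upstream:
        seen["client_port"] = downstream.getsockname()[1]  # port the relay listens on
        seen["server_port"] = upstream.getpeername()[1]    # port of the next stop
        back = threading.Thread(target=pump, args=(upstream, downstream))
        back.start()                   # responses travel back on the same two sockets
        pump(downstream, upstream)
        back.join()

def demo():
    backend = HTTPServer(("127.0.0.1", 0), Backend)    # constructed backend, ephemeral port
    threading.Thread(target=backend.handle_request, daemon=True).start()
    listener = socket.create_server(("127.0.0.1", 0))  # the relay's "client port"
    seen = {}
    proxy = threading.Thread(target=relay_once, daemon=True,
                             args=(listener, backend.server_address, seen))
    proxy.start()
    client_port = listener.getsockname()[1]
    conn = HTTPConnection("127.0.0.1", client_port, timeout=5)  # the "user"
    conn.request("GET", "/")
    body = conn.getresponse().read()
    conn.close()
    proxy.join(5)
    listener.close()
    backend.server_close()
    return body, client_port, backend.server_port, seen
```
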