Imperva Cyber Community


SSL VPN behind on-prem WAF

  • 1.  SSL VPN behind on-prem WAF

    Posted 21 days ago
    Looking for advice on how to troubleshoot a problem when using Securesphere on-prem WAF in Transparent Reverse Proxy mode.
    We have a Pulse Secure SSL VPN appliance connected to the WAF. A user on the Internet initiates an HTTP connection to the VPN appliance. This traffic goes through the WAF and then to the VPN appliance. Once logged into the VPN, the user clicks a link to initiate an RDP session to an internal workstation. The RDP traffic also goes back through the WAF to reach the internal network. When the WAF is running in bridged mode the RDP session works fine. But when the WAF is running in TRP the RDP session is never established. Something on the WAF is blocking the RDP traffic and I don't have enough experience to know where to look or how to troubleshoot. Any ideas are appreciated.

    I'm aware of Imperva's official position that they don't support VPN products because they can't "speak" VPN. But the fact is we get a lot of value by having the WAF protect the VPN site. The WAF blocks known malicious IPs, etc. So we would like to continue using the WAF but need it to work in TRP. The reason for switching from bridged mode to TRP is to allow the VPN to use DHE ciphers.

    -Fred

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Fred
    ------------------------------


  • 2.  RE: SSL VPN behind on-prem WAF

    Imperva Employee
    Posted 21 days ago
    Hi,

    VPN connections are NOT supported by our WAF GW, as mentioned in this KB: https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Does-Imperva-WAF-support-VPN-traffic

    When we detect the RDP protocol we block it as a non-HTTP protocol. In bridge mode (TRP the same) we are unable to decrypt the traffic, so we just short-circuit it.

    Thanks,

        Eyal



    ------------------------------
    Eyal Gur
    ------------------------------



  • 3.  RE: SSL VPN behind on-prem WAF

    Posted 20 days ago
    Hi,

    I am aware that "officially" the VPN connections are not supported by the WAF GW. However, when we use the WAF GW in bridged mode everything works perfectly fine. Do you have any insight about what the WAF GW is doing in TRP mode that causes RDP traffic to break?

    Also, according to the notes in this document (https://docs.imperva.com/bundle/v12.6-web-application-firewall-user-guide/page/3097.htm?_ga=2.135997874.2047178774.1593008236-538298162.1586896570): "All traffic not directed to one of the specified Ports on Server IP address is bridged and inspected according to the server group, service and application applied rules." The only port we have added to the Server IP is 443. Since RDP is using port 3389, shouldn't that traffic be bridged?

    ------------------------------
    Fred Percynski
    Third Federal Savings and Loan
    Cleveland OH
    ------------------------------



  • 4.  RE: SSL VPN behind on-prem WAF

    Imperva Employee
    Posted 19 days ago

    This is basically a tunneling encapsulation, so the traffic between the two VPN endpoints goes through port 443.

    In bridge mode it is short-circuited; however, in TRP mode, as this is using a reverse proxy on top of bridge, we cannot short-circuit before we have headers, and since in RDP there are no headers we block the traffic.

    Thanks,

        Eyal



    ------------------------------
    Eyal Gur
    ------------------------------
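A toy model of the two behaviours described in the thread, added here as an illustration and not code from Imperva or the WAF: after TLS has been terminated, bridge mode short-circuits any stream on the server port that does not start with an HTTP request line, while TRP mode has to parse headers before it can proxy, so the same headerless tunnel payload is blocked. The port set, the sample HTTP request and the sample TPKT/RDP-style bytes are all constructed assumptions.

```python
import re

# Assumption from the thread: 443 is the only port configured on the Server IP.
SERVER_PORTS = {443}

# An HTTP/1.x request line at the very start of the (already decrypted) stream.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)

# Constructed sample inputs (not captured from the poster's environment).
HTTP_SAMPLE = b"GET /login HTTP/1.1\r\nHost: vpn.example.invalid\r\n\r\n"
# TPKT header (0x03 0x00 + length) followed by an X.224 Connection Request:
# an RDP-style opening with no HTTP request line or headers at all.
RDP_SAMPLE = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"


def looks_like_http(first_bytes: bytes) -> bool:
    """True when the stream opens with a complete HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def bridge_decision(dst_port: int, first_bytes: bytes) -> str:
    """Bridge mode: non-server ports are bridged; on a server port, HTTP is
    inspected and anything else is short-circuited (passed through untouched)."""
    if dst_port not in SERVER_PORTS:
        return "bridged"
    return "inspect" if looks_like_http(first_bytes) else "short-circuit"


def trp_decision(dst_port: int, first_bytes: bytes) -> str:
    """TRP mode: the reverse proxy needs parsed headers before it can forward,
    so a stream on a server port with no HTTP request line is blocked."""
    if dst_port not in SERVER_PORTS:
        return "bridged"
    return "proxied" if looks_like_http(first_bytes) else "blocked"


if __name__ == "__main__":
    # The tunneled RDP bytes arrive on 443, so the port filter never bridges them.
    for mode, decide in (("bridge", bridge_decision), ("TRP", trp_decision)):
        print(mode, "HTTP on 443:", decide(443, HTTP_SAMPLE))
        print(mode, "RDP-in-tunnel on 443:", decide(443, RDP_SAMPLE))
        print(mode, "RDP direct on 3389:", decide(3389, RDP_SAMPLE))
```

The 3389 case shows why the "unlisted ports are bridged" note does not help here: the RDP session rides inside the VPN tunnel on 443, so the proxy sees it on the server port.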



  • 5.  RE: SSL VPN behind on-prem WAF

    Community Manager
    Posted 21 days ago
    @Fred Percynski thank you for the post. Also, thanks @Eyal Gur for the comments. It looks like another customer asked this question previously. Please take a look below.

    Also, you can create a feature request here. Other customers can vote on this idea and the PMs will assess it and make decisions from there.


    Question:
    Does Imperva WAF support VPN traffic?

    Answer: 
    Imperva has received inquiries regarding the ability to support VPN traffic, mainly those VPN connections using HTTPS, through the WAF. This is the current Imperva position for supporting inspection of VPN connections using the Imperva WAF.

    The Imperva WAF solution protects our customers' applications that are accessed using the HTTP or HTTPS protocols. This current support model expects that the connection is established with these protocols and follows those protocol requirements throughout the connection, including connection termination.

    Imperva tests and verifies every aspect of these HTTP(S) application connections before it will announce support. Without the proper vetting Imperva cannot and will not announce support for a protocol flow. To that end Imperva has never tested or verified inspection of VPN connections when that data flow traverses the Imperva WAF. Therefore Imperva is not able to support this type of data flow.

    At the current time Imperva does not support any level of inspection for VPN connections.



    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------