
message security over http


How does PA handle message security over http?

Whereas https secures the communication, message security secures the content.

I would expect PA not to touch http content. But we are having issues with an application that connects to a partner's server.

The application throws this error; I guess it's a pretty default .NET error:

An error occurred while receiving the HTTP response to http://blabla/blablaConnectorHostService.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down).

The partner says it has something to do with large transfers that get interrupted. I'm guessing it happens somewhere on the firewall.



@dieterb wrote:

Where can I find application-specific timeouts?

Never mind, found it (Objects -> Applications).


@dieterb wrote:

@TranceforLife wrote:

This is how I understand the 3-way handshake :0 If you are not using User-ID on the trust zone, please disable this feature under the zone configuration.

We heavily use User-ID for that zone. But for some traffic, that doesn't matter. User "Any" solves that problem for most cases.


OK, the problem is indeed related to User-ID: http traffic triggers an NTLM authentication request on the firewall (if there's no user-to-IP mapping). The application did not know how to handle that and reset the session.

The trick was to put the client's fixed IP address in the exclude list for user identification for the zone, not only in the User-ID agent exclude list and/or the PA User-ID exclude list (which most of the time just worked because it was not http traffic).

Now the firewall doesn't ask for NTLM auth and traffic passes fine.

I also found out that it's not possible to disable NTLM entirely; is that correct? Maybe because of captive portal?
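The symptom described in this thread (a plain-HTTP client that resets the session when the firewall's User-ID/captive portal answers with an NTLM challenge instead of the expected response) can be confirmed from the raw HTTP response before touching the firewall configuration. The following is an added example, not code from the thread or from Palo Alto Networks: it parses HTTP/1.1 response bytes and reports whether a 401/407 carries an `NTLM` or `Negotiate` challenge. The two sample responses are constructed for the example; the hostnames and the exact headers a real captive portal emits are assumptions, so capture the actual response (for instance with a packet capture from the affected client) and feed those bytes in.

```python
"""Detect an NTLM/Negotiate challenge in a plain-HTTP response.

Added example (not from the original thread). If a client that expects a
normal 200 from a partner's .svc endpoint instead receives a 401 with
WWW-Authenticate: NTLM, an in-path device (e.g. a firewall captive portal
doing User-ID) is most likely answering on the server's behalf.
"""
from typing import Dict, List, Tuple

# Constructed sample responses (assumed shapes, not captured from the thread).
NORMAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"<ok/>"
)

NTLM_CHALLENGE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status_code, headers) from raw HTTP/1.x response bytes.

    Header names are lower-cased; repeated headers (common for
    WWW-Authenticate) are preserved as a list in arrival order.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    status = int(status_line[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines rather than fail
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def ntlm_challenge_schemes(raw: bytes) -> List[str]:
    """Return the NTLM-family auth schemes offered in a 401/407 response.

    Negotiate is included because it commonly wraps NTLM. An empty list
    means the response is not a challenge the client would have to answer.
    """
    status, headers = parse_response(raw)
    if status not in (401, 407):
        return []
    offered = headers.get("www-authenticate", []) + headers.get("proxy-authenticate", [])
    schemes = [value.split(" ", 1)[0] for value in offered]
    return [s for s in schemes if s.lower() in ("ntlm", "negotiate")]


def explain(raw: bytes) -> str:
    """Human-readable verdict for a captured response."""
    schemes = ntlm_challenge_schemes(raw)
    if not schemes:
        return "no NTLM/Negotiate challenge in response"
    return "in-path authentication challenge offered: " + ", ".join(schemes)


if __name__ == "__main__":
    for label, resp in (("normal", NORMAL_RESPONSE), ("captive portal", NTLM_CHALLENGE_RESPONSE)):
        print(f"{label}: {explain(resp)}")
```

If the captured response to the partner's endpoint shows a challenge while the partner's own server never issues one, the firewall zone's User-ID settings (and the exclude list for the client's IP, as resolved above) are where to look; the firewall's session logs should then show the session ending at the challenge rather than mid-transfer.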
