Upgraded to 3.1, URL wildcards not working


L4 Transporter

Just upgraded to 3.1.0 from 3.0.6.

I had the following URL filtering profile that I used on an inbound rule with SSL decryption so that people could only connect to valid Exchange/Outlook Web Access URLs:

webmail.ourdomain.co.uk/favicon.ico

webmail.ourdomain.co.uk/Exchange

webmail.ourdomain.co.uk/Exchweb

webmail.ourdomain.co.uk/Microsoft-Server*

webmail.ourdomain.co.uk/OMA

webmail.ourdomain.co.uk/public

webmail.ourdomain.co.uk/rpc

When I upgraded, that rule stopped working, which I found is because the wildcard syntax has changed in 3.1.

The issue is that it seems the PAN truncates the entire URL that is fed to the Exchange server, so I can't filter on the full-length virtual directory name, which is /Microsoft-Server-Activesync. If I add that to my URL policy I see blocks in the URL logs for:

URL: webmail.ourdomain.co.uk/microsoft-server-activesync?user=joe&devic

URL: webmail.ourdomain.co.uk/microsoft-server-activedeviceid=imei35766301

How do I fix this please?
4 REPLIES

L5 Sessionator

In the change in 3.1.x, wildcards need to be preceded or followed by the following separators:

     .

     /

     ?

     &

     =

     ;

     +

Every substring that is separated by the characters listed above is considered a token.  A token can be any number of ASCII characters that does not contain any separator character or *.  For example, the following patterns are valid:

*.yahoo.com   (tokens are *,  yahoo, and com)

www.*.com   (tokens are www, *, and com)

www.yahoo.com/search=*    (tokens are www, yahoo, com, search, * )

*webmail.ourdomain.co.uk/Microsoft-Server** is invalid because "*" is not the only character in the token, i.e. "*webmail" and "Server**". Without valid separators your filter won't work.
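The token rule described in the reply above can be checked mechanically before an upgrade. The following is an added example, not part of the original thread and not vendor code; the function names are hypothetical, and it implements only the rule as stated in the reply (split on the listed separators, and a token is either exactly `*` or ASCII text with no `*`).

```python
import re

# Separator characters listed in the reply above.
SEPARATORS = "./?&=;+"
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + "]")


def tokenize(pattern):
    """Split a URL pattern into tokens on the separator characters."""
    return [tok for tok in _SPLIT.split(pattern) if tok]


def invalid_tokens(pattern):
    """Return tokens that break the rule as described in the thread:
    a token is either exactly '*' or ASCII text containing no '*'."""
    bad = []
    for tok in tokenize(pattern):
        if tok == "*":
            continue
        if "*" in tok or not tok.isascii():
            bad.append(tok)
    return bad


def lint(patterns):
    """Map each pattern that needs rewriting to its offending tokens."""
    report = {}
    for p in patterns:
        bad = invalid_tokens(p.strip())
        if bad:
            report[p] = bad
    return report


# Patterns taken from the thread: the profile entries from the question
# and the examples the reply gives as valid.
THREAD_PATTERNS = [
    "webmail.ourdomain.co.uk/favicon.ico",
    "webmail.ourdomain.co.uk/Exchange",
    "webmail.ourdomain.co.uk/Microsoft-Server*",
    "webmail.ourdomain.co.uk/rpc",
    "*.yahoo.com",
    "www.*.com",
    "www.yahoo.com/search=*",
]

if __name__ == "__main__":
    for pattern, bad in lint(THREAD_PATTERNS).items():
        print(f"{pattern}: '*' is not alone in token(s) {bad}")
```

The hyphen is not in the separator list, so `Microsoft-Server*` is a single token that mixes text with `*`, which is why that profile entry is the one reported.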

Thanks for the reply.

I had read that. The problem is that the PAN won't recognize the true URL; it seems to truncate it.

The actual virtual Exchange directory would be "webmail.ourdomain.com/Microsoft-Server-Activesync" but if I enter that I see blocks because as per the log entry that I posted, the PAN seems to truncate the entire URL.

I could simply list webmail.ourdomain.com but the whole idea here is that I want to only allow access to the legitimate Outlook/Exchange Virtual Directories in IIS.

It's possible that this is a bug because it shouldn't be truncating. Please open a case with your support on this one.

Have done (Vadition).  Presumably there are other customers using a PAN to reverse proxy Exchange/OWA?  I can't imagine I'm trying to do anything unusual so if anyone's reading who is doing this, be interested to know your config.
