WSS administration is done via UPE.
SAML authentication is enabled for all users accessing WSS services explicitly.
Users' browsers point to proxy.threatpulse.net (port 8080); users are never redirected to the configured SAML IDP server for authentication.
Browser plugins such as SAML Tracer, or the browser developer tools, show that when accessing any web site via WSS the user is correctly redirected to https://saml.threatpulse.net:8443 before seeing timeout errors such as the following:
UPE Managed WSS tenant
On-premises proxy has DNS restrictions
DNS restrictions pushed out to WSS tenant
DNS lookup restrictions pushed out to WSS tenant
Disable DNS restrictions via UPE, or keep the DNS restrictions but define exceptions for the threatpulse.com domain as shown below:
Prior to this change, the policy pushed out included the following CPL, which was causing WSS to fail to complete the authentication:
restrict dns
. ; all
end
restrict rdns
all
end
The /HTTP/DEBUG output on the proxy gives a clue that DNS is involved (the DoH handoff lines in the non-working trace). With that DNS clue, we could identify the DNS restrictions and validate that the issue was related to them.
// Working
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 Returning 200 OK for CONNECT
5821.752 HTTP Explicit HTTP DEBUG HTTP CW 10E0D5DFA40 [Return_http_message]
5821.752 HTTP Explicit HTTP DEBUG HTTP CW 10E0D5DFA40 [Set_transaction_icap_response_info]
5821.752 HTTP Explicit HTTP DEBUG HTTP CW 10E0D5DFA40 [Return_http_status]
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 CONNECT URL destined for cert auth service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 CONNECT URL (after DNS resolution) destined for service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 Looking for secure service at '199.19.250.205:8443' (idx=0):
5821.752 HTTP Explicit HTTP DEBUG HTTP CW 10E0D5DFA40 [Handoff_local_service]
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 request from: 10.230.0.37, URL: tcp://saml.threatpulse.net:8443/
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 ClassificationID: 13
5821.752 HTTP Explicit HTTP DEBUG HTTP CW 10E0D5DFA40 [Determine_flow]
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 SET_FUNCTION_PTR: CW_Object::Determine_flow line: 954
// Non working
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 Returning 200 OK for CONNECT
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Return_http_message]
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Set_transaction_icap_response_info]
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Return_http_status]
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Detect_tcp_tunnel_protocol]
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Set_up_http_connect_tunnel]
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 SET_FUNCTION_PTR: CW_Object::Set_up_http_connect_tunnel line: 4491
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 Choosing tunneled request flow
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Determine_cacheability_flow]
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Handoff_RTMPT_Request]
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 DoH handoff bypassed
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 DoH: (not detected). Unsupported method 65538
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Handoff_doh_request]
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 application name = none
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 Could not determine service for tcp://saml.threatpulse.net:8443/
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Handoff_local_service]
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 request from: 10.230.0.30, URL: tcp://saml.threatpulse.net:8443/
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 ClassificationID: 13
5344.615 HTTP Explicit HTTP DEBUG HTTP CW 10DB62A5A40 [Determine_flow]
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 SET_FUNCTION_PTR: CW_Object::Determine_flow line: 954
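As an added illustration (not part of the original article), the following Python snippet parses /HTTP/DEBUG lines in the format shown above, groups them by the CW transaction ID, and reports for each CONNECT to the SAML authentication host whether the proxy handed off to the realm service or logged "Could not determine service" (the symptom seen when the DNS restrictions are in force). The sample lines are copied from the working and non-working traces above; the regular expressions, verdict names and the `classify_saml_handoffs` function are my own assumptions, not proxy code.

```python
import re
from collections import defaultdict

# Sample input: a subset of the working (10E0D5DFA40) and non-working
# (10DB62A5A40) /HTTP/DEBUG lines from the article.
SAMPLE_LOG = """\
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 Returning 200 OK for CONNECT
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 CONNECT URL destined for cert auth service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 CONNECT URL (after DNS resolution) destined for service 'SAML_realm_service' at 199.19.250.205:8443
5821.752 HTTP Explicit HTTP INFO HTTP CW 10E0D5DFA40 request from: 10.230.0.37, URL: tcp://saml.threatpulse.net:8443/
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 Returning 200 OK for CONNECT
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 DoH handoff bypassed
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 Could not determine service for tcp://saml.threatpulse.net:8443/
5344.615 HTTP Explicit HTTP INFO HTTP CW 10DB62A5A40 request from: 10.230.0.30, URL: tcp://saml.threatpulse.net:8843/
""".replace("8843", "8443")

# "<ts> HTTP <mode> HTTP <level> HTTP CW <txn> <message>" (assumed layout)
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) HTTP \S+ HTTP (?P<level>\w+) HTTP CW "
                     r"(?P<txn>[0-9A-Fa-f]+) (?P<msg>.*)$")
URL_RE = re.compile(r"request from: (?P<client>[\d.]+), URL: (?P<url>\S+)")
SERVICE_RE = re.compile(r"destined for (?:cert auth )?service '(?P<service>[^']+)'")
NO_SERVICE = "Could not determine service for "


def classify_saml_handoffs(log_text, auth_host="saml.threatpulse.net"):
    """Return {txn: {client, url, service, verdict}} for CONNECTs to auth_host."""
    txns = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a CW transaction line
        rec, msg = txns[m["txn"]], m["msg"]
        if (u := URL_RE.search(msg)):
            rec["client"], rec["url"] = u["client"], u["url"]
        elif (s := SERVICE_RE.search(msg)):
            rec["service"] = s["service"]  # local auth service resolved
        elif msg.startswith(NO_SERVICE):
            rec["lookup_failed"] = True    # service lookup failed (DNS blocked)
    results = {}
    for txn, rec in txns.items():
        if auth_host not in rec.get("url", ""):
            continue                      # only the SAML auth CONNECTs matter
        if rec.get("service"):
            verdict = "handoff_ok"
        elif rec.get("lookup_failed"):
            verdict = "service_not_found"
        else:
            verdict = "inconclusive"
        results[txn] = {"client": rec.get("client"), "url": rec.get("url"),
                        "service": rec.get("service"), "verdict": verdict}
    return results


if __name__ == "__main__":
    for txn, info in classify_saml_handoffs(SAMPLE_LOG).items():
        print(txn, info["client"], info["verdict"])
```

A `service_not_found` verdict for every client is what the DNS restriction produces; a mix of verdicts across clients points at a per-client path instead.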