
Geolocation based rules not applying correctly to WSS users


Article ID: 242991


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Users access the web through WSS using multiple access methods, including IPSEC, explicit proxy and WSS agents.

The GEO and risk license is enabled on the tenant, allowing the admin to apply geolocation-based rules.

A geolocation block for requests originating from Country X to any destination/site needs to be applied within the company due to local regulations. The following summarises the rule in place:

- Source: Geolocation (Country X)
- Destination: Any
- Limit: Any
- Verdict: Block

Despite this rule, users from Country X are still able to access resources through WSS.


Cause

GEO-based policies only work with access methods that present the user's public (non-RFC 1918) IP address to WSS.

Environment

WSS with multiple access methods

GEO restrictions

Resolution

Make sure that users coming into WSS from Country X use an access method that shows their public IP addresses. With the IPSEC access method, inbound requests into the proxy originate from non-routable RFC 1918 IP addresses, which GEO-based policies cannot resolve to a specific country.

In the above example, corporate traffic from Country X was being backhauled through an IPSEC router at a different location and then into WSS; internal routing should have blocked that traffic at the source.

If the GEO policy blocks access to specific sites rather than all sites, switch access methods for Country X and use WSS agents on the hosts there.

Additional Information

Here are some example HTTP access log entries for the key access methods, showing the ingress IP address that the proxy sees with each request:

// IPSEC access method - shows an RFC 1918 IP address that WSS cannot use to determine the source country

2022-06-02 08:37:08 "DP1-GROBU1_proxysg1" 5 10.149.210.62 Unauthenticated%20User - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET application/octet-stream http dl.delivery.mp.microsoft.com 80 /filestreamingservice/files/ac25c2d8-c06c-4fc4-bb7a-f933621a5989/pieceshash - - "Microsoft-Delivery-Optimization/10.0" 168.149.148.1 1911 313 - - - - 465048 "BCOM Loc" firewall_vpn "Microsoft Update" "Update Software" 94.14.221.240 "United Kingdom" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 94.14.221.240 - - - - - - - - - - - - - - - - - - - - - 235c50b82132299b-0000000019e722f6-00000000629876b4 168.149.148.1 168.149.148.1 "RO" "Romania"

// Explicit access method - shows a public IP address that WSS can use to determine the source country

2022-06-02 08:46:03 "DP1-GROBU1_proxysg1" 1 181.13.121.112 - - wss_latency_checker DENIED "Web Infrastructure" - 200 TCP_DENIED GET - http list.bluecoat.com 80 /ClientLatencyMon.htm - htm "PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3" 192.168.1.84 16054 221 - - - - 467465 "explicit-gdefr1-gdefr11-gdefr2-gchzu1-g" explicit_proxy "-" "-" 168.149.132.101 "Belgium" - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - - - - - - - - - - - - - - - - - - - - 235c50b82132299b-0000000019eb321d-00000000629878cb - - "Invalid" "Invalid"

// WSS Agent access method - shows a public IP address that WSS can use to determine the source country

2022-06-02 08:47:11 "DP1-GROBU1_proxysg1" 425327 162.14.57.34 BCOM\User1 "BCOM\Group1" - OBSERVED "Finance" - 0 TUNNELED unknown - ssl remote.nedbank.co.za 443 / - - - 168.149.148.1 11582 6794 - - - - 0 "client" client_connector "-" "-" 16.14.196.62 "South Africa" CERT_VALID none - - TLSv1.3 TLS_AES_128_GCM_SHA256 128 remote.nedbank.co.za "Finance" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 16.14.196.62 "South Africa" - "Montenegro" 2 2 unified-agent architecture=x86_64%20name=Windows%2010%20Enterprise%20version=10.0.19044 4.10.3.225009 162.14.57.34 612fe55e-0687-47ad-aa5c-fc677a55346c EMEABGDLT729 - - - - - - - - - 2001:0DB8:1f90:0ec5:708c:320c:21a4:08a0 235c50b82132299b-0000000019ebaa73-0000000062987765 16.14.148.3 16.14.148.3 "RO" "Romania"
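As an added example (not part of the original article), the following Python script tokenizes access log lines like those above, extracts the ingress client IP (assumed to be the fifth field, as in the sample entries) and flags entries whose source is an RFC 1918 address, i.e. the requests a geolocation rule cannot match. The sample lines are trimmed copies of the three entries above.

```python
import ipaddress
import re
from typing import Dict, List

# RFC 1918 ranges: a request arriving from one of these (e.g. IPSEC backhaul)
# carries no country information, so a Geolocation-based rule cannot match it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tokenizer for the space-separated access log; quoted fields keep their spaces.
TOKEN = re.compile(r'"[^"]*"|\S+')

# Assumption: the client IP is the 5th field (index 4), as in the sample entries above.
CLIENT_IP_FIELD = 4


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in one of the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def check_entry(line: str) -> Dict[str, object]:
    """Return the ingress IP of one log line and whether a GEO rule can evaluate it."""
    fields = TOKEN.findall(line)
    ip = fields[CLIENT_IP_FIELD]
    private = is_rfc1918(ip)
    return {"client_ip": ip, "rfc1918": private, "geo_rule_possible": not private}


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Check every real log line, skipping blanks and '//' comment lines."""
    return [check_entry(l) for l in lines if l.strip() and not l.startswith("//")]


# Constructed, trimmed copies of the three sample entries above (same leading fields).
SAMPLE_LOG = [
    '2022-06-02 08:37:08 "DP1-GROBU1_proxysg1" 5 10.149.210.62 Unauthenticated%20User - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET',
    '2022-06-02 08:46:03 "DP1-GROBU1_proxysg1" 1 181.13.121.112 - - wss_latency_checker DENIED "Web Infrastructure" - 200 TCP_DENIED GET',
    '2022-06-02 08:47:11 "DP1-GROBU1_proxysg1" 425327 162.14.57.34 BCOM\\User1 "BCOM\\Group1" - OBSERVED "Finance" - 0 TUNNELED unknown',
]

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        verdict = "GEO rule cannot resolve country" if r["rfc1918"] else "GEO rule can resolve country"
        print(f'{r["client_ip"]:>16}  {verdict}')
```

Running the script reports the first (IPSEC) entry as unresolvable and the explicit and agent entries as usable by a GEO rule; the same check can be run over an exported log to find which access methods are bypassing a geolocation block.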