ZTNA application is returning redirect url with non standard port


Article ID: 434934


Products

Symantec ZTNA

Issue/Introduction

A web application fails to work via ZTNA because its redirect responses point to the application with the client port rather than the server port.

For example, the server returns:

Location: example.luminatesec.com:45161

Instead of:

Location: example.luminatesec.com

Environment

ZTNA

Cause

The application accessed via ZTNA takes the value of the "X-Forwarded-Port" header and uses it in the redirect URL, which breaks the application.

Here is a sample HTTP request to a test Python server, sent via ZTNA, showing the headers that ZTNA adds to the request:

Internet Protocol Version 4, Src: 10.0.0.1, Dst: 10.0.0.2
Transmission Control Protocol, Src Port: 54242, Dst Port: 80, Seq: 1, Ack: 1, Len: 1443
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
    Host: 10.0.0.2\r\n
    User-Agent: Some user agent string\r\n
    Referer: https://example.luminatesec.com/\r\n
    Sec-Ch-Ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"\r\n
    Upgrade-Insecure-Requests: 1\r\n
    X-Forwarded-For: 127.0.0.1\r\n
    X-Forwarded-Host: python-web-server-app.example.luminatesec.com\r\n
    X-Forwarded-Port: 45161\r\n
    X-Forwarded-Proto: HTTPS\r\n
    Connection: close\r\n

Resolution

Because ZTNA adds the header by default and it cannot be deleted in the ZTNA application UI (Web application -> advanced -> request customisation fields), we need to add a custom header named "X-Forwarded-Port" with a white space as its value (" " without the double quotes in the value field) to avoid those redirect problems, as illustrated below (the space value is selected with the mouse to make it visible).
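
The following Python sketch is an added example, not part of the original article and not Symantec or application code. It shows how a backend that builds its redirect URL from the forwarded headers ends up with port 45161 in the Location, and why a blank "X-Forwarded-Port" removes it. The function name and the handling of a blank value are assumptions; a given application or framework may treat a whitespace-only header differently.

```python
# Added illustration: how a backend might build a redirect Location from the
# forwarded headers shown in the capture. Function and variable names are
# hypothetical; real frameworks differ in how they treat a blank port.

DEFAULT_PORTS = {"http": "80", "https": "443"}


def redirect_location(headers, path="/"):
    """Build an absolute redirect URL from X-Forwarded-* headers."""
    scheme = headers.get("X-Forwarded-Proto", "http").strip().lower()
    host = headers.get("X-Forwarded-Host", headers.get("Host", "")).strip()
    port = headers.get("X-Forwarded-Port", "").strip()

    # A blank (whitespace-only) value strips to "" and is treated as absent.
    if not port:
        return f"{scheme}://{host}{path}"
    # Reject anything that is not a valid TCP port instead of echoing it.
    if not port.isdigit() or not 0 < int(port) <= 65535:
        raise ValueError(f"invalid X-Forwarded-Port: {port!r}")
    # Default ports are omitted from the URL.
    if DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}{path}"
    return f"{scheme}://{host}:{port}{path}"


# Headers as they appear in the capture above.
CAPTURED = {
    "Host": "10.0.0.2",
    "X-Forwarded-For": "127.0.0.1",
    "X-Forwarded-Host": "python-web-server-app.example.luminatesec.com",
    "X-Forwarded-Port": "45161",
    "X-Forwarded-Proto": "HTTPS",
}

# Same request after the custom header overrides the port with a single space.
WORKAROUND = dict(CAPTURED, **{"X-Forwarded-Port": " "})

if __name__ == "__main__":
    print(redirect_location(CAPTURED))    # redirect carries the client port
    print(redirect_location(WORKAROUND))  # redirect has no explicit port
```

To confirm the workaround on a real application, capture the request on the server side and check that "X-Forwarded-Port" arrives blank and that the Location header in the response no longer carries a port.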