Jump to content


Photo

SSL and 64bit browser

Started by Patrick Kennelly , 17 July 2017 - 09:06 AM
4 replies to this topic

Patrick Kennelly Members

Patrick Kennelly
  • 86 posts

Posted 17 July 2017 - 09:06 AM

We have NS v 10.5 and would appear that the APPFW policy is causing some errors for users who connect to the website using a 64bit browser.

 

Has anyone seen anything like this?

 

My website sits behind a Vserver that is nat'd to an external address and has an SSL cert on it.  the internal comms between the NS and the IIS server is just plain.

 

Do I need to have the APPFW policy on? I already have a firewall in place and the NS sits in between too.



Ross Bender Members

Ross Bender
  • 143 posts

Posted 17 July 2017 - 11:47 AM

It's not a bad idea to still use the appfw. It allows for more software defined security characteristics.

Are there certain keywords that the browser is using that are triggering the appfw? Perhaps check the learned rules to see if the browser's user agent or other properties are triggering a WAF hit.

Carl Stalhood CTP Member

Carl Stalhood
  • 12,283 posts

Posted 17 July 2017 - 12:16 PM

Are you clear on the difference between AppFW and regular firewall? A regular firewall operates at Layer 4, which means it allows or denies port numbers. NetScaler AppFW inspects HTTP Requests (Layer 7) and allows or denies them. The firewall rules are application specific, so it's unlikely that one AppFW configuration would work for more than one website. You generally need to go through a learning and testing process for each website to make sure AppFW doesn't block anything legitimate.

Patrick Kennelly Members

Patrick Kennelly
  • 86 posts

Posted 17 July 2017 - 01:12 PM

Yes I am clear on the difference, its an odd problem. I cant see any untoward and the policy has worked for a long time, I think its since the most recent firmware upgrade we have had the problem



Carl Stalhood CTP Member

Carl Stalhood
  • 12,283 posts

Posted 17 July 2017 - 01:40 PM

Syslog should show you if the AppFW Policy/Profile is blocking anything.