Esxi host behind waf. Esxi console (cannot connect), always getting 404 for "/ticket/...." path. How to get it working?

Salut, Daniel, and welcome to the UTM Community!

Please show the corresponding line from the log file when you see the 404 message.

Cheers - Bob

Hi, here is an example

Note: public ip and server addreses have been replaced in this post with <public_ip> and<server_address>

Path /ticket/* always running to 404 behind waf, otherwise, without waf it works just fine

/var/log/reverseproxy.log:2017:09:22-08:54:19 daf-utm httpd: id="0299" srcip="<public_ip>" localip="192.168.100.18" size="0" user="-" host="<public_ip>" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="15898" url="/ticket/8267abdebc8cccc9" server="<server_address>" port="443" query="" referer="-" cookie="vmware_client=VMware; vmware_soap_session=\"a298de2cef58024dd483bd8987d4a27d842213b7\"" set-cookie="-" uid="WcSli8CoZBIAABh3dkEAAADF"

Are there additional log entries preceding this one?  There should be one or more lines, in a different format, that indicate which WAF rule is firing.

If you have url hardening enabled, you may have to experiment to find all the paths that need to be configured as entry points.

Are there additional log entries preceding this one?  There should be one or more lines, in a different format, that indicate which WAF rule is firing.

If you have url hardening enabled, you may have to experiment to find all the paths that need to be configured as entry points.

Hi,

There is no additional log entry preceeding this one.

Initially i had some rules triggered but i have added all to exception list. Even with no firewall profile i get 404.

Url hardening is disabled.

Any other ideas?

If Doug's suggestion of adding a path doesn't help, what does Sophos Support say?

Cheers - Bob

I would really love to hear what Sophos Support has to say. I have a Home license, therefore I have no support, except community.

I'm also thinking about the possibility that wss protocol is used for some things and might not be supported by UTM, but this would be crazy since wss is standard since very long time ago and most of the UTM alternatives are supporting it without any problems.

As far as I understand, WAF looks for clean HTML traffic.  If the VMWare client is using a proprietary protocol underneath the HTTPS session, then WAF is probably not the right tool for you.

SSL VPN is probably an alternative to consider.   You don't really need to protect against hostile content after the session is established, since presumably the VMWare client should be able to talk to the VMWare server safely.   SSL VPN is a way of preventing unwanted clients from gaining access, especially if it is linked with One-Time Password or with remote IP address restrictions.

Hi,

I'm not referring to any proprietary protocol, it's possible that create host ui uses websocket (ws/wss) which is standard since long time ago and it is used at large scale, at least on html5 websites.

I'm also not talking about any create client. I'm referring to vmware host ui (web) behind wan and  accessed via browser from outside.

Hi,

Do you have any news?

My problem is still not answered.

Thank you

Daniel, I don't think websocket is supported.  You might look in Ideas to find the suggestion to add it so you can vote for and comment on that.

Cheers - Bob