
SOAPAction and Watchguard firewall






If you are doing SOAP web services and specify SOAPAction and have a
Watchguard firewall you should be aware that the SOAP headers may be
removed from the HTML when passed through the firewall.  I fought this
sucker for 4 days.  Following is what will appear in the HTTP log.

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Unable to
handle request without a valid action parameter. Please supply a valid soap
action.
   at
System.Web.Services.Protocols.Soap11ServerProtocolHelper.RouteRequest()
   at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
   at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type,
HttpContext context, HttpRequest request, HttpResponse response,
Boolean&amp; abortProcessing)</faultstring>
      <detail />
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

To fix the problem the Watchguard .cfg file has to be changed as follows:


   1. Add the specific headers to the Watchguard configuration file. This
      is the recommended option because it is more secure than number 2.

      a) Open Firebox's configuration file (.cfg) with a text editor; you
      will find a list of allowed headers.

      b) Add the following headers to 2 lists in the file,
      default.proxies.http.known_headers and
      services.HTTP.proxies.http.known_headers. These are standard
      headers for MS .NET protocol.

      SOAPAction
      X-Powered-By
      X-AspNet-Version

      c) After editing, upload the .cfg file into Policy Manager and save
      the configuration to the Firebox.


   2. Turn off the Remove Unknown Headers setting in your HTTP proxy
      settings. This option is less secure, but can be done instead of
      option 1.

After applying the above change to the firewall the web service started to
work using HTTP but fails using HTTPS with the same SOAP response as above.
Haven't run this down yet but it appears that the SOAPAction header is
missing when sending the request.  Following is what appears in the HTTP
log.

   09/06/2006 07:41:30 Serial Number:
   04:A2:38:5B:FB:8B:57:1F:A5:57:DF:F6:A4:36:15:C2
   09/06/2006 07:41:30 Common Name: testtrans.pg.secureexchange.net
   09/06/2006 07:41:30 Country: US
   09/06/2006 07:41:30 State/Province: Texas
   09/06/2006 07:41:30 Locality: Allen
   09/06/2006 07:41:30 Org Unit: Heartland Payment Systems
   09/06/2006 07:41:30 Org: Exchange
   09/06/2006 07:41:30 Issuer Org: VeriSign Trust Network
   09/06/2006 07:41:30 Issuer Org Unit: VeriSign, Inc.
   09/06/2006 07:41:30
   09/06/2006 07:41:30 Protocol Used: TLS Version 1
   09/06/2006 07:41:30 http_persist_post(): entered
   09/06/2006 07:41:30 http_long_ParseURL(): entered
   09/06/2006 07:41:30 do_post(): entered
   09/06/2006 07:41:30 POST /wswebservices/transact.asmx HTTP/1.1
   Host: testtrans.pg.secureexchange.net
   Content-Type: text/xml; charset=utf-8
   Expect: 100-continue
   Content-Length: 825

   09/06/2006 07:41:30
   09/06/2006 07:41:30 recvresp(): entered
   09/06/2006 07:41:30 HTTP/1.1 100 Continue


   09/06/2006 07:41:30 SetError() #13: HTTP/1.1 100 Continue
   09/06/2006 07:41:30 senddoc(): entered
   09/06/2006 07:41:30 <?xml version="1.0" encoding="utf-8"?><soap:Envelope
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><PostXML
 xmlns="http://tempuri.org/TransGateway/Transact"><clientid>966</clientid><siteid>99999999</siteid><priceid>464</priceid><password>password</password><ver>V5R2M0</ver><product>OS400
 ILE RPG
   IV</product><key>XXX-XXX-XXXX-XXXX</key><XMLData><request><cardnumber>1111111111111117</cardnumber><expmonth>07</expmonth><expyear>2007</expyear><cvv2>111</cvv2><amount>150.00</amount><firstname>JOHN</firstname><lastname>DOE</lastname><address>123
 STREET</address><city>RUSSELLVILLE</city><state>AR</state><zip>72811</zip><transtype>AUTH</transType></request></XMLData></PostXML></soap:Body></soap:Envelope>
   09/06/2006 07:41:30
   09/06/2006 07:41:30 recvresp(): entered
   09/06/2006 07:41:30 HTTP/1.1 500 Internal Server Error.
   Date: Wed, 06 Sep 2006 12:54:46 GMT
   Server: Microsoft-IIS/6.0
   X-Powered-By: ASP.NET
   X-AspNet-Version: 1.1.4322
   Cache-Control: private
   Content-Type: text/xml; charset=utf-8
   Content-Length: 848


   09/06/2006 07:41:31 SetError() #13: HTTP/1.1 500 Internal Server Error.
   09/06/2006 07:41:31 recvdoc parms: identity 848
   09/06/2006 07:41:31 header_load_cookies() entered
   09/06/2006 07:41:31 recvdoc(): entered
   09/06/2006 07:41:31 SetError() #0:
   09/06/2006 07:41:31 <?xml version="1.0" encoding="utf-8"?>
   <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
     <soap:Body>
       <soap:Fault>
         <faultcode>soap:Client</faultcode>
         <faultstring>System.Web.Services.Protocols.SoapException: Unable
   to handle request without a valid action parameter. Please supply a
   valid soap action.
      at
   System.Web.Services.Protocols.Soap11ServerProtocolHelper.RouteRequest()
      at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
      at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type
   type, HttpContext context, HttpRequest request, HttpResponse response,
   Boolean&amp; abortProcessing)</faultstring>
         <detail />
       </soap:Fault>
     </soap:Body>
   </soap:Envelope>

I don't think this problem is related to the firewall. In reviewing the log
it appears that the "SOAPAction:
http://tempuri.org/TransGateway/Transact/PostXML" is missing on the header.

Note: The reason you are seeing date/time in the log is because I changed
the debug_write module to output a date/time when logging and also changed
the http_close module to not end debug logging.  This was causing the log
to be cleared if an error occurred in the XML parser and I was not able to
see the flow of all events.

Rusty Gadberry
Arkansas Data Services, Inc.
Makers of DOCS/400
501-327-8000 office
www.ark-data-services.com


-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
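
One way to tell the two failure modes in this post apart (a proxy allowlist that removes SOAPAction versus a client that never sends it) is to read the request headers straight out of the debug log. This is an added example, not code from the original message or the tool it describes; the base allowlist, host name and sample log lines are constructed, and only the three .NET header names and the SOAPAction URI come from the post.

```python
import re

# Constructed allowlist standing in for known_headers; NOT WatchGuard's real default list.
BASE_KNOWN = {"host", "content-type", "content-length", "expect"}
# The three headers the post says to add to both known_headers lists.
DOTNET_HEADERS = {"soapaction", "x-powered-by", "x-aspnet-version"}

TS = re.compile(r"^\s*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ?")  # debug-log timestamp prefix
REQ = re.compile(r"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]$")

def request_headers(log_text):
    """Return {lowercased name: value} for the first request in the debug log."""
    headers, in_request = {}, False
    for raw in log_text.splitlines():
        line = TS.sub("", raw).strip()
        if not in_request:
            in_request = bool(REQ.match(line))
            continue
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def strip_unknown(headers, known):
    """Model 'Remove Unknown Headers': keep only allowlisted header names."""
    return {k: v for k, v in headers.items() if k in known}

def diagnose(log_text, known):
    """Say whether SOAPAction was never sent or would be removed in transit."""
    sent = request_headers(log_text)
    if "soapaction" not in sent:
        return "client did not send SOAPAction"
    if "soapaction" not in strip_unknown(sent, known):
        return "proxy strips SOAPAction"
    return "SOAPAction reaches server"

# Constructed samples in the debug-log layout shown in the post.
LOG_NO_ACTION = """\
09/06/2006 07:41:30 POST /wswebservices/transact.asmx HTTP/1.1
Host: service.example.test
Content-Type: text/xml; charset=utf-8
Expect: 100-continue
Content-Length: 825

09/06/2006 07:41:30 recvresp(): entered
"""
LOG_WITH_ACTION = LOG_NO_ACTION.replace(
    "Expect:", 'SOAPAction: "http://tempuri.org/TransGateway/Transact/PostXML"\nExpect:')
```

Run `diagnose()` on the client-side log first: if the header is absent there, no change to the firewall's allowlist will fix the fault.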