SOAPAction and Watchguard firewall
If you are doing SOAP web services and specify SOAPAction and have a
Watchguard firewall you should be aware that the SOAP headers may be
removed from the HTML when passed through the firewall. I fought this
sucker for 4 days. Following is what will appear in the HTTP log.
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<soap:Fault>
<faultcode>soap:Client</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Unable to
handle request without a valid action parameter. Please supply a valid soap
action.
at
System.Web.Services.Protocols.Soap11ServerProtocolHelper.RouteRequest()
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type,
HttpContext context, HttpRequest request, HttpResponse response,
Boolean& abortProcessing)</faultstring>
<detail />
</soap:Fault>
</soap:Body>
</soap:Envelope>
To fix the problem the Watchguard .cfg file has to be changed as follows:

1. Add the specific headers to the Watchguard configuration file. This
   is the recommended option because it is more secure than number 2.
   a) Open Firebox's configuration file (.cfg) with a text editor; you
      will find a list of allowed headers.
   b) Add the following headers to 2 lists in the file,
      default.proxies.http.known_headers and
      services.HTTP.proxies.http.known_headers. These are standard
      headers for MS .NET protocol.
         SOAPAction
         X-Powered-By
         X-AspNet-Version
   c) After editing, upload the .cfg file into Policy Manager and save
      the configuration to the Firebox.
2. Turn off the Remove Unknown Headers setting in your HTTP proxy
   settings. This option is less secure, but can be done instead of
   option 1.
After applying the above change to the firewall the web service started to
work using HTTP but fails using HTTPS with the same SOAP response as above.
Haven't run this down yet but it appears that the SOAPAction header is
missing when sending the request. Following is what appears in the HTTP
log.
09/06/2006 07:41:30 Serial Number:
04:A2:38:5B:FB:8B:57:1F:A5:57:DF:F6:A4:36:15:C2
09/06/2006 07:41:30 Common Name: testtrans.pg.secureexchange.net
09/06/2006 07:41:30 Country: US
09/06/2006 07:41:30 State/Province: Texas
09/06/2006 07:41:30 Locality: Allen
09/06/2006 07:41:30 Org Unit: Heartland Payment Systems
09/06/2006 07:41:30 Org: Exchange
09/06/2006 07:41:30 Issuer Org: VeriSign Trust Network
09/06/2006 07:41:30 Issuer Org Unit: VeriSign, Inc.
09/06/2006 07:41:30
09/06/2006 07:41:30 Protocol Used: TLS Version 1
09/06/2006 07:41:30 http_persist_post(): entered
09/06/2006 07:41:30 http_long_ParseURL(): entered
09/06/2006 07:41:30 do_post(): entered
09/06/2006 07:41:30 POST /wswebservices/transact.asmx HTTP/1.1
Host: testtrans.pg.secureexchange.net
Content-Type: text/xml; charset=utf-8
Expect: 100-continue
Content-Length: 825
09/06/2006 07:41:30
09/06/2006 07:41:30 recvresp(): entered
09/06/2006 07:41:30 HTTP/1.1 100 Continue
09/06/2006 07:41:30 SetError() #13: HTTP/1.1 100 Continue
09/06/2006 07:41:30 senddoc(): entered
09/06/2006 07:41:30 <?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><PostXML
xmlns="http://tempuri.org/TransGateway/Transact"><clientid>966</clientid><siteid>99999999</siteid><priceid>464</priceid><password>password</password><ver>V5R2M0</ver><product>OS400
ILE RPG
IV</product><key>XXX-XXX-XXXX-XXXX</key><XMLData><request><cardnumber>1111111111111117</cardnumber><expmonth>07</expmonth><expyear>2007</expyear><cvv2>111</cvv2><amount>150.00</amount><firstname>JOHN</firstname><lastname>DOE</lastname><address>123
STREET</address><city>RUSSELLVILLE</city><state>AR</state><zip>72811</zip><transtype>AUTH</transType></request></XMLData></PostXML></soap:Body></soap:Envelope>
09/06/2006 07:41:30
09/06/2006 07:41:30 recvresp(): entered
09/06/2006 07:41:30 HTTP/1.1 500 Internal Server Error.
Date: Wed, 06 Sep 2006 12:54:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Content-Length: 848
09/06/2006 07:41:31 SetError() #13: HTTP/1.1 500 Internal Server Error.
09/06/2006 07:41:31 recvdoc parms: identity 848
09/06/2006 07:41:31 header_load_cookies() entered
09/06/2006 07:41:31 recvdoc(): entered
09/06/2006 07:41:31 SetError() #0:
09/06/2006 07:41:31 <?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<soap:Fault>
<faultcode>soap:Client</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Unable
to handle request without a valid action parameter. Please supply a
valid soap action.
at
System.Web.Services.Protocols.Soap11ServerProtocolHelper.RouteRequest()
at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type
type, HttpContext context, HttpRequest request, HttpResponse response,
Boolean& abortProcessing)</faultstring>
<detail />
</soap:Fault>
</soap:Body>
</soap:Envelope>
I don't think this problem is related to the firewall. In reviewing the log
it appears that the "SOAPAction:
http://tempuri.org/TransGateway/Transact/PostXML" is missing on the header.
Note: The reason you are seeing date/time in the log is because I changed
the debug_write module to output a date/time when logging and also changed
the http_close module to not end debug logging. This was causing the log
to be cleared if an error occurred in the XML parser and I was not able to
see the flow of all events.
Rusty Gadberry
Arkansas Data Services, Inc.
Makers of DOCS/400
501-327-8000 office
www.ark-data-services.com
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
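
Added example (not part of the original post): a Python check that reads a debug log in the layout quoted above, lists text/xml POSTs that were sent without a SOAPAction header, and models how an allow-list of known headers drops SOAPAction until it is added to the list. The sample log, host, paths and function names are constructed for illustration; strip_unknown is a simplified model of header allow-listing, not WatchGuard's implementation.

```python
import re

# Constructed sample in the layout of the log quoted in the post; host and paths are made up.
SAMPLE_LOG = """\
09/06/2006 07:41:30 POST /svc/a.asmx HTTP/1.1
Host: example.test
Content-Type: text/xml; charset=utf-8
09/06/2006 07:41:30
09/06/2006 07:41:30 HTTP/1.1 500 Internal Server Error.
Content-Type: text/xml; charset=utf-8
09/06/2006 07:41:31 POST /svc/b.asmx HTTP/1.1
Host: example.test
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://example.test/b/Op"
09/06/2006 07:41:31
"""

TS = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ?")
REQ = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def parse_requests(log_text):
    """Return one dict per logged request; header names are lower-cased."""
    requests, current = [], None
    for raw in log_text.splitlines():
        stamp = TS.match(raw)
        if stamp:  # a timestamped entry ends any header block in progress
            m = REQ.match(raw[stamp.end():].strip())
            current = {"method": m[1], "path": m[2], "headers": {}} if m else None
            if current:
                requests.append(current)
        elif current is not None and ":" in raw:
            name, _, value = raw.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return requests

def missing_soapaction(requests):
    """Paths of text/xml POSTs (SOAP 1.1 over HTTP) sent without SOAPAction."""
    return [r["path"] for r in requests
            if r["method"] == "POST"
            and r["headers"].get("content-type", "").startswith("text/xml")
            and "soapaction" not in r["headers"]]

def strip_unknown(headers, known):
    """Simplified model of an allow-list proxy: drop headers not in `known`."""
    allowed = {k.lower() for k in known}
    return {k: v for k, v in headers.items() if k in allowed}

if __name__ == "__main__":
    print(missing_soapaction(parse_requests(SAMPLE_LOG)))
```

Run against a client-side log, missing_soapaction shows whether the header was absent before the request left the client, which separates a client problem from header stripping by a proxy in the path.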