You are viewing limited content. For full access, please sign in.

Discussion

Discussion

Admin Console uses non-SSL'd communication when "Connect with SSL" is selected.

Laserfiche Security
Updated October 28, 2014
posted on September 18, 2014

With a cloud/internet hosted solution, it's critical to ensure that no end user accidentally connects to the LF server over the internet with an un-encrypted connection.  When clients use WebAccess, this is easily enforceable at the server via IIS configuration for enforcing HTTPS connections and redirecting non-HTTPS’d connections. But for the LF desktop, there’s no server side enforcement mechanism.  

 

This is discussed in other "answers" topics, and the recommendation is to implement a setting in the registry of client machines that enforces HTTPS/SSL’d connections only.  But there are many scenarios where the client is unwilling or unable to manage that across their entire deployed base of LF desktop clients.   In this event, the recommendation then is to block inbound TCP 80 to the LF server at your firewall. 

 

While this works successfully to ensure LF Desktop Clients can't connect over an unencrypted connection, it then breaks the ability to use the desktop LF Admin Console… which we find users still prefer to use over the WebAdmin solution. 

 

This is true EVEN when you tell LF Admin to connect to an LF Server using SSL, because as part of initializing the connection to a repository, the admin console still makes a connection over TCP 80.

 

Using Wireshark to analyze the traffic, I find this pattern of communication occurs before you actually get to the point of being prompted for a login to a repository:

 

1) admin console <=== TCP 443 ===> LF Server

2) admin console <=== TCP 80 ===> LF Server

3) admin console <=== TCP 443 ===> LF Server

 

The second communication appears to request data about the repository’s configuration, and the response is a MIME formatted response described as "application/vnd.laserfiche.report". 

 

Without that data, the admin console fails to progress to step 3, which is where you get the prompt to log into your repository.  So you get...

 

1) admin console <=== TCP 443 ===> LF Server

2) admin console <=== TCP 80 ===X (blocked) LF Server

... and never progresses to connecting to the repository

 

So... blocking port 80 to ensure no accidental unencrypted client connections works fine, but breaks admin console connectivity.

 

That communication in step two determines the destination port dynamically, so changing LF Server's "listening port" value from 80 to something non-standard, like port 81, you'll see:

 

1) admin console <=== TCP 443 ===> LF Server

2) admin console <=== TCP 81 ===> LF Server

3) admin console <=== TCP 443 ===> LF Server

 

This works fine, but requires you to deviate from common ports to non-standand ports, and make one-off FW rules to accommodate this solution.

 

That's all do-able, but the real question is.. why does the admin console make an HTTP/TCP80, non-SSL’d connection in the middle of a communication that it was told to use SSL for? 

 

Am I missing something here?   Or is there a solution (other than what I've described above with my port 81 example) that meets the requirements of:

 

a. ensuring no un-encrypted desktop client connections can occur

b. keeps the admin console working without switching LF server listening port to non-standard.

 

This becomes increasingly relevant with more users moving to cloud based hosting of their LF installations.

1 0
replied on October 27, 2014

Is there a way to know the timeline for an update that includes a given SCR?  I'm specifically asking with regard to the SCR noted in this discussion topic, SCR 120647, but am also curious more broadly for any given SCR. 

Thanks. 

0 0
replied on October 28, 2014

We don't have an SCR portal as those simply have too much variance. We may intend to target an SCR for a particular release or service pack and then find out we can't actually address it without other changes that won't be present until a future version. Or we may find that it introduced other regression issues and need to pull it for the time being.

As to your specific item, SCR 120647 is currently targeted for inclusion in an upcoming 9.1.1 service pack that we'd like to have avaliable in the next 2-4 weeks. See all the above caveats about SCR timeframes though, of course.

1 0
replied on October 9, 2014

Just an update for anyone following this topic...   I did ultimately open a support ticket on this, and after providing LF tracing and network captures, I received the following update noting an SCR was opened on it: 

"Basically if port 80 is blocked, the Admin console is reverting back to HTTP when in should be using SSL. The result of which is you cannot get a repository listing. The SCR for your reference is 120647. We will let you know when the status of the SCR changes."

0 0
replied on October 9, 2014

Just to clarify, this doesn't happen in all cases. The admin console incorrectly reverts to HTTP if you are logged into windows as a user that the LF server doesn't recognize. If you are on the same domain as the Laserfiche server, the SSL connection should work properly. This has been fixed and we will look into releasing a patch.

2 0
replied on October 9, 2014

Thanks for the additional clarification.  I was wondering why you all couldn't reproduce it in your environment, but that makes sense now.  

0 0
replied on September 18, 2014

What version of the admin console is this? I'm pretty sure we tested SSL with port 80 blocked.

0 0
replied on September 18, 2014

9.1.1.486

0 0
replied on September 18, 2014

We tried this with the latest 9.1 admin console and it works for us with port 80 blocked (and it doesn't attempt any port 80 requests). Please open a support case so we can further troubleshoot the issue.

0 0
replied on September 18, 2014

The most useful thing for debugging this is a client-side trace, which you can enable from the client in Help->About->Tracing->LFSO Tracing & WinHTTP tracing. Turn this on, reproduce the problem of LFAdmin not being able to connect with port 80 blocked, and provide the trace logs to support.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...