Question

Lookup Rules Traffic

asked on October 13, 2022

Having an odd issue with a client. We have a forms process developed that has a few lookup rules. Nothing big, a table return as well as an address list.

The datasource for these is local to the Forms server. It's a different database but the same SQL server as Forms.

Everything works just fine from the server and from various computers on the City network.

However, we found that the lookup fails on workstations on the Police side of things.  Turns out that they are on the State's network and not the City network.  There certainly must be communication between the two because users are able to access Forms, their Inbox, and open tasks with no problem.

To clarify, by "lookup fails" I mean if I am on the City network, I click in the address field and get a list. If on the State network, I click in the same address field and nothing comes back, so it's for sure the lookup rules not working.

Does anyone know what ports or what could be being blocked between the two networks?  It's odd that everything works fine except for the lookup rules.

Thanks,

Chris

0 0

Answer

SELECTED ANSWER
replied on October 19, 2022

Posting the resolution here that was found:

So Jason, they do have a DMZ (which we knew). What no one noticed was that on some machines, there was a URL re-direct. It would direct some people to the external URL while others internal. They are so close to the same no one noticed.

The datasource configuration is using a Windows account that is pointing to a servername.

The servername from the outside is not a thing. I also don't believe the windows account would work from the outside either.

I tested the datasource from the external page and it failed.  I updated it to use IP and a local SQL account and got a success.  

So in all, there was a sneaky URL redirect that would send some users outside to where the configuration of the datasource was invalid.

 

0 0
replied on October 19, 2022

I had a feeling lol.

0 0

Replies

replied on October 13, 2022

What type of credentials is the Forms data source using?

Are the Police users accessing Forms using the same URL as internal users, or are they accessing it from another instance, such as a public-facing instance in the DMZ?

 

Forms should be handling all the lookups internally, so the user's network is less important than the actual Forms instance/server they are accessing.

As an example, I can log into both our internal/external instances of Forms with the same credentials, but I can only use automatic Windows Authentication from the inside because the DMZ server isn't on the domain.

 

My first guess is that the data source in Forms is configured with a Domain account for the credentials and that the Police are accessing a public-facing instance of Forms.

When a lookup uses domain credentials, it will work just fine within the network (i.e., when you are accessing Forms from a server that's on the same domain).

However, the lookups could fail from a Forms instance hosted on a server that is not part of the domain (i.e., a server in the DMZ) because it can't authenticate those credentials.

If that is indeed what is happening, the solution would be to configure the data source with SQL Login credentials, instead of a domain account, so the lookups will function even if the host server is not on the domain (because the SQL credentials are not domain-specific).

1 0
replied on October 14, 2022

Thanks for the response Jason. They are accessing the same exact URL as everyone else. Same Forms instance. What's more odd is that it seemed to be working last week as the user was testing. Then went to test this week and the lookups stopped working.

I guess once I get some more info I will have to start a case.  I know Forms handles the lookup but something is clearly being blocked.

As another test, their IT person logged into the Form from his workstation and saw the dropdown.  Then went to a Police machine and logged in and it failed.  Same user, same form, same URL.

0 0
replied on October 14, 2022

I'd start by checking for error messages on (a) the lookup network calls in DevTools from the user side and (b) the Forms server event logs. If you have a SQL login error or anything to that effect, it would likely show up there.

0 0
replied on October 14, 2022

Oh, thought. Do Police machines run their traffic through a forward network proxy that performs security filtering? I've seen a Web Application Firewall (WAF) performing traffic inspection throw false positives for SQL injection attacks on legitimate Forms lookup network calls and block them.

If the Police machines use a proxy, the (likely) easiest way to test the theory is temporarily disabling use of proxy on a test Police machine, opening a fresh session, and then seeing if the lookups go through. You might also be able to tell from looking at the network calls in DevTools - a proxy blocking the calls will either show them failing to return (timeouts) or have an error response returned by the proxy.

The most surefire way to check is having someone with access to the proxy logs check if they show any blocked traffic to your Forms URL.

1 0
replied on October 14, 2022

Thanks Sam, I started a case. Nothing in the logs that points to a lookup error. The datasource and all service related items are using the same account.

I will suggest them checking those items while I am getting the HAR traces.

1 0
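
Added example (not part of any post in this thread, and not the vendor's code): a Python script that reads a HAR capture like the ones mentioned above and reports cross-host redirects, failed calls and any host other than the expected one, which is how the redirect described in the selected answer would show up in a trace. The hostnames, paths and the `analyze_har` helper are constructed for illustration; only standard HAR 1.2 fields are read.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt: hostnames and paths are made up for this example.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://forms.city.example/Forms/form/1"},
     "response": {"status": 302,
                  "redirectURL": "https://forms-ext.city.example/Forms/form/1"}},
    {"request": {"method": "GET", "url": "https://forms-ext.city.example/Forms/form/1"},
     "response": {"status": 200, "redirectURL": ""}},
    {"request": {"method": "POST", "url": "https://forms-ext.city.example/Forms/lookup"},
     "response": {"status": 500, "redirectURL": ""}},
]}})


def analyze_har(har_text, expected_host):
    """Summarise a HAR capture: cross-host redirects, failed calls, unexpected hosts."""
    entries = json.loads(har_text)["log"]["entries"]
    redirects, failed, hosts = [], [], set()
    for entry in entries:
        url = entry["request"]["url"]
        host = urlsplit(url).hostname
        status = entry["response"]["status"]
        hosts.add(host)
        target = entry["response"].get("redirectURL") or ""
        if 300 <= status < 400 and target:
            # A relative redirect has no hostname and stays on the same host.
            target_host = urlsplit(target).hostname or host
            if target_host != host:
                redirects.append((host, target_host))
        # Browsers commonly record status 0 when a request never got a response
        # (blocked, aborted, timed out), e.g. when a proxy drops the call.
        if status == 0 or status >= 400:
            failed.append((entry["request"]["method"], url, status))
    return {
        "cross_host_redirects": redirects,
        "failed": failed,
        "unexpected_hosts": sorted(hosts - {expected_host}),
    }


if __name__ == "__main__":
    report = analyze_har(SAMPLE_HAR, expected_host="forms.city.example")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on a capture from a working machine and one from a failing machine, with the same `expected_host`, makes a difference in the hosts actually contacted visible even when the two URLs look nearly identical.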