
Discussion


Details of DMZ Server Error base information disclosure when type https://domain/forms

posted on May 4, 2024

 

When accessing DMZ forms online, they load correctly. However, when I append "domain/forms" to the URL, the details of the DMZ server are denied display, and it redirects to the LFDSST for login. Is there a method to block and prevent the display of DMZ details? Thank you.

 

0 0
replied on May 6, 2024

From the information you've provided, this appears to be a normal authentication redirect that's generating the return URL based on the Laserfiche Forms Host URL configuration value.

Under Laserfiche Forms Host URL, type the fully qualified domain name of your Laserfiche Forms Server, in the format //ServerName:port/Forms. This is the URL that the Directory Server STS will redirect users to after they successfully authenticate.

I believe there may be an advanced Forms configuration setting to provide a separate "Forms DMZ URL" for those redirects. If this DMZ Forms instance should only have unauthenticated access (only used for Public forms), and there's no reason for anyone to authenticate through the DMZ route, you can modify the DMZ Forms web.config file to redirect all auth requests to a URL of your choice, like an organization homepage such as https://example.com. See attached image. 

That may not entirely remove the generated return URL parameter, but it'll likely keep it from displaying in a browser address bar.

1 0
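Added example, not part of the original thread and not Laserfiche code: a check an administrator could run against the `Location` header returned by the DMZ Forms site, listing any hostname the auth redirect or its generated return URL discloses beyond the public names. The header value, the `returnUrl` parameter name, and all hostnames below are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Matches the start of an absolute ("https://") or scheme-relative ("//") URL.
URL_START = re.compile(r"(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def hosts_in_url(url, depth=3):
    """Collect hostnames from url and from URLs nested in its query values."""
    found = set()
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return found
    if parts.hostname:
        found.add(parts.hostname.lower())
    if depth == 0:
        return found
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        for _ in range(2):      # undo up to two extra layers of percent-encoding
            value = unquote(value)
        match = URL_START.search(value)
        if match:               # the value carries a URL, such as a return URL
            found |= hosts_in_url(value[match.start():], depth - 1)
    return found

def leaked_hosts(location, public_hosts):
    """Hostnames in a redirect target that are not on the public allow-list."""
    allowed = {h.lower() for h in public_hosts}
    return sorted(hosts_in_url(location) - allowed)

# Constructed sample: a redirect whose return URL names an internal server.
SAMPLE_LOCATION = (
    "https://sts.example.com/login"
    "?returnUrl=https%3A%2F%2Fformsint01.corp.example%3A443%2FForms%2F"
)
PUBLIC_HOSTS = {"forms.example.com", "sts.example.com", "example.com"}

if __name__ == "__main__":
    for host in leaked_hosts(SAMPLE_LOCATION, PUBLIC_HOSTS):
        print("disclosed in redirect:", host)
```

An empty result after changing the Forms Host URL or the web.config redirect means the redirect no longer names a host outside the allow-list.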
replied on May 5, 2024

Hi Abhishek,

Do you mean that when you are accessing the DMZ forms, it redirects to the LFDSSTS login page, which exposes the Forms server name?

0 0
replied on May 5, 2024

Hi Zhiyong Deng,

Although it redirects to the login page, as it's offline, the page isn't accessible, yet it still reveals the server's name.

0 0
replied on May 5, 2024

So do you mean that even when you are accessing the DMZ Forms site, which is already offline (here offline means the FormsAppPool is stopped, or the machine is powered off?), it still redirects to LFDSSTS again and exposes your internal Forms server name? If that's the case, could you contact our support team to see if we can give you some help?

1 0