Redirect loop when using defender for cloud apps application control (reverse proxy)

Moderator: crythias

KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

I'm trying to use Microsoft Defender for Cloud Apps Conditional Access App Control (MDCA CAAC) CASB solution (also called MCAS session control).

I'm already using Mellon auth for Azure AD authentication on the Apache server which works fine.

CAAC is supposed to work seamlessly with most web interfaces, and was for a good while, but now some pages work and others go in an endless redirect loop. It keeps redirecting to:
index.pl?Action=PreLogin&RequestedURL=<the unproxied version of the URL requested>

Is there any way to prevent Znuny from enforcing these redirects?
root
Administrator
Posts: 3968
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by root »

Hi,

No, there is no setting to prevent this. The client accesses a URL that requires a login. If no session can be detected, the authentication is triggered and the initially requested URL is "stored" in the URL param.

It is unclear to me if Znuny is used by two different FQDNs. This might become a problem. Make sure that only one FQDN is used and this is properly set in the system configuration (together with HttpType).

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

Thanks Roy,

So from what I understand Znuny can never work with a CASB reverse proxy in front of it, as I understand all CASB session control reverse proxies use one generated FQDN for external traffic from the browser to the proxy and the original service FQDN for "internal" traffic from the proxy to the web server.

Should I give up on session control of Znuny?
root
Administrator
Posts: 3968
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by root »

Hi,

I do not know the exact details of how a CASB reverse proxy works, and I don't need to. And before you ask: I will only read it if a customer requests this. From over 20 years, I can tell you it was always misconfiguration on the reverse proxy when it did not work.
In your situation I would also ask if the loop might be introduced by mod_auth_mellon. Enable LogLevel debug on the web server and use a SAML tracer to check this.

- Roy
KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

Roy,

Thanks a million for helping look into this.

I think I've found a key piece of evidence when going through the CASB solution:
Znuny-javascript-and-Browser-error.png
Those 302 redirects obviously don't show when loading directly.

So I fired up mod_forensic and looked at the request parameters for each, thinking these may be how Znuny determines browser capabilities, but didn't find anything:

Direct:

Accept-Encoding:gzip, deflate, br
Accept-Language:en-GB,en;q=0.5
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection:keep-alive
Cookie:OTRSAgentInterface=HpN2TLxxxxxxxxxxxxxxxxxxk2ZCPPn; mellon-cookie=777d5xxxxxxxxxxxxxxxx45c586d2d4
DNT:1
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
Referer:https%3a//xxxxxx.yyyyyy.com/znuny/index.pl?
Sec-Fetch-Dest:document
Sec-Fetch-Mode:navigate
Sec-Fetch-Site:same-origin
Sec-Fetch-User:?1
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv%3a109.0) Gecko/20100101 Firefox/115.0

via CASB:

accept-encoding:gzip, br
accept-language:en-GB,en;q=0.5
accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
cookie:OTRSAgentInterface=5fSd5FGuxxxxxxxxxxxxxxxxxxxxxOXHEtU; mellon-cookie=e32dxxxxxxxxxxxxxxxxxxxxxa6092cc
dnt:1
Forwarded:for=55.55.55.55;proto=https;by=MS-CAAC
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
sec-fetch-dest:document
sec-fetch-mode:navigate
sec-fetch-site:none
sec-fetch-user:?1
upgrade-insecure-requests:1
user-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv%3a109.0) Gecko/20100101 Firefox/115.0
x-mcas-forwarded:true

So I think it may be some JavaScript itself in the itself. Can I ask what criteria would trigger this message to be displayed? Looking through Kernel/Output/HTML/Templates/Standard/Login.tt and other code it looks like this only shows up if Core.App.BrowserCheck('Agent'); returns false.

Any thoughts on this would be greatly appreciated. As this is happening even after authentication it's leading me away from auth_mellon being the root cause. I'd love to get this working for me and others.
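Added example, not part of the original post: a small script that diffs two header captures in the "Name:value" layout shown above, so the headers the proxy adds, drops or rewrites stand out. The sample input is excerpted from the two dumps in the post, with cookie values replaced by constructed placeholders; the function names are hypothetical.

```python
# Added example: compare two header dumps in the "Name:value" layout from the post.
# Excerpted from the dumps above; cookie values are constructed placeholders.
from urllib.parse import unquote

DIRECT = """\
Accept-Encoding:gzip, deflate, br
Cookie:OTRSAgentInterface=AAAA; mellon-cookie=BBBB
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
Referer:https%3a//xxxxxx.yyyyyy.com/znuny/index.pl?
Sec-Fetch-Site:same-origin
"""
VIA_CASB = """\
accept-encoding:gzip, br
cookie:OTRSAgentInterface=CCCC; mellon-cookie=DDDD
Forwarded:for=55.55.55.55;proto=https;by=MS-CAAC
GET /znuny/index.pl?Action=AgentTicketZoom;TicketID=90 HTTP/1.1
Host:xxxxxx.yyyyyy.com
sec-fetch-site:none
x-mcas-forwarded:true
"""
METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")

def parse(dump):
    """Return (request_line, {lower-cased header name: normalised value})."""
    request, headers = None, {}
    for line in dump.strip().splitlines():
        if line.split(" ", 1)[0] in METHODS:
            request = line
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), unquote(value.strip())  # %3a -> ":"
        if name == "cookie":  # compare cookie names only; values differ per session
            value = ",".join(sorted(c.split("=", 1)[0].strip() for c in value.split(";")))
        headers[name] = value
    return request, headers

def diff_dumps(direct, proxied):
    """Summarise what differs between the direct and the proxied request."""
    (req_a, a), (req_b, b) = parse(direct), parse(proxied)
    return {
        "same_request": req_a == req_b,
        "dropped": sorted(a.keys() - b.keys()),
        "added": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
    }

if __name__ == "__main__":
    import pprint
    pprint.pprint(diff_dumps(DIRECT, VIA_CASB))
```

Header names are compared case-insensitively because the proxied capture arrives with lower-cased names; on this excerpt the cookie names are identical on both paths.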
KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

Actually I just realised that it's likely that auth_mellon isn't passing the username to Znuny correctly and that's why it's redirecting to the authentication page repeatedly. I'll look into this now and try to debug.
KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

Okay I've confirmed that the correct username is being passed for all requests in the Remote User variable (LogFormat %u), so this isn't the issue.
root
Administrator
Posts: 3968
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by root »

Hi,

A problem could also be the cookie domain. If the cookie domain differs from the one in the URL the browser might not set/return the correct cookie value.

- Roy
KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

The proxy modifies all URLs and cookies in real time before sending them to the web server, so this shouldn't be an issue.

If you're interested: https://learn.microsoft.com/en-us/defen ... trol-works
KevP
Znuny newbie
Posts: 20
Joined: 09 May 2023, 16:52
Znuny Version: 7.0
Real Name: Kevin Pattison

Re: Redirect loop when using defender for cloud apps application control (reverse proxy)

Post by KevP »

Going to learn how to debug Znuny and dive in...