Secure Remote Access Portal – Web Application Firewall (WAF) Allow Policy Guidance

Recently, I received an inquiry regarding the types of traffic that must be permitted through a Web Application Firewall (WAF) to ensure proper functioning of Privilege Secure’s Secure Remote Access Portal. If this pertains to your implementation of Secure Remote Access, please refer to the team’s guidance provided below.

Overview

The Secure Remote Access Portal uses fixed API endpoints, dynamically generated front-end asset URLs, and WebSocket Secure (wss://) connections for real-time features. The following WAF rules are required to ensure secure and reliable operation.


API and Authentication Endpoints

Allow the corresponding HTTP methods for these specific routes:

Route Pattern          Allowed HTTP Methods
---------------------  ----------------------
/api/v1/*              GET, POST, PUT, DELETE
/signinBody            POST
/signin2fa             POST
/middlewareHub         GET, POST
/images/*              GET
/oidcSignin/*          GET, PUT
/samlSignin*           GET, POST
/samlSigninCallback    POST

(In the patterns above, * is a wildcard that matches the remainder of the path.)

Portal Front-End Static Asset Routes

The portal’s front-end serves static files from the web root (/). Filenames are minified and versioned per release.

  • Allow all GET requests to file paths under / with typical static file extensions.
    Examples:
    • /main.abc123.js
    • /vendor.456def.chunk.js
    • /logo.789ghi.png
    • /styles.1a2b3c.css
    • /assets/fonts/fa-solid-900.woff2
    • /index.html
  • Do not restrict GET requests by specific filenames, as asset names change each version.

WebSocket Secure (WSS) Endpoints

Certain endpoints use WebSocket connections (wss://) for real-time communication and updates.

  • Allow HTTP GET requests that carry the Upgrade: websocket and Connection: Upgrade headers (header names and values are case-insensitive, and Connection may carry several comma-separated tokens) on the following endpoints:
    • /middlewareHub
  • Headers the WAF must pass through unmodified:
    • Upgrade
    • Connection
    • Sec-WebSocket-Key, Sec-WebSocket-Version
    • Sec-WebSocket-Protocol (present when the client requests a subprotocol)
  • Ensure the WAF does not block, disrupt, or filter upgraded WebSocket traffic on these endpoints. After the 101 Switching Protocols response, the connection is no longer HTTP request/response traffic, so ordinary HTTP inspection rules must not be applied to it.

General Policy Statement

The WAF must allow:

  • The specified HTTP methods for all fixed API and authentication endpoints listed above.
  • Unrestricted GET access to asset files under the web root (/), including files with extensions such as .js, .css, .png, .jpg, .svg, .woff2, .ttf, and /index.html.
  • WebSocket (WSS) upgrade requests on designated endpoints (such as /middlewareHub), preserving all necessary WebSocket headers and bidirectional traffic.

POST, PUT, and DELETE must be permitted only on the documented API and authentication endpoints listed above; static asset paths are GET-only.


Example WAF Rule Patterns

  • Allow GET requests (including WebSocket Upgrades) on /middlewareHub.
  • Allow GET for all asset file types under / (such as /*.js, /*.css, /*.png, etc.).
  • Allow only required HTTP methods for API endpoints as enumerated.
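To make the three rule groups above concrete, here is an added example (not Netwrix code and not part of the original post) that expresses the allow policy as a small Python evaluator: the route/method table, the extension-based static asset rule, and the WebSocket handshake check, run against constructed sample requests. The route patterns, methods and extensions are taken from the sections above; the percent-decoding, query-string stripping, rejection of `..` segments, and the union of methods where two patterns overlap (for example `/samlSignin*` and `/samlSigninCallback`) are my assumptions about how a WAF would normally apply such a list.

```python
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit

# Fixed API and authentication routes from the guidance; "*" is a wildcard.
API_ROUTES: Dict[str, Set[str]] = {
    "/api/v1/*": {"GET", "POST", "PUT", "DELETE"},
    "/signinBody": {"POST"},
    "/signin2fa": {"POST"},
    "/middlewareHub": {"GET", "POST"},
    "/images/*": {"GET"},
    "/oidcSignin/*": {"GET", "PUT"},
    "/samlSignin*": {"GET", "POST"},
    "/samlSigninCallback": {"POST"},
}

# Static asset extensions named in the General Policy Statement (GET only).
STATIC_EXTENSIONS = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ttf", ".html")

# Endpoints on which a WebSocket upgrade is permitted.
WEBSOCKET_ROUTES = {"/middlewareHub"}


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape the pattern, then turn the escaped wildcard back into ".*".
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


API_RULES = [(_pattern_to_regex(p), m) for p, m in API_ROUTES.items()]


def normalize_path(target: str) -> Optional[str]:
    """Path component of a request target, percent-decoded, with the query
    string removed. Returns None for non-absolute paths or any '..' segment
    (assumed hardening; the guidance does not discuss traversal)."""
    path = unquote(urlsplit(target).path)
    if not path.startswith("/") or ".." in path.split("/"):
        return None
    return path


def is_websocket_upgrade(headers: Dict[str, str]) -> bool:
    """True if the request carries an RFC 6455 client handshake: Upgrade: websocket,
    'upgrade' among the Connection tokens, and the key/version headers present.
    Header names and values are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    upgrade = h.get("upgrade", "").strip().lower() == "websocket"
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return upgrade and "upgrade" in tokens and "sec-websocket-key" in h and "sec-websocket-version" in h


def evaluate(method: str, target: str, headers: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request under the allow policy."""
    headers = headers or {}
    method = method.upper()
    path = normalize_path(target)
    if path is None:
        return False, "invalid or traversal path"

    # 1. WebSocket handshakes: GET on a designated endpoint only.
    if is_websocket_upgrade(headers):
        if method == "GET" and path in WEBSOCKET_ROUTES:
            return True, f"websocket upgrade on {path}"
        return False, "websocket upgrade not permitted here"

    # 2. Fixed API/authentication routes. Overlapping patterns are unioned
    #    (assumption: an allow-list permits a request if any matching rule does).
    matched = [(regex.pattern, methods) for regex, methods in API_RULES if regex.match(path)]
    if matched:
        allowed = set().union(*(m for _, m in matched))
        if method in allowed:
            return True, "api route " + ", ".join(p for p, _ in matched)
        return False, f"method {method} not allowed on {path}"

    # 3. Front-end assets under the web root: GET only, matched by extension,
    #    never by filename, because asset names change each release.
    if method == "GET" and path.lower().endswith(STATIC_EXTENSIONS):
        return True, "static asset"

    # 4. Default deny, so POST/PUT/DELETE never reach undocumented routes.
    return False, "no matching allow rule"


# Constructed sample traffic (not captured from a real portal).
WS_HEADERS = {
    "Upgrade": "websocket",
    "Connection": "keep-alive, Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}
SAMPLE_REQUESTS = [
    ("GET", "/main.abc123.js?v=2", {}),            # versioned asset, query stripped
    ("POST", "/main.abc123.js", {}),               # assets are GET-only
    ("DELETE", "/api/v1/sessions/42", {}),         # documented API method
    ("DELETE", "/index.html", {}),                 # no DELETE outside the API
    ("GET", "/assets/%2e%2e/signinBody", {}),      # encoded traversal, denied
    ("GET", "/middlewareHub", WS_HEADERS),         # handshake on designated endpoint
    ("GET", "/api/v1/stream", WS_HEADERS),         # handshake elsewhere, denied
]


def run_samples():
    """Evaluate the constructed requests; returns [(method, target, allowed), ...]."""
    return [(m, t, evaluate(m, t, h)[0]) for m, t, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for m, t, h in SAMPLE_REQUESTS:
        print(f"{m:6} {t:32} -> {evaluate(m, t, h)}")
```

Note that the bare root path `/` is not listed in the guidance (only `/index.html` is), so the evaluator denies it; confirm against your own deployment before copying that behaviour into a WAF rule.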

- Dan Piazza (Product Owner - Netwrix Privilege Secure)
