Static IP addresses for hosted site

  • Question
  • Updated 3 years ago
  • Answered
It would be nice if Replicon used a static list of IP addresses for the hosting site. This would aid admins in creating packet-filter firewall rules instead of proxy rules, which would help increase site speed and eliminate issues that firewall proxies sometimes create.

Network Administrator


Posted 3 years ago


Lingaraj Dharwad, Product Champion

Hi,

Thank you for using Replicon Community,

We are looking into this idea.

Regards,

Lingaraj

Kashyap Gogoi, Tier 3 Cloud Operations Manager

Hi,

Thank you for the feedback on the use of static IPs.

Replicon has customers spread all over the world. We also cater to some companies who have branch offices or field employees in various geographic locations. To ensure that all our users receive the same speed while accessing the application, we use the services of a company named Akamai for web acceleration. By using Akamai we are able to deliver a local-server-like experience to all users. To facilitate this service, Akamai uses a wide range of servers located in every country of the world, and hence the range of IP addresses through which we serve the content is also from various subnets. For this reason we cannot provide a static IP address or a range of static IP addresses.

Having said that, we can suggest solutions via which you can white-list the Replicon traffic on your firewall/proxy server. Please let us know the make and model of the firewall/proxy you use in your organization so that I can suggest possible workarounds. If you are not comfortable sharing this information on this forum, we suggest that you email this information to support@replicon.com.

If you are using a Cisco ASA, you can refer to this link for tips from Cisco on handling data routed via Akamai - https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-...

Regards,

Kashyap Gogoi
Subject Matter Expert - Replicon Support

Network Administrator


Thanks. I actually knew that before I asked. Can you elaborate on the info below, provided in your Cisco help doc?


Multiple hostnames resolve to the same IP address

If two hostnames resolve to the same IP address, the ASA cannot distinguish between the two, since it is essentially blocking or permitting the traffic based on the destination IP address in the packet. Many popular webpages have moved away from hosting their own content to using content delivery networks like Akamai, Amazon CWS. This means that some FQDNs may resolve to IP addresses used by these content hosting providers, and they may host multiple sites' worth of content on the same IP. This is also seen with web hosting companies like GoDaddy, Network Solutions, etc. These providers may use one single IP to host hundreds of websites. The content served to your web browser is determined based on the URL accessed (and the Host: field in the HTTP request). Let's take a simple example of 'URL Filtering' and see how it can go awry. Here is the simplified config:

object network obj-superbadwebsite.com
   fqdn superbadwebsite.com
!
access-list inside_in deny ip any object obj-superbadwebsite.com
access-list inside_in permit ip any any

 

Now let's say that superbadwebsite.com is hosted by HostingCo, which also hosts benign websites like catsinsinks.com (benign, albeit a time waster). HostingCo uses web servers at 64.102.67.9 and 64.102.67.10, so now our ACL looks like:

access-list inside_in line 1 deny ip any object obj-superbadwebsite.com
  access-list inside_in line 1 deny ip any fqdn superbadwebsite.com (resolved)
  access-list inside_in line 1 deny ip any host 64.102.67.10 (superbadwebsite.com)(hitcnt=5)
  access-list inside_in line 1 deny ip any host 64.102.67.9 (superbadwebsite.com)(hitcnt=120)
access-list inside_in line 2 permit ip any any (hitcnt=4423)


If someone in your network wants to browse the site http://catsinsinks.com, they will not be able to. This is because catsinsinks.com will resolve to either of the IPs that HostingCo uses, both of which are blocked because they were the A records returned when we resolved superbadwebsite.com. This issue can be summed up in the following way:
FQDN functionality in ACLs is not a replacement for HTTP Filtering. It cannot distinguish what content is being sent.

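To make the collision the quoted Cisco text describes concrete, here is an added Python model (not from this thread or from Cisco) that expands an FQDN rule into the per-host rules the ASA actually matches on, using the names and addresses from the quoted example; the DNS table, the `unrelated.example` host and the first-match evaluation are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed DNS view: both sites resolve to HostingCo's two web servers,
# exactly the situation the quoted Cisco text describes.
DNS = {
    "superbadwebsite.com": {"64.102.67.9", "64.102.67.10"},
    "catsinsinks.com": {"64.102.67.9", "64.102.67.10"},
    "unrelated.example": {"198.51.100.7"},  # its own IP, no overlap (assumed)
}

@dataclass(frozen=True)
class Rule:
    action: str                # "deny" or "permit"
    dst_fqdn: Optional[str]    # None means "any"

def expand_acl(acl, dns):
    """Expand FQDN rules into the per-host rules the ASA really evaluates."""
    expanded = []
    for rule in acl:
        if rule.dst_fqdn is None:
            expanded.append((rule.action, None))
        else:
            for ip in sorted(dns.get(rule.dst_fqdn, ())):
                expanded.append((rule.action, ip))
    return expanded

def evaluate(expanded, dst_ip):
    """First match wins, as in an ASA access-list; implicit deny at the end."""
    for action, ip in expanded:
        if ip is None or ip == dst_ip:
            return action
    return "deny"

def collisions(acl, dns):
    """Other hostnames an FQDN rule will also hit because they share IPs."""
    out = {}
    for rule in acl:
        if rule.dst_fqdn is None:
            continue
        ips = dns.get(rule.dst_fqdn, set())
        shared = {h for h, a in dns.items() if h != rule.dst_fqdn and a & ips}
        if shared:
            out[rule.dst_fqdn] = sorted(shared)
    return out

ACL = [Rule("deny", "superbadwebsite.com"), Rule("permit", None)]

def browse(host, acl=ACL, dns=DNS):
    """Outcome for a user whose resolver returns the lowest IP for `host`."""
    return evaluate(expand_acl(acl, dns), sorted(dns[host])[0])
```

Running `collisions(ACL, DNS)` before deploying such a rule reports the benign host that the deny would silently take down.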

Kashyap Gogoi, Tier 3 Cloud Operations Manager

Hi,

Thank you for your question. I would suggest that you contact the Cisco forum for a detailed description of the steps mentioned to configure FQDN-based ACLs. In a nutshell, if you are using the services of a web accelerator (like Akamai), the same FQDN will be hosted from multiple IP addresses, and to ensure that you have an effective way of identifying the traffic of interest on an ASA, you can run the FQDN-based ACL configuration and then decide whether you want to allow/block/inspect such traffic. Again, since this configuration will change from device to device and from version to version of the operating system, we strongly recommend that you contact your security appliance vendor for more suggestions. If during your conversation with your vendor you need any Replicon-specific information, please contact us at: support@replicon.com.

Recently we have made some changes to our infrastructure, after which you will be able to bypass Akamai and connect to our data center's public IP directly. This will mean that users will not be able to benefit from the high content delivery speeds we provide via Akamai's network, but the network administrator can now easily identify the traffic of interest. If you decide not to benefit from our content delivery partner's services, then please follow one of the steps below to connect directly to our data center:

1. On your internal DNS server create 2 entries:
2. If you don't have a DNS server, then you can put these entries in the HOSTS file on all users' computers.

Once this is done you can create an IP address-based ACL without bothering much about the FQDN.

Regards,

Kashyap Gogoi
Subject Matter Expert - Replicon Support

Network Administrator

Thanks for the info. I just tried your above configuration, and it did not work properly. We are using SAML authentication; maybe something else is needed on your end? The page in IE would partially load, but was in no way usable. I verified all settings and DNS resolving and had only packet filtering running on our WatchGuard firewall config. Any ideas?

Kashyap Gogoi, Tier 3 Cloud Operations Manager

Hi,

I just tested the same configuration on my server with IE 9 and it works fine. The page loads fine and all the tabs/sections are working as well. Could you please contact our Support Team so that we can take a look into the issue you have reported?

Regards,

Kashyap Gogoi
Subject Matter Expert - Replicon Support