
WAF and Websockets


So, I have set up a gateway vserver for integration with citrix MDM (XenMobile) and it is being protected by WAF policies.

Mobile device users utilize SecureHub to access internal and external websites. There's a website failing because it uses websockets.


I know that I can enable Websockets on an HTTP profile and bind it to the gateway vserver, however I am worried about the security implications of doing so due to the note in the GUI saying: "If enabled, once a connection is upgraded to wss, Citrix ADC does not process layer 7 traffic on that connection". So my concern is: does that mean that WAF policies won't be enforced? Will all the traffic bypass the waf?

Is there any WAF feature designed specifically for websockets security?



I don't know your application. Usually, there is nothing like 5 packets HTTP, 3 packets WebSockets, 3 packets HTTP, 10 packets WebSockets, ... Instead, applications work with HTTP but, at a certain point, switch to WebSockets.


No matter how your application works: if you allow WebSockets, it will check all HTTP traffic, but let WebSocket traffic pass through without inspecting, as it's not HTTP. No WAF, no matter which vendor, will inspect WebSockets, simply because it's not HTTP and does not follow HTTP standards. It's binary data. The only thing a WAF can do is check if it is websockets, as a client has to request WebSockets by using certain headers:

Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: asdgsdfgsfdfdhdfghj==
Origin: https://abc.de
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: ..


The server will reply with something like that:

HTTP/2.0 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: HzslP6dgtkur+xOo=
Sec-WebSocket-Protocol: superchat


You see, the client has to request, the server has to agree. It's WebSocket if these 2 packets are seen. That's what the WAF will check for. If they are missing (because it's a tampered stream), the WAF will drop packets. I would not consider this to be a big risk. Plus, if subsequent packets contain HTML, they will be treated as HTML.




Johannes Norz
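A worked check of the two-packet handshake described in the answer above, as an added example that is not part of the original post or of any Citrix code: it validates the client's Upgrade request and the server's 101 reply against RFC 6455, where Sec-WebSocket-Accept must equal base64(SHA-1(key + fixed GUID)); that consistency is what a WAF or proxy can verify before it stops L7 inspection on the connection. The request and response below are constructed samples; the key/accept pair is the worked example given in RFC 6455.

```python
import base64
import hashlib

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept from the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def parse_head(raw: str) -> tuple[str, dict]:
    """Split an HTTP message head into its start line and a lower-cased header map."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), as RFC 6455 defines it."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def client_upgrade_ok(h: dict) -> bool:
    """The request must ask for the upgrade and carry a base64 key of exactly 16 bytes."""
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return False
    try:
        return len(base64.b64decode(h.get("sec-websocket-key", ""), validate=True)) == 16
    except ValueError:  # binascii.Error is a subclass: malformed or badly padded key
        return False

def handshake_ok(request: str, response: str) -> bool:
    """True only when the client asked, the server answered 101, and accept matches the key."""
    _, req = parse_head(request)
    status, resp = parse_head(response)
    if not client_upgrade_ok(req):
        return False
    parts = status.split()
    if len(parts) < 2 or parts[1] != "101" or resp.get("upgrade", "").lower() != "websocket":
        return False
    return resp.get("sec-websocket-accept") == expected_accept(req["sec-websocket-key"])

# Constructed sample exchange; key and accept value are the worked pair from RFC 6455.
CLIENT_REQ = """GET /chat HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com"""
SERVER_RESP = """HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo="""
```

A reply whose accept value does not match the key, or that answers anything other than 101, fails the check and should stay on the HTTP path where the WAF keeps inspecting it.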






The use case is: users have mobile devices controlled by XenMobile and the connections are established via a Citrix Gateway vserver. From these devices, using SecureHub, they access several websites, some internal and some external, but only one of those websites uses websockets. So from the gateway's point of view, a single user connection may tunnel http and wss requests at the same time.
