DownloadGet a QuoteConnect with Us

3.1.1.1.a WAF Configuration

When deploying Thinfinity® Workspace behind a WAF (Web Application Firewall), the primary goal is to configure secure ingress traffic over HTTPS and WSS (WebSocket Secure) protocols while preserving the integrity of WebSocket upgrade requests essential for platform operation.

To establish a stable and secure WAF policy:

Deploy Gradually with Learning Mode

  • Start in Learning Mode: Begin in observability-only mode to capture logs, validate handshake flows, and tune false positives without impacting production traffic.

  • Gradual Enforcement: Once stability is confirmed, progressively enable the core rule set for Thinfinity Workspace endpoints.

Configure Transport Layer Security

  • Enforce HTTPS/WSS: Block all insecure HTTP connections.

  • TLS Policy: Support TLS 1.2 and TLS 1.3 only; disable legacy protocols.

  • Certificates: Maintain valid, up-to-date SSL/TLS certificates.

  • End-to-End Encryption: Preserve TLS termination from client → WAF and WAF → Thinfinity Gateway.

Enable WebSocket Protocol Support

  • Upgrade Support: Allow Connection: upgrade and Upgrade: websocket requests for Thinfinity paths (e.g., /thinfinity/*).

  • Protocol Compliance: Ensure HTTP/1.1 upgrade flows are supported.

  • Inspection Policy: Do not perform payload inspection inside encrypted WebSocket tunnels; instead, enforce rate and connection limits.

Configure WAF Rules & Exceptions

  • Handshake Allow list: Permit 101 Switching Protocols responses and related headers.

  • Scoped Bypass: Exempt only the upgrade endpoints from deep inspection—do not apply a global bypass.

  • Rule Set Enforcement: Apply the full WAF rules to all other HTTP(S) traffic.

Optimize Connection Performance

  • Persistent Sessions: Keep WebSocket connections alive for long-running sessions.

  • Timeouts: Configure generous idle/read timeouts (30–60 minutes) and ~300s for long-polling fallbacks.

  • Rate Limiting: Apply per-user/IP session limits and restrict new connection rates to mitigate abuse.

Implement Access Controls

  • Origin Validation: Validate the Origin header to ensure requests originate from trusted Thinfinity Workspace homepage.

  • Authentication Flows: Exclude identity endpoints (e.g., /saml/*, /oauth2/*) from bot/CAPTCHA challenges to avoid breaking IdP integrations.

Establish Monitoring and Logging

  • Handshake Logging: Record upgrade attempts, successes (101 Switching Protocols), and failures.

  • Metrics Tracking: Monitor session counts, duration, handshake success, and error types.

  • Error Classification: Maintain clear categories for TLS errors, WAF blocks, timeouts, and upstream resets.

Verify Protocol Compatibility

  • TLS 1.3 Readiness: Confirm the WAF supports WebSockets over TLS 1.3; allow TLS 1.2 fallback only if required.

  • HTTP Versions: Pin WebSocket routes to HTTP/1.1 unless full HTTP/2 upgrade support is validated.

Maintain Through Ongoing Operations

  • Canary Testing: Apply new rules to a limited subset of users before global rollout.

  • Rollback Plan: Keep a rapid fallback mechanism to a last-known-good configuration.

Summary

Deploy a WAF upstream of the Thinfinity Gateway to facilitate WSS upgrade requests while minimizing inspection interference during active tunnel sessions. Start in Learning Mode to establish baseline parameters, then enforce TLS protocols, validate handshake integrity, and implement rate limiting policies.

During active sessions, bypass in-depth inspection of encrypted WebSocket frames to maintain system stability and optimize performance.

Previous3.1.1.1 Edge Layer — Perimeter Security and Load BalancingNext3.1.1.1.b Firewall

Last updated

Was this helpful?