Results 1 to 6 of 6
  1. #1
    Untangler
    Join Date
    Aug 2008
    Posts
    30

    Default WAN Balancer weirdness with Webroot SecureAnywhere

    I've been troubleshooting some weirdness with a Webroot SecureAnywhere deployment at a client. There are a few different symptoms, but the primary one is that Mac installs fail 90+ percent of the time. I also get logged out of the web console continually.

    I watched the sessions in UT for a Mac I was trying to install Webroot on, and noticed that several connections are made to various servers, and with load balancing on, these are spread across our two internet connections, thus originating from two IP addresses. When I force the client to only use one connection, things seem to work fine. This has been highly repeatable.

    Webroot support says "Currently, our security check requires the cookie, IP, and user agent to not change throughout the entire session to avoid session hijacking."

    So, my question is, is there any way for me to ensure that all traffic for Webroot goes out the same interface? They use multiple URLs and servers, including some Amazon AWS to host the service. They've given me a list. I was thinking of trying to use the new Triggers/Tagging feature. Unfortunately Webroot isn't one of the apps represented in the built-in list in Application Control, so I can't use that particular class for the trigger. In addition, I see that I can tag users, devices, and hosts, but not sessions. That might be handy in this case, to be able to group the sessions together as tagged as "webroot".

    I'm just spit-balling here. Does anybody know how I could accomplish this without simply forcing all of my clients out a single internet connection? I'd even be okay with the concept of ensuring that all of the traffic for a given client went out a single connection, i.e. load balancing done across clients, rather than sessions.

    Thoughts?

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,668

    Default

    Quote Originally Posted by jcharters View Post
    Webroot support says "Currently, our security check requires the cookie, IP, and user agent to not change throughout the entire session to avoid session hijacking."
    Yes, this means they don't support any multi-WAN deployments. Not a rare issues with service providers tbh.

    Yes, I would add a rule to force that client's traffic to a single WAN in WAN Balancer rules.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Aug 2008
    Posts
    30

    Default

    Thanks for the reply. All of the clients at this customer have Webroot installed... so if I am to use WAN balancing at all, I'll have to come up with a way to do this programatically. Can you think of any way that I can balance the traffic on a per-client basis, rather than per session?

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,668

    Default

    Manually with wan balancer rules is the only way I can think to accomplish that.
    You could also use rules that only govern the webroot traffic if they can provide the IP & port information. You may be able to figure it out manually by just doing DNS queries or looking at traffic.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangler
    Join Date
    Aug 2008
    Posts
    30

    Default

    Okay... that's what I was afraid of. Thanks for the reply though.

    BTW, maybe the option to balance at a client level, instead of session level, might be a useful option with more people using multiple WAN connections, and certainly more using service providers. Just my $0.02, for all it's worth...

    Cheers!

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,668

    Default

    It already does it at the client level. Any connection between A.B.C.D and E.F.G.H will use the same WAN.
    The issue is when their system uses A.B.C.D as the primary key and is communicated between multiple servers on their end assuming its a unique/primary key. It is not. Additionally claiming it is done for security is silly, its just an implementation flaw.

    (Make sure you are on the latest kernel in config > about if you aren't already)
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2