Zapp and portt 8080 bypass


(Keith) #1

I have a customer who is attempting to bypass port 8080 traffic for a specific site by the zapp pac file. The policy defined in the admin portal says that only traffic cannot be allowed to be tunnels on non standard ports. They obviously seem to conflict with each other. So, should it be possible to bypass port 8080 in the pac since it would seem that happens before zapp does anything?


(David Creedy) #2

If it was tunnel with local proxy mode and you specified this in the forward profile PAC to go direct, I don’t see why this wouldn’t work. The traffic would be directed away from Z App before it can process it.

You could test this in a lab easily if you have a site that is open on 80 and 443, you can send one bypassed and one not, this should prove the concept.


(Keith) #3

It is TWLP, sorry I left that out. I think the conflict with your idea is that both of those are “standard ports” I need to spin up an Apache server or something to have a listener on 8080. I think that non standard bit is the issue. I tested the syntax of the pac file, and the bypass to 8080 does match to go direct, but still fails.


(Rajeshkumar Chemalli) #4

David’s logic did work at one of my customer’s environment. Could you please share the function you used in the PAC file to see if any is missing?

Also did u try adding the host name/Fqdn under the VPN bypass in the app profile?

-RaJeshkumar Chemalli
7506045810
(Please excuse typos)


(Nael Hussein (OBS)) #5

Try performing the test using this url: http://portquiz.net
PortQuiz listens to mainly all ports.

I am excited to see the results of your test, keep us posted.

Nael
OBS


(Thomas Quinlan) #6

You can use PortQuiz as @Nael mentioned, or you can use netcat to listen on a particular port.

“netcat -l 8080” (lowercase “L” there) will open a TCP listening port on 8080.


(Keith) #7

Update. So funny… I literally stumbled onto portquiz and used that to test with since I needed an outside IP. I did recreate this in my lab and passed the results on proving it works. I showed him netstat connections active to proxy and direct. So, I think he might be sending his data down a GRE tunnel he is not aware of.

I used this one exactly
/* Allow port 8080 /
if ( shExpMatch(url, "
:8080/*") ) { return “DIRECT”; }
return “PROXY proxy:port”;

image
Thank you all for responding.


(Keith) #8

Additionally, I found this in my ZAPP logs that further confirmed it
2018-01-10 18:33:44.942628 #NORMAL #DEBUG : ID=751204500, Connecting direct to 178.33.250.62:8080