MFA server behind WAF

What is the name of the domain?

montecon.com.uy

What is the issue you’re encountering

We have an MFA server behind the Cloudflare WAF, and when our users request the token from our local MFA, if the MFA server is behind the Cloudflare WAF, the MFA doesn't work, but if the MFA server is connected directly to the internet, then the MFA works.


It sounds like you’re not restoring original visitor IPs on your server.

The MFA server may be strict on the IP address that it sees, and since the traffic goes through Cloudflare, then it will only see the Cloudflare IP address, and therefore the MFA server may not be accepting the situation at hand, as being valid.

So start by setting up the restoring of original visitor IPs on your server.

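One way to implement the visitor-IP restoration this reply describes, in application code rather than a web-server directive (an added example, not code from the thread, from Cloudflare or from Fortinet; the 198.51.100.0/24 range is a constructed stand-in for Cloudflare's published edge ranges, and the allowlist is constructed):

```python
"""Restore the original visitor IP behind Cloudflare.

The CF-Connecting-IP header is only trusted when the TCP peer is a
Cloudflare edge address; otherwise a client could forge it and bypass
any IP-based check the MFA server performs.
"""
import ipaddress
from typing import Iterable, Mapping

# Constructed sample range standing in for Cloudflare's edge addresses.
# In production, load the list Cloudflare publishes at
# https://www.cloudflare.com/ips/ and refresh it periodically.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed allowlist of client networks the MFA server accepts.
MFA_ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_proxy(peer_ip: str, ranges: Iterable = TRUSTED_PROXY_RANGES) -> bool:
    """True if the direct TCP peer is one of our trusted reverse proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def restore_visitor_ip(peer_ip: str, headers: Mapping[str, str],
                       ranges: Iterable = TRUSTED_PROXY_RANGES) -> str:
    """Return the address the MFA server should treat as the client."""
    if not is_trusted_proxy(peer_ip, ranges):
        # Direct connection or untrusted proxy: the header may be forged.
        return peer_ip
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    cf_ip = lowered.get("cf-connecting-ip")
    if cf_ip is None:
        return peer_ip
    try:
        return str(ipaddress.ip_address(cf_ip.strip()))
    except ValueError:
        # Malformed header value: fall back to the peer rather than guessing.
        return peer_ip


def mfa_request_allowed(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Allowlist check as the MFA server would perform it, after restoration."""
    client = ipaddress.ip_address(restore_visitor_ip(peer_ip, headers))
    return any(client in net for net in MFA_ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Cloudflare edge forwarding a request from an allowed client.
    print(mfa_request_allowed("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}))
```

Without restoration the MFA server only ever sees 198.51.100.x addresses, which is the symptom the original post describes; with it, a forged header from a non-Cloudflare peer is still ignored.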

Hello.

I’ve had an open case for almost 3 months (case #01380882 and #01452463). Cloudflare requested this information:

> You’re experiencing issues with your token server for MFA purposes when it’s behind the Cloudflare proxy. The token system’s TAC team has indicated that Cloudflare is modifying the API key used for exchanging tokens, which is causing the system to stop working. You’ve already submitted a previous request for this issue, which was ticket #01380882.
>
> Can you confirm that this summary is correct?
>
> Can you please provide more information about the API key that the token system is using, such as its format and how it’s being passed in the requests? Additionally, have you checked the Cloudflare logs to see if there are any errors or modifications being made to the API key?!

But Fortinet says they can’t give me that information. I need to know if it’s possible to create some kind of rule or exception in Cloudflare to specifically bypass connections to the MFA server. Is that possible? Can someone at Cloudflare help us continue with this case?

Have you confirmed that you are

You ask if it is

Have you tried it set to DNS Only (grey cloud)?


Hello.
What we need is to keep our MFA server behind the Cloudflare WAF (proxied mode), and create some kind of rule to bypass or not touch just the token exchange transaction.

But you’re still not answering my question, that @epic.network repeated above.

The Cloudflare Proxy is simply passing on the request(s) it is receiving, as a reverse proxy, to your origin.

If your MFA vendor believes the transaction is being altered in flight, please get them to provide meaningful information that specifies what exactly (they believe) is being altered.
