That's how I've felt dealing with a few applications this last week.
We had an issue sent to us recently asking about a stock trading app a department in our company uses. Apparently it was hanging when the user tried to log in. When I asked if the app was proxy aware, tech support said it was and they'd configured it properly. It worked until recently. And sure enough, there was traffic over the proxy.
Our proxy is not inline, so the next logical place to check is firewall to see if we're handling traffic to this site odd anywhere else. Sure enough, there was a firewall rule to allow traffic directly out the firewall to a range of IP's this trading company owns. As with most applications, the company's documentation claims it requires port 4000 open to all IPs. Obviously that is a much broader rule than could be necessary. Like most places, we prefer to keep our firewall rules as narrow as possible.
So I got an IP dump from the user and did some searching. Turns out there was traffic going to a new address over port 4000 we hadn't seen this app access before. Apparently the vendor added an update server and because they tell you to open port 4000 to the entire internet, they never imagined there would be an issue.
The application is proxy aware for it's main operation (stock trading) but when it checks it's auto update server, it is not proxy aware. It has short term memory loss when it comes to proxy awareness.
Two complains here:
- It should never be necessary to open traffic to the entire internet from a single app. A company can only own so many IPs, and those should be spelled out so that we can keep the firewall as narrow as possible
- I realize that proxy servers should be inline at this point, but a number of enterprises still use explicit proxy's. If your app is aware of the proxy for it's main operation, it should also be aware of it when the app is updating.