Sitecore Managed Cloud customers who want to protect their Sitecore application from common web vulnerabilities and attacks can raise a Setup Azure Application Gateway (AG) with Web Application Firewall (WAF) enabled Service Request. This article outlines what Managed Cloud customers need to know about the technical implementation of Azure Application Gateway (AG) and Web Application Firewall (WAF).
For more details on the Azure AG and WAF products and how they work to secure a Sitecore Content Delivery (CD) server, refer here.
The following items MUST be included in the Service Request raised to the Managed Cloud support:
- The PFX certificate that corresponds to the Sitecore CD web app public DNS name.
- The certificate password.
Azure AG with WAF enabled is only applicable for Sitecore CD web app and is not compatible with Content Management (CM) servers. For further information see here.
The following notes describe the timeframe and the overall process followed by the Sitecore Managed Cloud team in completing this Service Request:
- The AG + WAF enabled deployment takes about an hour. During this time, IP restrictions are configured on the Sitecore CD web app in Azure, so the CD will become unavailable by means of the direct endpoint such as the *.azurewebsites.net URL. Access becomes available only through a Public IP address.
Customers can choose to opt out of the IP restriction by selecting Do not apply CD IP Restriction Configuration in the Service Request. This is exceptionally important if the site is live, and there is ongoing traffic.
- Immediately after the WAF service has been deployed, the customer must configure their DNS server to create the required records. DNS records on NS servers might take up to 72 hours to fully update, so the final configuration might require up to 3 days.
- The Managed Cloud support will coordinate a time window with the customer for the WAF deployment. The best practice is to set up the AG + WAF enabled well before an environment goes live to reduce the risk of downtime or the impact of any unforeseen complications. The Managed Cloud support requests 2 business days' notice to schedule the maintenance window.
The following are the changes and additional resources:
- Additional resources:
- Configuration changes:
- Public IP is added to CD app service IP restriction.
- CD pingwebtest URL changed to AG public DNS.
- AG basic HTTP and HTTPS listeners, ruleset, backend setting, and diagnostic logging.
- WAF prevention mode, OWASP 3.2 managed rule, and Bot manager rule set.
- Next, you must set up the redirect from your Sitecore CD DNS https://{your.domain.here.com}
to XXX.XXX.XXX.XXX to finish the installation.
- After ensuring AG + WAF works as expected and DNS updates have been completed, IP restrictions on CD Web App can be applied to ensure traffic-only routes through the Application Gateway.
The Sitecore Managed Cloud team provides Limited Support for Managed Cloud Standard customers using the Azure AG + WAF enabled product with their Sitecore implementation. This Limited Support scope includes the Azure WAF component with Azure Application Gateway
|
|
Sitecore
|
Customer
|
|
Initial AG + WAF setup and integration with Sitecore CD role in standard Sitecore topologies.
|
R, A
|
C, I
|
|
Configure basic HTTP and HTTPS Listeners on initial setup.
|
R, A
|
C, I
|
|
Configure AG + WAF diagnostic setting to OMS.
|
R, A
|
C, I
|
|
Configure Prevention mode for the WAF on initial setup.
|
R, A
|
C, I
|
|
Configure default WAF settings such as rulesets, and policies on the initial setup.
|
R, A
|
C, I
|
|
Update Sitecore CD availability test to AG.
|
R, A
|
C, I
|
|
Troubleshooting Sitecore application challenges related to WAF.
|
R, A
|
C, I
|
|
|
Sitecore
|
Customer
|
|
Decide if WAF should be in Detection or Prevention mode based on the evaluation of AG logging and validation of all Sitecore CD functionality.
|
C, I
|
R, A
|
|
Troubleshooting Sitecore application challenges related to WAF [2].
|
C, I
|
R, A
|
|
Customize appropriate AG settings such as listeners, backed configurations.
|
C, I
|
R, A
|
|
DNS changes necessary to redirect from your Azure Sitecore CD to the new Public IP.
|
C, I
|
R, A
|
|
Adjust AG scale units according to capacity and needs.
|
C, I
|
R, A
|
|
Assistance with production incidents related to WAF [3].
|
C, I
|
R, A
|
|
Update Application Gateway certificate.
|
C, I
|
R, A
|
Legend:
- R – responsible
- A – accountable
- C – consultant
- I - Informed
- [1] WAF policy is included during the latest initial setup starting from October 2022. The older setup does not include this. A customer can raise a support ticket for migrating to the WAF policy if necessary.
- [2] In Managed Cloud, the customer is responsible for how the Sitecore application functions, and adding a WAF can impact a customer's implementation. It is the customer's responsibility to troubleshoot such challenges. The Sitecore Managed Cloud support is available to assist and might be able to help identify problem areas, but ultimately this lies with customers who have full access to their implementation source code and full context on how their Sitecore CD role operates.
- [3] The monitoring and evaluation of potential WAF security incidents are the responsibility of the customer. Sitecore recommends that the customer engages with security professionals with the understanding of their business and security protocols to interpret such events. The Sitecore Managed Cloud support is available to assist and might be in a position to contribute to resolutions, by leveraging our relationship with Microsoft. The primary responsibility, however, lies with the customer.