Introduction

Sitecore Managed Cloud customers who want to protect their Sitecore XP application from common web vulnerabilities and attacks can create a Setup Web Application Firewall (WAF) Service Request. This article outlines what Managed Cloud customers need to know about the technical implementation of the WAF.

For more details on the Azure Application Gateway and WAF products and how they work to secure a Sitecore Content Delivery server, see these details.

Prerequisites

Once the Service Request is made to the Managed Cloud team, the following items must be provided. These can be included in the Service Request form or the engineer completing the setup will request them from the customer:

• The PFX certificate that corresponds to the Sitecore CD web app public DNS name.
• The certificate password.

Deployment And Timing

The following notes outline timing and the overall process followed by the Sitecore Managed Cloud team in completing this Service Request:

1. The WAF deployment takes about an hour. During this time, IP restrictions will be configured on the Sitecore Content Delivery web app in Azure, so the CD will become unavailable using the direct endpoint such as the *.azurewebsites.net URL. Access becomes available only via Public IP address.
   
   We may turn off the IP restrictions after the deployment so the CD web app can be available as before. Customers that require this must request it in the Service Request.
2. Right after the WAF service has been deployed, the customer must configure their DNS server to create the needed records. DNS records on NS-servers may take up to 72 hours to fully update, so the final configuration might require up to 3 days.
3. The Managed Cloud team will coordinate a time window with the customer for the WAF deployment. Best practice is to set up the WAF well before an environment goes live to reduce the risk of downtime or the impact of any unforeseen complications. The Managed Cloud team requests 48 hours notice to schedule the maintenance window.
   
   For sites that are already “live,” the Managed Cloud team can NOT apply the usual IP restrictions on the Sitecore CD web app so the site remains available 100% through this process. At a later time, after WAF testing and customer DNS updates have been completed to the customer's satisfaction, the IP restrictions can be enabled to block direct access to the Sitecore CD web app.

WAF Next Steps

After the WAF has been configured by the Managed Cloud team, the following details will be provided to the customer in the Service Request ticket:

• The WAF deployment is finished.
• All of your resources are now located in the mc-{your-identifier-here}-virtualNetwork virtual network.
  
• Please note that your Sitecore CD web app is only available now by Public IP (PIP) address: XXX.XXX.XXX.XXX.
• The PIP is associated with mc-{your-identifier-here}-applicationGateway-waf application gateway.
• Next, you should set up the redirect from your Sitecore CD DNS https://{your.domain.here.com} to XXX.XXX.XXX.XXX to finish the installation.

Scope Of Support

The Sitecore Managed Cloud team provides Limited Support for Managed Cloud Standard customers using the Azure WAF product with their Sitecore implementation. This Limited Support scope includes the Azure WAF component with either Azure Application Gateway or Azure Front Door:

 

Activity	Supported	Not Supported, Customer Responsibility
Initial WAF setup and integration with Sitecore CD role in standard Sitecore topologies.	✓
Configure HTTP and HTTPS Listeners	✓
Configure WAF logging to App Insights	✓
Configure Azure App Insights Dashboard to visualize basic WAF metrics on customer request	✓
Configure Detection or Prevention mode for the WAF	✓
Decide if WAF should be in Detection or Prevention mode based on evaluation of WAF logging and validation of all Sitecore CD functionality		✓
Troubleshooting Sitecore application challenges related to WAF [1]		✓
Manage WAF settings such as rulesets, policies, and listeners in addition to HTTP/HTTPS	✓
Decide on appropriate WAF settings such as rulesets, policies, and listeners for their implementation		✓
Adjust WAF scale units according to capacity and needs		✓
DNS changes necessary to redirect from your Azure Sitecore CD to the new Public IP		✓
Update WAF ping tests after DNS changes have propagated	✓
Assistance with production incidents related to WAF [2]		✓
Provide PFX certificates for Sitecore CD role		✓
Update WAF certificate changes	✓

[1] In MCS, the customer is responsible for how the Sitecore application functions, and adding a WAF can impact a customer's implementation. It is the customer's responsibility to troubleshoot such challenges. The Sitecore MCS team is available to assist and may be able to help identify problem areas, but ultimately this lies with customers who have full access to their implementation source code and full context on how their Sitecore CD role operates. 

[2] The monitoring and evaluation of potential WAF security incidents are the responsibility of the customer. Sitecore recommends that the customer engages with security professionals with the understanding of their business and security protocols to interpret such events. The Sitecore MCS team is available to assist and may, by leveraging our relationship with Microsoft, be in a position to contribute to resolutions. The primary responsibility, however, lies with the customer.