NAM Access Gateway Rewriter URL-Encodes / corrupts HTTP Referer header while forwarding a request to a protected web server

  • 7021103
  • 18-Jul-2017
  • 30-Aug-2017

Environment

  • NetIQ Access Manager 4.3.2
  • NetIQ Access Manager 4.3.2 Access Gateway Service
  • NetIQ Access Manager 4.3.2 Access Gateway Appliance
  • NetIQ Access Manager 4.3.2 Access Manager Appliance

Situation

  • After upgrading the Access Gateway with NAM Service Pack 4.3.2 back-end web application server making use of the HTTP Referer Header fail

  • The Access Gateway Rewriter process URL-Encodes the HTTP Referer Header and appends a "#15"

    Example:
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq [192.168.0.5:40795->192.168.0.200:443] GET /nw65/icons/blank.gif
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Host: nam.kgast.local
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Accept: */*
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Accept-Language: en-US,de;q=0.5
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Accept-Encoding: gzip, deflate, br
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Referer: https://nam.kgast.local/nw65/
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Cookie: ZNPCQ003-33333800=236f2144
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Connection: keep-alive
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Pragma: no-cache
    Jul  6 15:07:40 nam httpd[25657]: ID:23:1800:creq Cache-Control: no-cache
    
    -----------------------------------------------------------
    
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws [192.168.0.200:43431->147.2.91.248:80] GET /icons/blank.gif HTTP/1.1#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Host: nam.kgast.local#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Accept: */*#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Accept-Language: en-US,de;q=0.5#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Accept-Encoding: gzip, br#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Referer: https%3a//nam.kgast.local/nw/#015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Cookie: #015
    Jul  6 15:07:41 nam httpd[25657]: ID:23:1800:to-ws Pragma: no-cache#015
    

Resolution

Fixed in NAM 4.4 and planned for NAM 4.3.3.