VMware Workspace ONE Community
btrabue
Enthusiast

Adding Web Headers for our SEG servers

Hello -
We have been notified by our security team that we need to add a web header to our SEG server because it resolves to the public Internet. I was given the following link to test after I had the header added. Our SEG server is on the public side so that makes sense why it would resolve to the public Internet. If anyone tests their SEG URL on the link below do you also get an 'F' rating? How can this be resolved? I am not sure how to add a web header to this site. Thanks
https://securityheaders.com/
0 Kudos
10 Replies
msweisberg
Enthusiast

How many SEG servers do you have?
0 Kudos
LukeDC
Expert

I'd assume they are load balanced, if so, this would preferably be done at that level.
0 Kudos
msweisberg
Enthusiast

Luke - that is what I am getting at. If he has more than 1 SEG, then it should be load balanced behind an f5. Therefore, the only thing publicly facing would be the f5. That's our setup.
0 Kudos
btrabue
Enthusiast

We only have one SEG server. One in test and one for production
0 Kudos
LukeDC
Expert

Even if it's one, you can check with your firewall folks and see if they can handle it there. Otherwise you are going to dig into IIS and get it done.
0 Kudos
msweisberg
Enthusiast

Public facing aside, you have a single point of failure.  I'd personally add-in a second SEG (even if it is overkill) for redundancy and throw in an f5.  Thus, you have solved the problem.
0 Kudos
snochico1
Enthusiast

Hi All,

We have received a similar notification from our security group. 
I believe the headers need to be added to the web.config file in the active EASListener directory. I have included a snippet of the section below. Since we have more than a dozen SEGs throughout the world, upgrades will be more painful without a global AirWatch setting. We have opened a ticket with AirWatch but I am not holding my breath.

0 Kudos
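
An added example, not part of the original posts and not VMware's code: a Python check that parses an IIS web.config (such as the one in the EASListener directory mentioned above) and reports which security response headers are absent from `customHeaders`, so each SEG can be re-checked after a change or upgrade. The header baseline and the sample file are assumptions constructed for illustration; the thread does not name the header that was requested.

```python
import xml.etree.ElementTree as ET

# Assumed baseline: response headers that scanners such as securityheaders.com
# commonly grade. Adjust to whatever your security team actually requires.
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
)

# Constructed sample, not a real SEG web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="x-content-type-options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text, required=REQUIRED_HEADERS):
    """Return (configured, missing) for the customHeaders in a web.config.

    configured maps lower-cased header names to values; missing lists the
    required headers that no <add> entry sets. Entries are applied in
    document order, so <remove> and <clear> cancel earlier <add> entries.
    """
    root = ET.fromstring(xml_text)
    configured = {}
    for block in root.findall(".//httpProtocol/customHeaders"):
        for entry in block:
            name = entry.get("name", "").lower()
            if entry.tag == "clear":
                configured.clear()
            elif entry.tag == "remove":
                configured.pop(name, None)
            elif entry.tag == "add" and name:
                configured[name] = entry.get("value", "")
    missing = [h for h in required if h.lower() not in configured]
    return configured, missing


if __name__ == "__main__":
    for header in audit_web_config(SAMPLE_WEB_CONFIG)[1]:
        print("MISSING:", header)
```

This only inspects the file it is given; headers added at a load balancer or firewall, as suggested earlier in the thread, will not appear in it.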
btrabue
Enthusiast

0 Kudos
snochico1
Enthusiast

Hi Bryan, 
That link was great.  Thanks for the help.
0 Kudos
snochico1
Enthusiast

I used 'High-Tech Bridge ImmuniWeb® WebScan' to verify prior and post changes. I could not get the securityheaders.io site to load.
https://www.htbridge.com/websec/
0 Kudos