This is a migrated thread and some comments may be shown as answers.

Best practices as a proxy for a legacy app

Fiddler Classic
David asked on 15 May 2020, 09:28 PM

Hey all

I am new to Fiddler, but we are in a position where our current ERP (Dynamics AX 2009) is too old and does not support TLS 1.2 (it's built on .NET 3.5), therefore pretty much all REST calls do not function. Fiddler came up as an option to be able to override SSL protocols to TLS 1.2, which in my proof of concept (installed locally to dev box) is working fine.

However I am a bit confused on how I can actually implement this in a "production-ready" manner as all the calls will come from individual client machines on our network running the AX thick-client (it's a standard client/server architecture), so I would need to put this in place somehow to target/override/log only REST calls from this application to specific hosts (I have this working via FiddlerScript) for any calls coming from our internal network. We would need all other traffic to not be impacted.

I'd prefer not to install Fiddler on every client machine, so does it make sense to stand it up as a proxy server between clients and firewall? Is there a better way?

Thanks

4 Answers, 1 is accepted

Eric R | Senior Technical Support Engineer
Telerik team
answered on 19 May 2020, 07:06 PM

Hi David,

I believe this is referring to the Fiddler Modern TLS workaround where Fiddler works because by default it only uses TLS 1.0 and SSL 3.0 to talk to servers.

If that is the case then it may be possible to use Fiddler on the Web Server and in the OnBeforeRequest event upgrade to TLS 1.1+. For examples, see the Old Software that requires TLS 1.0 and the IIS SEO Toolkit Not Crawling Sites w/TLS1.0 threads.

The code in the OnBeforeRequest would look like the following.

if (oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("www.yourdomain.com")) { 
    oSession["x-OverrideSslProtocols"] = " ssl3;tls1.0;tls1.1;tls1.2";
}

It may require configuring Fiddler as the Reverse Proxy as well.

Additionally, I recommend trying this on a development machine before moving it in production as it may require changing the port configuration.

Please give this a try and let me know the results. Thank you and I look forward to your reply.

Regards,


Eric R | Senior Technical Support Engineer
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
David
answered on 19 May 2020, 07:31 PM

Hey Eric- appreciate the reply!

Currently I have the actual proof of concept working on my devbox with the following script:

if (oSession.HostnameIs("mydomain.com") && oSession.LocalProcess.Contains("ax32")) {
    oSession["x-OverrideSslProtocols"] = "tls1.2";
}

This way it only works with calls from the application.

However the rest of your reply is either over my head or maybe I miscommunicated. Dynamics AX runs as an on-prem server application instance (not a website) that has thick-client software installed on all user machines to access the system. All REST calls from this application would come from the individual clients (not server-side code) that are kicking off those operations.

Specifically in this case, we have a small ecomm site (LEMP-based) that I want to write back shipping and fulfillment data. So I am sending a POST from my client to the site, which does not work unless I have Fiddler running (with the script above) on the same machine I make the request on to override the old SSL protocol.

From this proof, I am trying to extrapolate how this would be implemented in a production scenario. For example, I don't want to have to install Fiddler on each client as that would be a mgmt nightmare. Does this help?

Thanks
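
Added example, not code from either poster or from Fiddler: a plain JavaScript model of the scoping decision the two scripts above make (exact host, then process name), so it can be checked against constructed sessions before being ported to FiddlerScript. The field names `host`, `process` and `clientIp`, the subnet and the function names are hypothetical, and the subnet check rests on the assumption that a shared proxy sees no process name for a remote client.

```javascript
// Constructed policy: host and process fragment are the thread's placeholders,
// the client subnet is invented for illustration.
const POLICY = {
  host: "mydomain.com",
  protocols: "tls1.2",              // value for x-OverrideSslProtocols
  localProcess: "ax32",
  clientSubnets: ["10.20.0.0/16"],
};

// Dotted IPv4 (optionally IPv4-mapped "::ffff:a.b.c.d") to uint32, or null.
function ipv4ToInt(ip) {
  const parts = String(ip).replace(/^::ffff:/i, "").split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const size = 2 ** (32 - bits);    // addresses per block of this prefix
  return Math.floor(a / size) === Math.floor(b / size);
}

// Returns the protocol string to set, or null to leave the session untouched.
function tlsOverrideFor(session, policy = POLICY) {
  const host = String(session.host).toLowerCase().replace(/:\d+$/, "");
  if (host !== policy.host) return null;             // other hosts: no change
  const proc = String(session.process || "").toLowerCase();
  if (proc) {
    // Local client: scope by process name, as in the dev-box script.
    return proc.includes(policy.localProcess) ? policy.protocols : null;
  }
  // Assumption: remote clients carry no process name, so scope by subnet.
  const ok = policy.clientSubnets.some((c) => inCidr(session.clientIp, c));
  return ok ? policy.protocols : null;
}

// Constructed sessions: local AX client, remote AX client, remote stranger.
const SAMPLE = [
  { host: "mydomain.com", process: "ax32:4120", clientIp: "127.0.0.1" },
  { host: "mydomain.com:443", process: "", clientIp: "::ffff:10.20.31.7" },
  { host: "mydomain.com", process: "", clientIp: "10.21.0.4" },
];
console.log(SAMPLE.map((s) => tlsOverrideFor(s)));
```
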

Eric R | Senior Technical Support Engineer
Telerik team
answered on 19 May 2020, 07:57 PM

Hi David,

Thank you for providing the additional information. Although, I am still not sure I understand completely. 

Let me try and rephrase it from my understanding. Dynamics runs on a server and each thick-client is installed on client machines. The goal is to allow the Dynamics thick-client to make a POST request to the LEMP-based server through the Dynamics server?

If this is the case and if all requests go from the client application to Dynamics to the LEMP server then it might work by installing Fiddler on the Dynamics server and using the same FiddlerScript implementation.

Unfortunately, if Dynamics is installed on a Windows Server version prior to 2008 R2 this would not work as it does not support the modern protocols.

Please let me know if that helps clarify or if I am missing something. Thank you and I look forward to your reply.

Regards,


Eric R | Senior Technical Support Engineer
Progress Telerik

David
answered on 19 May 2020, 08:42 PM

Sorry, I think I may have distracted you by mentioning the Dynamics server, purely for base architecture understanding, but all the REST calls actually run on the client-side so the calls themselves will come from individual PCs. This is the challenge, as it's more distributed than all calls originating from a single server.

Thanks again
