This issue may be limited by constraining the web servers for which the PCS device rewrites content.
On the PCS device, constraining the web servers for content rewriting may be accomplished in any of the following ways:

1. "Web ACL" policies

"Web ACL" policies may be used to allow access through the PCS device to a constrained set of resources only. Other sites will not be accessible through the PCS device.

2. "Selective Rewriting" policies

Enumerate the company-owned resources that are to be rewritten in "Selective Rewriting" policies. All other resources will not be rewritten; the browser will access other content directly, maintaining isolation between company-owned resources and the Internet.

Note: If "Selective Rewriting" policies are not visible in the administrator UI, use the "Customize" button on a resource policy page to enable display of "Selective Rewriting" policies.

3. Use other access methods

The JSAM, WSAM, and Network Connect access methods are not vulnerable to the exploits described in VU#261869. For users who use only these access methods, the content rewriter may be completely disabled by turning off the "Web" role option on all roles assigned to such users.

4. Use "Passthrough Proxy" policies

Enumerate the company-owned servers that are to be accessed through the PCS device. For each server, do the following:
- Create a "Passthrough Proxy" policy. Choose the "Use virtual hostname" option and DO NOT check "Rewrite XML" or "Rewrite external links".
- Configure the external-facing DNS resolution to resolve the server hostname to an IP address on the SSL-VPN device.

When "Passthrough Proxy" is configured in this way, isolation is maintained between company-owned servers and Internet servers.

5. Disable roaming session

Disabling roaming session may be used to prevent stolen cookies from being used to completely hijack a user's session.

To disable roaming session, configure each user role under "Session Options". Choose "Disabled (maximize security)" in the "Roaming session" section.

Note: Even with roaming session disabled, an attacker may still be able to exploit the vulnerability through the user's browser.