Document Approaches to Enabling FluidFramework Enabled Apps to Work in the Corporate Environment #13954
loaderladdy-work
started this conversation in
Documentation topics
Replies: 0 comments
Hi, my day job is as an infrastructure architect and one of the issues I have to deal with from time to time is making apps work that use WebSockets, particularly when the corporate environment uses HTTP proxy inspection techniques like SSL Break and Inspect (man-in-the-middle attack) so malicious content can be identified and removed.
If you do not know why proxy-based SSL Break and Inspect is an issue for frameworks that make use of WebSockets then it is because SSL Break and Inspect opens up the HTTPS stream that encapsulates the WSS handshake and breaks it. More and more modern proxy servers are building capabilities that create SSL Break and Inspect Bypass solutions, but these rely on being able to isolate the HTTPS stream that contains the WSS handshake so that the rest of the content can continue to be inspected while allowing WSS to work. I'll mention that some proxy WSS handling techniques are not perfect and where a corporate entity has a business need to access a WebSockets enabled app then other workarounds are looked into.
An alternative workaround is to use a Proxy Auto-Config (PAC) file rule to route WSS FQDNs direct, in which case the corporate firewall needs to be able to build rules that match FQDNs to IP addresses. You would think this would be easy, but in a world where cloud services, particularly in the SaaS space, try to adhere to Cloud Application Good Practice Design Principles, which means that applications need to take account of the changing Cloud hosting platform where URLs and IP Addresses can frequently change, it is not easy; in fact it is very hard.
Proxy and Firewall vendors build capabilities like Internet Services Databases into their products and populate these with the IP Addresses of services that take account of those frequent changes in the URL and IP address space. A great example of how this works in practice is from the Microsoft Office 365 Product Team, who have built the Office 365 IP Addresses and URLs web service https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide, and the O365 Product Group push updates into this web service. Corporates and Product Vendors can capture the feeds from the web service and update their product accordingly. This works great for Microsoft Teams for instance.
I think it would be great if the project could consider these issues in the round and develop documentation that helps corporate admins better understand the challenges Fluid enabled apps will present them with.
Many thanks, Pete
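The PAC-file workaround described in the post, sketched as an added example that is not part of the original post or of the Fluid Framework project: only the listed WebSocket FQDNs go `DIRECT`, everything else stays on the inspecting proxy. The hostnames, the proxy address and the helper names are placeholders and assumptions; matching is done on label boundaries so that look-alike hosts do not inherit the inspection bypass.

```javascript
// Added example: PAC file that bypasses the inspecting proxy only for
// listed WebSocket FQDNs. All hostnames and the proxy address below are
// placeholders (assumptions); substitute the service's published endpoints.
var DIRECT_HOSTS = [
  "relay.fluid.example.com",   // exact host only
  ".ws.fluid.example.com"      // leading dot: subdomains of ws.fluid.example.com
];
var INSPECTING_PROXY = "PROXY proxy.corp.example:8080";

// Lower-case the host and drop the trailing dot of a fully qualified name,
// so "Relay.Fluid.Example.com." and "relay.fluid.example.com" compare equal.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

// True only for an exact match or a suffix match on a label boundary.
// A plain substring test would also match
// "relay.fluid.example.com.attacker.test" and send it around inspection.
function isDirectHost(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    var rule = DIRECT_HOSTS[i];
    if (rule.charAt(0) === ".") {
      if (h.length > rule.length && h.slice(-rule.length) === rule) {
        return true;
      }
    } else if (h === rule) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point: decide per request, by host name only.
function FindProxyForURL(url, host) {
  return isDirectHost(host) ? "DIRECT" : INSPECTING_PROXY;
}
```

Hosts returned as `DIRECT` are no longer inspected by the proxy, so the list should stay as short as the application allows and the matching firewall rules should permit only those destinations.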