For LemonadeLXP to work properly, it must be served exactly as we intended. Security appliances, sandboxing environments, web proxies and local "scan-and-serve" AV appliances can quickly wreak havoc.
Important Point: By "scan-and-serve" we mean proxied scanning of communications on port 443. Some security appliances locally decrypt requests and responses before the data is exchanged with the endpoint. The scanning itself isn't the problem; the proxying is. The typical symptom when these requirements are not met is a CORS failure.
Critical Bypass Settings
First, whitelist your LemonadeLXP instance's primary domain. If you have Digital Academy, whitelist that domain as well.
Once that's done, you will also need to ensure that resources from the following domains are bypassed on your SSL scanning appliances; without these bypasses the platform may not be operable:
lemonade-user-data.s3.amazonaws.com
lemonade-cdn.s3.amazonaws.com
lemonade-scorm-drop.s3.amazonaws.com
lemonade-attachment-drop.s3.amazonaws.com
lemonade-transcoder-drop.s3.amazonaws.com
content.lemonadelxp.com
amazonaws.com
Secondary Features
googleapis.com, required for StepYoutube (without it, YouTube integrations are likely to break)
gstatic.com, required for Google's reCAPTCHA, which is used on registration (not SAML) and within the anti-cheat controls on StepVideo
intercomcdn.com, whose client API is used by your learners and administrators to connect with our support staff
intercom.io, whose websockets are used for live connections between the Intercom platform and your users
apis.google.com, required for Google SSO
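One way to confirm that the domains listed above actually reach their origin rather than a local inspection appliance is to open a TLS connection to each and look at who issued the leaf certificate: an appliance that decrypts and re-signs traffic presents its own CA as the issuer. The script below is an added example, not LemonadeLXP's tooling. It assumes the inspection CA installed on the client carries an issuer name containing one of the constructed marker strings in INTERCEPTION_CA_MARKERS (replace them with your own appliance's CA name); the bare amazonaws.com entry is omitted because it is a suffix, not a host to connect to.

```python
"""Check that each bypass domain is reached over TLS without its certificate
being re-signed by a local inspection appliance.

Added example (not LemonadeLXP's own tooling). INTERCEPTION_CA_MARKERS are
constructed placeholders; set them to the issuer name of YOUR appliance's CA.
"""
import socket
import ssl

# Domains taken from the requirement lists in this article.
BYPASS_DOMAINS = [
    "lemonade-user-data.s3.amazonaws.com",
    "lemonade-cdn.s3.amazonaws.com",
    "lemonade-scorm-drop.s3.amazonaws.com",
    "lemonade-attachment-drop.s3.amazonaws.com",
    "lemonade-transcoder-drop.s3.amazonaws.com",
    "content.lemonadelxp.com",
    "googleapis.com",
    "gstatic.com",
    "intercomcdn.com",
    "intercom.io",
    "apis.google.com",
]

# Constructed placeholders: substrings that identify your inspection CA.
INTERCEPTION_CA_MARKERS = ("Sophos", "SSL Inspection", "Proxy CA")


def issuer_to_dict(issuer):
    """Flatten the RDN tuple from ssl.getpeercert()['issuer'] into a dict."""
    flat = {}
    for rdn in issuer:
        for key, value in rdn:
            flat[key] = value
    return flat


def is_intercepted(issuer, markers=INTERCEPTION_CA_MARKERS):
    """True when the leaf certificate's issuer matches one of the markers."""
    fields = issuer_to_dict(issuer)
    haystack = " ".join(fields.get(k, "") for k in ("organizationName", "commonName"))
    return any(m.lower() in haystack.lower() for m in markers)


def inspect_domain(domain, timeout=5.0):
    """Return (status, detail) for one domain.

    status is 'ok', 'intercepted', 'untrusted' or 'error'. 'untrusted' means
    the chain did not validate against this host's trust store, which is how
    an inspection CA looks before its root has been installed locally.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((domain, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", str(exc)
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)
    issuer = cert.get("issuer", ())
    fields = issuer_to_dict(issuer)
    detail = fields.get("commonName") or fields.get("organizationName") or "?"
    if is_intercepted(issuer):
        return "intercepted", detail
    return "ok", detail


def run(domains=BYPASS_DOMAINS):
    """Check every domain; returns a mapping domain -> (status, detail)."""
    return {d: inspect_domain(d) for d in domains}


if __name__ == "__main__":
    for domain, (status, detail) in run().items():
        print(f"{status:<11} {domain:<45} issuer={detail}")
```

Run it from a workstation on the affected network segment; any line reporting intercepted or untrusted is a domain that still needs an exception on the appliance.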
Internal DNS Requirements
If your clients are confined to internal DNS, make sure that DNS queries to the Cloudflare nameservers are whitelisted at your internal firewall.
For example, if your assigned NS addresses are josh.ns.cloudflare.com and sue.ns.cloudflare.com, you would want to ensure that the firewall is not:
blocking name resolution for josh.ns.cloudflare.com
blocking name resolution for sue.ns.cloudflare.com
blocking josh.ns.cloudflare.com on port 53, TCP
blocking josh.ns.cloudflare.com on port 53, UDP
blocking sue.ns.cloudflare.com on port 53, TCP
blocking sue.ns.cloudflare.com on port 53, UDP
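The six checks above can be exercised directly rather than inferred from a failed page load. The script below is an added example, not LemonadeLXP's tooling: it resolves each nameserver hostname, then sends a hand-built DNS query to it over UDP port 53 and again over TCP port 53, so a firewall block surfaces as a timeout on one specific transport. The nameserver hostnames are the example ones from this article (replace them with the NS records assigned to your zone) and PROBE_NAME is a placeholder for your instance's hostname.

```python
"""Probe a zone's Cloudflare nameservers over UDP and TCP port 53.

Added example, not LemonadeLXP's tooling. NAMESERVERS are the example names
used in this article; PROBE_NAME is a placeholder for your own hostname.
"""
import socket
import struct

NAMESERVERS = ["josh.ns.cloudflare.com", "sue.ns.cloudflare.com"]
PROBE_NAME = "YOUR-INSTANCE.example.com"  # placeholder


def build_query(name, qid=0x1234):
    """Build a minimal DNS query (QTYPE=A, QCLASS=IN) for name."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_header(data):
    """Decode the 12-byte DNS header: id, QR bit, RCODE and answer count."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "answers": an}


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_udp(ns_ip, name, timeout=3.0):
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ns_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(ns_ip, name, timeout=3.0):
    q = build_query(name)
    with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP: 2-byte length prefix
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        data = recv_exact(s, length)
    return parse_header(data)


def check_nameserver(ns_host, name=PROBE_NAME):
    """Return the three checks the article lists for one nameserver."""
    result = {"resolves": False, "udp53": "not tried", "tcp53": "not tried"}
    try:
        ns_ip = socket.gethostbyname(ns_host)
        result["resolves"] = True
    except socket.gaierror as exc:
        result["udp53"] = result["tcp53"] = f"skipped: {exc}"
        return result
    for key, fn in (("udp53", query_udp), ("tcp53", query_tcp)):
        try:
            hdr = fn(ns_ip, name)
            result[key] = f"ok (rcode={hdr['rcode']}, answers={hdr['answers']})"
        except (OSError, ValueError) as exc:
            result[key] = f"blocked or failed: {exc}"
    return result


if __name__ == "__main__":
    for ns in NAMESERVERS:
        print(ns, check_nameserver(ns))
```

A "blocked or failed" entry on only one of udp53 or tcp53 points at a per-protocol firewall rule; "skipped" means the nameserver's own name could not be resolved, which is the first two items in the list above.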
No Double Proxies
We host everything through Cloudflare. Putting a second reverse-proxy in front of Cloudflare can cause a multitude of issues. If you are using an internal proxy or caching system on your internal network, be sure to add your LemonadeLXP domain to its bypass list so that there is only one reverse proxy in the chain (Cloudflare).
⚠️ VPN Tunnels and/or Networks with Single Egress
If you are using a VPN appliance or tunneling strategy that has all of your organization's traffic coming from select static IP addresses, let us know and we can configure that into the firewall for you. This is especially important if your fixed IPs belong to ASNs that are on our threat radar.
Example SSL-Scanning Bypass, Sophos XG
At LemonadeLXP, we use a Sophos XG appliance to scan all web traffic. The toggle in a firewall rule that enables SSL scanning on this appliance is labelled "Decrypt & scan HTTPS".
The XG is a pretty good appliance. It scans HTTP packets in real time without proxying. Within this article's scope, only "Decrypt & scan HTTPS" is relevant, for that reason.
Without adding a bypass, our experience was that using LemonadeLXP threw several CORS errors: the preflight checks negotiated between the browser and these domains no longer match the payload that is "stolen" by the appliance for scanning.
We solve this behavior by specifying SSL bypasses.
In the XG, go to Web > Exceptions, click the "Add Web Exception" button, and add the domains listed above to the exception settings.
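The CORS errors described in this section (and under Important Point at the top) can be reproduced outside the browser by sending the same preflight OPTIONS request a browser would and checking the reply against the CORS rules. The script below is an added example, not LemonadeLXP's tooling; ORIGIN and PATH are placeholders for your instance's origin and a resource path on the target domain, and TARGET is one of the bypass domains from the list above.

```python
"""Send a CORS preflight to a bypass domain and judge the response.

Added example, not LemonadeLXP's tooling. ORIGIN and PATH are placeholders.
The evaluation follows the browser's CORS rules: the response must be 2xx,
Access-Control-Allow-Origin must echo the origin or be '*', and when
Access-Control-Allow-Methods is present it must list the requested method.
"""
import http.client

ORIGIN = "https://YOUR-INSTANCE.example.com"  # placeholder
TARGET = "content.lemonadelxp.com"            # a domain from the bypass list
PATH = "/"                                    # placeholder resource path


def evaluate_preflight(status, headers, origin, method):
    """Return (ok, reason) for a preflight response; header lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if not 200 <= status < 300:
        return False, f"preflight status {status} (browser requires 2xx)"
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header (typical symptom of interception)"
    if acao != "*" and acao != origin:
        return False, f"Access-Control-Allow-Origin is {acao!r}, not {origin!r}"
    methods = h.get("access-control-allow-methods")
    if methods is not None:
        allowed = {m.strip().upper() for m in methods.split(",")}
        if method.upper() not in allowed and "*" not in allowed:
            return False, f"{method} not in Access-Control-Allow-Methods ({methods})"
    return True, "preflight accepted"


def preflight(host, path, origin, method="GET", timeout=5.0):
    """Issue the OPTIONS request a browser would send and evaluate the reply."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    try:
        conn.request("OPTIONS", path, headers={
            "Origin": origin,
            "Access-Control-Request-Method": method,
        })
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can close cleanly
        return evaluate_preflight(resp.status, dict(resp.getheaders()), origin, method)
    finally:
        conn.close()


if __name__ == "__main__":
    ok, reason = preflight(TARGET, PATH, ORIGIN)
    print(("PASS" if ok else "FAIL"), TARGET, reason)
```

Run it once from a machine behind the appliance and once from outside; a reply that passes outside but fails inside with a missing Access-Control-Allow-Origin header is the interception symptom this section describes, and the domain belongs in the exception list.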
Whitelisting our Email Sender
LemonadeLXP will send a variety of emails to your learners as it operates. Some of these are mission-critical, such as "New Account Created" emails and password-recovery emails. To ensure that these get through, please make sure that your MTA whitelists [email protected], our email sending domain.