Unplanned
Last Updated: 13 Apr 2021 05:41 by ADMIN
Sean
Created on: 26 Jun 2020 12:39
Type: Bug Report
2
Issue with Fiddler Everywhere + Corporate VPN

MacOs, Fiddler Everywhere 10, Cisco AnyConnect.

Here's the workflow...

In the morning, Cisco VPN isn't connected.  All traffic is blocked by design.  Attempt to start Fiddler Everywhere.  WON'T START because it can't login.  What is this new requirement to login?  If I don't start Fiddler before the VPN, no traffic ever logs.  If i don't start the VPN, Fiddler won't start.  A bit of a cartch-22, ya think?

Somehow I bypass the VPN (Don't tell corp security) and get logged-in.  Fiddler is up.  Start the VPN. Get some work done.  Shiny new UI!  Still can't drag-drop from inspector to composer?  Damn.

At some point the Fiddler login EXPIRES.  Why does it expire?  What do I even need a login for?  At this point ALL TRAFFIC fails, since Fiddler was the system proxy.  All work stops.  Now I need to stop Fiddler, Stop the VPN, attempt to start Fiddler again....oh wait, can't login because the VPN is down...  here we go again.

This is all a serious waste of time.  I can see registering Fiddler so you know who your users are.  What's with the REQUIREMENT to have a login, and why does it expire?  It kinda makes Fiddler useless.

Please remove the requirement to login to an account before being able to use Fiddler Everywhere.

 

Thanks,

Sean

22 comments
ADMIN
Nick Iliev
Posted on: 13 Apr 2021 05:41

Hello Sean,

 

Thanks for the feedback! The team has acknowledged the importance of solving this issue, and we will post more once we have a stable solution that solves your specific scenario.

As for the login flow, I should say that our application structure and business model are still requiring user accounts and a login system, so that this point, the team is not considering chaining that part.

 

Regards,
Nick Iliev
Progress Telerik

Тhe web is about to get a bit better! 

The Progress Hack-For-Good Challenge has started. Learn how to enter and make the web a worthier place: https://progress-worthyweb.devpost.com.

Sean
Posted on: 08 Apr 2021 16:28

Nick,

 

We're doing all our development on Macs and deploying on Linux.  Classic Fiddler isn't an option. 

It was implied below that perhaps the free version could be made with an anonymous login to get around this problem. 

Even if we bought the paid version (which is an option), we would still have the issue with the VPN.  I can't imagine that I'm the only one having this issue.

The timeout is a minor annoyance caused by the login requirement.  That's not really my focus.  The real issue is that when I started using Fiddler Everywhere version .10 it was working great.  At some point you added the required login that made it unusable for people behind corporate VPNs.

Sean

ADMIN
Nick Iliev
Posted on: 08 Apr 2021 14:07

Hey Sean,

 

As stated in the requirements section, the Fiddler Everywhere application requires access to several endpoints. The Fiddler Everywhere client supports Cisco VPN and could cache the proxy settings once they are successfully applied. However, you would still need access to the Internet (specifically to the listed API endpoints) to use the application. The decision to use a login flow is based on the primary functionality that Fiddler Everywhere provides - the collaboration and sharing capabilities. All of them depend on the existence of individual accounts and a login system that can differentiate users and allow them to store, share and receive recorded Session, Composer requests, and Auto Responder rules. All of the above is why Fiddler Everywhere uses a login system and why active access to the Internet is a mandatory requirement.

The expiration of the currently logged account is a standard security practice. The idea behind the expiration period is to protect users from accidentally leaking sensitive information, which Fiddler Everywhere as MITM will indeed contain. However, what is strange here is that our default expiry period is 30 days. We are checking the validity of the refresh token (from the local storage) every 50 minutes, which means that in your case, the token could not be verified or, for some reason, is no longer valid. It might be that your corporate security rules are preventing the Fiddler Everywhere client from checking for token validity or from accessing the local storage.

 

Side note: Alternatively, you could still use theclassic Fiddler which is available for Windows and does not require Internet access or login credentials.

 

Regards,
Nick Iliev
Progress Telerik

Love the Telerik and Kendo UI products and believe more people should try them? Invite a fellow developer to become a Progress customer and each of you can get a $50 Amazon gift voucher.

Sean
Posted on: 08 Apr 2021 12:24

Nick,

 

It's now been 10 months since I first posted this issue.  In at least 2 responses you guys were working on it "at this very moment."  How's the solution coming?  Is there an expected release date?

 

Thanks,

 

Sean

ADMIN
Nick Iliev
Posted on: 12 Feb 2021 07:14

Hello Sean,

 

Indeed I have somehow missed the previous part of the thread, so please accept my apologies for that!

As for the issue you are facing - at this very moment, the team is still working on a solution for your specific case. We will update this thread as soon as we have more insights.

 

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Sean
Posted on: 11 Feb 2021 20:50

I don't want to be rude, but you obviously didn't read the thread.  I have clearly stated the VPN I'm using, and the issue I'm having.  Let me paste on of my previous posts...

 

MacOs, Fiddler Everywhere 10, Cisco AnyConnect.

Here's the workflow...

In the morning, Cisco VPN isn't connected.  All traffic is blocked by design.  Attempt to start Fiddler Everywhere.  WON'T START because it can't login.  What is this new requirement to login?  If I don't start Fiddler before the VPN, no traffic ever logs.  If i don't start the VPN, Fiddler won't start.  A bit of a cartch-22, ya think?

Somehow I bypass the VPN (Don't tell corp security) and get logged-in.  Fiddler is up.  Start the VPN. Get some work done.  Shiny new UI!  Still can't drag-drop from inspector to composer?  Damn.

At some point the Fiddler login EXPIRES.  Why does it expire?  What do I even need a login for?  At this point ALL TRAFFIC fails, since Fiddler was the system proxy.  All work stops.  Now I need to stop Fiddler, Stop the VPN, attempt to start Fiddler again....oh wait, can't login because the VPN is down...  here we go again.

This is all a serious waste of time.  I can see registering Fiddler so you know who your users are.  What's with the REQUIREMENT to have a login, and why does it expire?  It kinda makes Fiddler useless.

Please remove the requirement to login to an account before being able to use Fiddler Everywhere.

ADMIN
Nick Iliev
Posted on: 11 Feb 2021 13:52

Hey Sean,

 

What is the VPN tool used on your side?

The latest version of Fiddler Everywhere supports some of the VPN tools, but some steps need to be taken on the initial startup. Once Fiddler Everywhere configures the proxy, it will "remember" the applied settings and apply them for any consecutive startups.

Here is an article with instructions on configuring Fiddler Everywhere alongside Cisco VPN.

 

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Sean
Posted on: 09 Feb 2021 19:40

Any progress on this?  Is it somewhere on the roadmap?  I'd love to use Fiddler again, but the VPN issue is a bit of a show-stopper.

 

Thanks,

 

Sean

ADMIN
Nick Iliev
Posted on: 21 Oct 2020 07:05

Hey Sean,

 

At this very moment, Fiddler Everywhere requires having direct internet access (see the system requirements here). After your clarification that you don't have Internet access without the VPN, it is expected that the client is unable to complete the login process.

The team is currently discussing the possibilities to provide an anonymous login option (which won't require access to the Internet). Adopting a similar workflow will also allow more opportunities for cases like yours (where a VPN is needed for accessing the login endpoints).

 

Thank you once again for all the provided data - I will follow your suggestions to the team.

 

Regards,
Nick Iliev
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Sean
Posted on: 20 Oct 2020 13:53

I really feel like you don't understand the issue.  My corporate VPN restricts ALL INTERNET connections to pass through the VPN.  If the VPN is not up, NO INTERNET access.  No split tunnel.

So I downloaded Fiddler Everywhere 1.1.1 and installed it.  

I disconnected from the VPN.

I started Fiddler Everywhere 1.1.1.  It hung at "Please Wait" forever, trying to contact the login server.  Since the VPN isn't UP, there's NO INTERNET and thus Fiddler Everywhere cannot login.  Since it can't login, it never starts.

Just for fun, I logged back into the VPN, started fiddler, and added the new config option, closed fiddler and the VPN, and tried to start Fiddler again.  Save results.  Fiddler never starts because it can't contact the login server because the VPN isn't up.

You may have solved one problem.  IF fiddler ever started, you are right, it shouldn't try to proxy the VPN server connection.  The problem is, Fiddler will never start.

If you MUST contact the login server, you'll need to do it AFTER the VPN is up.

Sean

 

ADMIN
Nick Iliev
Posted on: 20 Oct 2020 13:10

Hello Sean,

 

 

Thank you for pointing that out! Here is a working link to the KB article:

https://docs.telerik.com/fiddler-everywhere/knowledge-base/configure-vpn-with-fiddler

 

 

Regards,
Nick Iliev
Progress Telerik

Five days of Blazor, Angular, React, and Xamarin experts live-coding on twitch.tv/CodeItLive, special prizes, and more, for FREE?! Register now for DevReach 2.0(20).

Sean
Posted on: 20 Oct 2020 12:47

Your KB article link is broken.

 

Oh no!
It seems we've lost this page

ADMIN
Nick Iliev
Posted on: 20 Oct 2020 10:53

Hi everyone,

 

We've recently improved the VPN experience with Fiddler Everywhere. You can refer to this KB article about configuring Fiddler Everywhere alongside a tool like Cisco VPN.

 

Regards,
Nick Iliev
Progress Telerik

Five days of Blazor, Angular, React, and Xamarin experts live-coding on twitch.tv/CodeItLive, special prizes, and more, for FREE?! Register now for DevReach 2.0(20).

Sean
Posted on: 04 Aug 2020 12:40

+1 for removing the login/collaboration/whatever from the free version.  Auth won't work unless your corp allows a "split tunnel".

 

I'm on a Mac. "Classic Fiddler" isn't an option.

 

Thanks,

 

Sean

ADMIN
Nick Iliev
Posted on: 04 Aug 2020 11:42

Hello Ton,

 

Thanks for the feedback on the EULA and for your suggestion about the Free version. We will have a planning meeting soon and will discuss the possibilities and the future of Fiddler Everywhere. So far the idea is that each user should authenticate (so that if a user decides to upgrade it will be done on-the-fly and without losing any of the already shared/saved content).

 

Regards,
Nick Iliev
Progress Telerik

Ton
Posted on: 04 Aug 2020 10:59
BTW, you could rip the authentication part out of the free version.
Ton
Posted on: 04 Aug 2020 10:57

Thanks for the fast response, Nick. I'll give it a shot and see how it compares to other solutions i am trying out.

 

Good and clear EULA, BTW. The only part i don't like is the selling of user data, but i guess that's inevitable nowadays.

ADMIN
Nick Iliev
Posted on: 04 Aug 2020 10:45

Hi Ton,

Fiddler Everywhere is providing a new set of functionalities related to sharing and collaboration. With FE, you can now share captured traffic, autoresponder rules, and composer requests. Fiddler Everywhere also comes in different flavors (Free, Trial, and Pro versions), which are also requiring authentication to distinguish different users and to provide account-based licensing. Fiddler is strictly following GDPR requirements, and no information is being reused outside Fiddler Everywhere client needs. You can refer to our detailed EULA page for more details on the user agreement.

I want to note that the classic Fiddler is still available and doesn't require authentication. However, it is available only for Windows.

Regards,
Nick Iliev
Progress Telerik

Ton
Posted on: 04 Aug 2020 09:50

@Sean, can you please comment on Nick's question on WHY we need to create an account and log in to Fiddler? I have downloaded Fiddler because i want to try it out, but i think the fact that you need to log in to a locally installed tool is quite fishy. This prevents me from installing it till now.

Please clarify the reason behind having to use a mandatory account for a MITM/Proxy tool.

 

Thanks,

 

Ton.

ADMIN
Nick Iliev
Posted on: 09 Jul 2020 10:43

Hi Sean,

 

It seems that after all your issue is entirely related to how your company is accessing the Internet which is after a VPN connection is established. Fiddler is trying to refresh the authentication token after a specific amount of time but the operation is not completing due to the VPN specifics in your case.

We are aware that using Fiddler with VPN software (like Cisco AnyConnect or similar) is a must and the team is researching the possibilities to enable this feature. I've escalated the feature priority and I will let you know as soon as we have more insight about a possible implementation in the near releases.

 

Regards,
Nick Iliev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Sean
Posted on: 07 Jul 2020 13:50

TBH, the login expiration is about once a day, but any interruption that requires me to hack my corporate VPN in order to use a tool is unacceptable, even if it is once per day.

My company is currently 100% work-from-home, Cisco VPN.  This login "feature" is making fiddler useless.

logs attached.

  
Attached Files:
ADMIN
Nick Iliev
Posted on: 29 Jun 2020 10:01

Hello Sean,

 

Thank you for your valued feedback!

I can confirm that at this moment, FE is not working alongside an active VPN connection (like one made with Cisco VPN). The team has already acknowledged the issue, and these tasks are one of our priorities for the upcoming feature releases.

As for the issue related to FE account expiration and the following non-working traffic, it looks like that on your side, the proxy is not reset once the FE credentials expired. It is also strange that you are experiencing a login expiration way too often. Can you please make sure that you are using the latest version of Fiddler Everywhere, and if the issue is still there, please send us the FE logs. On Mac OS these logs should be located in the following directory:

~/Library/Application Support/Fiddler Everywhere/Logs

 

Regards,
Nick Iliev
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.