Can't Connect to Jira Cloud Instance from behind a corporate firewall

(Cmartin) #1

We’re running an Octopus Server behind a corporate firewall. We have Jira Cloud and I’m trying to get the final piece of this working. I’ve got the Release Notes set up and that’s working fine. However I can’t seem to get the Jira base url with the Connect App Password working. Here’s the error I get when I click the Test (or try to deploy when this is enabled):

An error occurred while sending the request. Unable to connect to the remote server No connection could be made because the target machine actively refused it 52.187.229.23:443

I’m guessing that’s in the IP range of Jira cloud’s hosting?? I’ve tried a few things around the proxy without luck:

  • Using the default proxy (proxy pac file in this case).
  • Specifying custom proxy and pointing it to one of our proxy servers (with and without auth)
  • Setting the Jira base url to our Kong api receiver that points to the Jira cloud api. (this is how we usually hit the api internally as it’s got all the proxy baked in)

It’s weird that the Work Items are getting retrieved just fine. So that’s making me think that it isn’t necessarily the proxy (as some traffic at least is getting through). Just whatever redirect is occurring to that IP is getting blocked.

(Tina) #3

Hi,
Thank you for getting in touch!

The Connect App Test checks the connectivity for pushing deployment data to your Jira Cloud instance. For this connectivity test to succeed, your Octopus server must be able to connect to both your Jira Cloud instance’s URL and to https://jiraconnectapp.octopus.com, which hosts our Jira plugin.

Work items, on the other hand, using the Release Notes Test, are dependent on the ability to connect to your Jira Cloud instance URL. The error is likely related to our plugin URL.

Verify that you can access both your Jira cloud Instance and the Jira Plugin from your Octopus Server and let me know how it goes.

Look forward to hearing from you shortly.

Kind Regards,
Tina
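
The check described in #3, as an added example that is not part of the original thread or Octopus's own tooling: it probes both endpoints from the Octopus Server, once directly and once through the system default proxy, so the two results can be compared. `example.atlassian.net` is a placeholder for your Jira Cloud base URL and `Test-Endpoint` is a hypothetical helper name.

```powershell
# Added example. Run on the Octopus Server host.
# Windows PowerShell 5.1 may not negotiate TLS 1.2 by default, so request it.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$JiraBaseUrl = 'https://example.atlassian.net'   # placeholder: your Jira Cloud base URL
$Endpoints   = @($JiraBaseUrl, 'https://jiraconnectapp.octopus.com')

function Test-Endpoint {
    param([uri]$Uri, [switch]$ViaSystemProxy)

    $request = [System.Net.WebRequest]::Create($Uri)
    $request.Method  = 'HEAD'
    $request.Timeout = 10000   # milliseconds

    if ($ViaSystemProxy) {
        # Default proxy of the current user (includes PAC / auto-config).
        $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
        $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $request.Proxy = $proxy
    } else {
        # An empty WebProxy forces a direct connection.
        $request.Proxy = New-Object System.Net.WebProxy
    }

    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        "reachable (HTTP $status)"
    } catch {
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            # Any HTTP status, even 4xx, proves the network path is open.
            "reachable (HTTP $([int]$ex.Response.StatusCode))"
        } else {
            "blocked: $($ex.Message)"
        }
    }
}

foreach ($url in $Endpoints) {
    [pscustomobject]@{
        Endpoint = $url
        Direct   = Test-Endpoint -Uri $url
        ViaProxy = Test-Endpoint -Uri $url -ViaSystemProxy
    }
}
```

Proxy settings are per user, so run this as the account the Octopus Server service uses. A row that is blocked under `Direct` but reachable under `ViaProxy` means the endpoint is only reachable through the proxy.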

(Cmartin) #4

Ahh, the “https://jiraconnectapp.octopus.com” is indeed blocked on our machines. Any reason why that connection from Octopus isn’t going through the proxy that Octopus uses? That should just take care of the problem.

Is that endpoint configurable any way? If so, I think I can set something up within our Kong instance to handle it.

(Tina) #5

Hi,
Unfortunately, the Connect App hosted location is not configurable. Alternatively, there is one more thing you can check that has been an issue for other Customers.
I think it’s worth checking that you have Permissions in Jira to Manage third party Apps. You may have permission to Add apps but not manage them.

Give that a try and let me know how it goes.

Thank you,
Tina

(Cmartin) #6

I do indeed have add and manage permissions as I’m the Jira admin for our organization. However, the service account with the apikey being used… does it need those permissions?

(Tina) #7

I believe it does, but I’m not 100% sure. I’m touching base with one of my teammates to get you a more definitive answer.

(Tina) #8

Ok. So I was 100% wrong on the permissions and you were dead on that the proxy should handle this. We may have a bug here.

Would you be able to confirm this for us by temporarily Whitelisting the Connect App URL and see if that works?

Tina

(Cmartin) #9

Just got back into the office from a quick vacay and this is excellent news. I’ll put in a request with our security team and get back to you shortly.

(Cmartin) #10

We’re currently in our end of year change freeze. I’ve put in a request and they’ll process it after it’s lifted (start of the New Year). Sorry for the delay.

(Tina) #11

That’s not a problem at all. Thanks for the update.

As it turns out this is a known issue that is being considered for resolution in the new year and the current workaround is whitelisting the Jira Connect App url. This should provide a temporary solution until we release a fix.

Hope you have a great Holiday! Talk to you in the new year.

(Cmartin) #12

Change freeze is up and we tested the whitelist and things look good!

Any chance you have an ETA on this fix going out? Our security team is a bit hesitant to keep this in place.

Thanks!

(Tina) #13

Hi @cmartin1,
So glad to hear it! Not a precise ETA, but we have had a few more customers report this as a blocker for them which has pushed it up the priority list. Currently, the team is triaging how to add the feature and will create a GitHub issue once they’re ready to work on it. I’ll send you the GitHub issue once they’re at that point.

I hope this helps!

Tina

(Tina) #14

Hi @cmartin1,
As promised, the GitHub issue 6095 has been opened to resolve the Connection errors you’re seeing caused by Octopus being behind a proxy. These changes will be rolled out shortly, in the next LTS version and possibly the next fast as well.

Don’t hesitate to let me know if you have any follow-up questions.

Kind Regards,
Tina