
Sophos UTM and Nest Camera

So starting today I am getting no video through the web browsers on my wired network while webfilter is turned on.  The wireless app on phones and ipads works fine.  The website works and the nest thermostat works, but no video.  

Lots of these when I reload the website.....

2017:03:28-20:02:23 adelman httpproxy[20271]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 237 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

and some of these....

2017:03:28-20:02:47 adelman httpproxy[20271]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.200" dstip="54.163.122.137" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllow (Block Nudity)" size="705" request="0x2d3b5e00" url="czfe24-front01-iad01.transport.home.nest.com/" referer="" error="" authtime="0" dnstime="0" cattime="21" avscantime="0" fullreqtime="10020413" device="0" auth="0" ua="" exceptions=""

The only way I get it to work is to turn off or exempt the computer from webfiltering.

Any thoughts?



  • I guess I would suspect a recent update to the NEST camera's firmware, Robert.  You can select to skip only the traffic to a DNS Group for czfe24-front01-iad01.transport.home.nest.com.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I tried that, but I noticed the number "24" in the czfe"#" changes.  Is there a way to make it variable?

  • I created a DNS record for 01-29, but the real issue I think is the 

     

    2017:03:29-12:10:23 plymouthvalleydental httpproxy[7978]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x32ce9000" function="read_request_headers" file="request.c" line="1550" message="unable to parse a http message on handler 340 (Resource temporarily unavailable)"

  • "I tried that, but I noticed the number "24" in the czfe"#" changes.  Is there a way to make it variable?"

    DNS can't handle that.  Your best bet is to change to a Web Filtering Profile that's in Standard mode.  Then, your client browser is where you can "program" skips like: .transport.home.nest.com

    Cheers - Bob

  • I'm getting a lot of users complaining about not being able to use Nest cams to check on their home security.

     

    Lots of the 

     

    httpproxy[12083]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 205 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

    and 

    httpproxy[12083]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x155a6600" function="read_request_headers" file="request.c" line="1550" message="unable to parse a http message on handler 5 (Resource temporarily unavailable)"

  • It actually is something with Google Chrome and Sophos and Nest.  It works in Internet Explorer 11.

  • Have there been any other fixes for this? IE 11 now acts like Chrome. Users cannot view the Nest cams.

  • I had a few minutes and figured out it's the web protection, specifically the operation mode.  When transparent (Full or regular) is selected it prevents the Nest camera from displaying on home.nest.com.  I have not found a way to allow it to work while the filtering proxy is on.

     

  • The error message indicates that it is not a normal http-compliant message.   NEST is apparently implementing a custom protocol.

    One research item will be to determine if the problem is on the PC-to-Cloud or Device-to-Cloud connection.   Try connecting from a laptop outside of your house to see if you get video or not.

    If the problem is with the NEST device connection, you could give them static IPs and whitelist based on the source.

    Assuming that the problem is on the PC-to-Cloud connection, you probably have to do a whitelist based on the destination.   Try this:

    • Re-enable web filtering and remove the exception that you created previously.
    • Create a website exception for home.nest.com with the box checked for "Include subdomains".  Assign it the tag "Nest Bypass"
    • Create an exception object and check the boxes to disable all features, for websites with "Tag = Nest Bypass"
    • Test.
    • Assuming it works (I think it will), you can try turning filter options back on to see whether things still work or start breaking.   The fewer enabled exceptions the better.
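
A way to check from the proxy log whether a single "Include subdomains" exception would cover the rotating czfe## hosts discussed above, as an added example that is not part of any post in this thread. The sample lines are constructed and shortened from the log layout quoted above (the host name "utm" and the czfe07 host are made up), and the suffix-match rule in covered_by() is an assumption about how the exception matches.

```python
import re
from collections import Counter

# Constructed sample lines, shortened from the httpproxy key="value" layout quoted in the thread.
SAMPLE_LOG = """\
2017:03:28-20:02:23 utm httpproxy[20271]: id="0003" severity="info" sub="http" request="(nil)" function="http_parser_context_execute" message="Unable to parse a http message of 237 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
2017:03:28-20:02:47 utm httpproxy[20271]: id="0001" severity="info" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.200" statuscode="200" url="czfe24-front01-iad01.transport.home.nest.com/"
2017:03:28-20:03:05 utm httpproxy[20271]: id="0001" severity="info" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.200" statuscode="200" url="czfe07-front01-iad01.transport.home.nest.com/"
2017:03:28-20:03:09 utm httpproxy[20271]: id="0003" severity="info" sub="http" request="(nil)" function="http_parser_context_execute" message="Unable to parse a http message of 205 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
2017:03:28-20:03:30 utm httpproxy[20271]: id="0001" severity="info" sub="http" name="http access" action="pass" method="GET" srcip="192.168.50.200" statuscode="200" url="http://example.com/"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" pairs of one httpproxy log line as a dict."""
    return dict(FIELD_RE.findall(line))

def covered_by(host, domain):
    """Assumed 'Include subdomains' semantics: the domain itself or any host under it."""
    return host == domain or host.endswith("." + domain)

def summarize(log_text, exception_domain="home.nest.com"):
    """Count proxy parse failures and group CONNECT hosts that differ only in digits."""
    parse_errors = Counter()   # parser error code -> count
    patterns = {}              # host with digit runs masked -> real hosts seen
    for line in log_text.splitlines():
        f = parse_line(line)
        message = f.get("message", "")
        if "parse a http message" in message.lower():
            m = re.search(r"\((HPE_\w+)", message)
            parse_errors[m.group(1) if m else "other"] += 1
        elif f.get("method") == "CONNECT":
            # CONNECT entries log the tunnel target as "host/" (optionally host:port)
            host = f.get("url", "").split("/")[0].split(":")[0].lower()
            if host:
                patterns.setdefault(re.sub(r"\d+", "#", host), set()).add(host)
    report = {p: {"hosts": sorted(h),
                  "covered": all(covered_by(x, exception_domain) for x in h)}
              for p, h in patterns.items()}
    return parse_errors, report

if __name__ == "__main__":
    errors, report = summarize(SAMPLE_LOG)
    print(dict(errors))
    for pattern, info in report.items():
        print(pattern, info)
```

Run against a real log, any pattern reported with "covered": False is a tunnel target the exception would not reach.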
  • Thanks for the thoughts. I can’t do the designated IP addresses because the UTM is not the DHCP for the Nest devices. I have an Open Mesh CloudTrax wireless system and it allows for 4 SSIDs, which can either be part of the UTM DHCP or have their own.  It helps me keep under the 50 IP limit.

    I tried the other recommendations; they did not work.

    Another fact:  I turned off the web filter on the UTM at my house, the website worked at home, and I tried the website at my office, which also has a Sophos UTM with the web filter turned on. Same issue, same errors reported.  Also, just to let you know, the Nest app works fine internally and externally.   I have remote access to another computer behind a standard Netgear router and it works fine in Chrome with the source Sophos UTM webfilter turned on.   It does not seem to be interfering with sending from the devices, just receiving in the browser through the Sophos UTM webfiltering.