Sophos UTM and Nest Camera

Sorry no other suggestions. I been trying on and off for about a year to get it to work.  Something with the way webfiltering proxy changes the connection prevents it from working. I just use my app on my phone or iPad to check video feeds while on the utm network.

Neither the app on my phone or any web browsers can reach the live video feed from any devices on my network. If I'm on my phone and disconnect from WIFI, I get the live video feed no problem. I've been pouring through logs all day trying to find a solution, but I'm coming up short...

Really frustrating.

I never had an issue with the apps. I will check my nest settings and let you know.

I don’t have anything setup for the nest app. I have all my nest devices on a separate Wi-Fi that uses its own dhcp server separate from the Sophos utm. I then have that Wi-Fi lan setup up with full bypass of firewalls and webfiltering.  The app works with video and settings etc. the computer only works for settings and one initial still image .  That was all I could get to work. When I turn off the web filtering the video works on the pc.

I tried to get Sophos to help by sending the error I get, see earlier posts, but never got a response because I have the home free version.

Good luck

Don't give up so easily.   You cannot solve the problem because you do not have enough data.

Since web filtering throws unexplained errors, start by turning off web filtering.   Then find the allow-all rule at the bottom of your firewall rules and tell it to log everything.

Determine the current IP address of your PC and of your Nest.   Based on your reports, the PC address is probably most important.

Then connect to the Nest video center.   Everything should work normally.  Finish your session, and download the log file. You may need to do several iterations to get a good handle on the Nest behavior.

Don't be surprised if it connects to multiple locations on multiple ports.   Watch for connections based on IP address as well as connections based on a host name.

Report back with what you learned, and we can begin crafting a strategy for making the traffic flow through UTM successfully.

I have investigated this and have eliminated all other possibilities.  The PC behind the sophos utm with web filtering enabled generates these two errors when ever I tried to load a nest camera feed.

2018:12:15-20:44:21 adelman httpproxy[13986]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 517 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

I have investigated this and have eliminated all other possibilities.  The PC behind the sophos utm with web filtering enabled generates these two errors when ever I tried to load a nest camera feed.

2018:12:15-20:44:21 adelman httpproxy[13986]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 517 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

After attempting to troubleshoot this for a client we found that in developer mode in Chrome that the stream is attempting to open a websocket: wss://oculus1208-us1.dropcam.com:80/nexustalk.  I believe this is not currently supported by the squid proxy server service Sophos UTM web filtering uses.  It appears unlikely this will work until this is supported.  

That explains why it only works when the web url filter is disabled. I thought as much it was an incompatibility.

Thanks

I knew I had seen something about WebSockets support, so I search this forum.   It seems that 9.6 added support for WebSockets in WAF, but not yet in WebFilter.

Is there a way to allow a bypass for this in web filtering? I have tried a number of different exceptions and regex style matching but haven't had any success. The only thing that resolves this is reverting to standard mode.

Nope. It’s an incompatibility between the code nest uses and the web filter.  The apps work on phones and pads, but any filtered windows computers do not work with the video.  Settings and thermostats work fine, just not video.

So while the UTM originally was not able to resolve the DNS host oculus1208-us1.dropcam.com once it finally resolved with an IP address adding it to the skip transparent mode destination list resolved the issue.  This will likely change at some point and cause the video to go offline again, but it can be found using developer mode > networks in chrome to add the new URL.  Just look for the connection trying to go through a websocket(starts with WSS:).