HTTPS decryption exclusion for splashtop and logmein

I need to be able to exclude Splashtop and logmein from SSL Inspection for them to work. I tried ^[A-Za-z0-9.-]*\.splashtop\.com/ which lets me connect through the client, but I am not able to remote into any machines. I am assuming that is because the remote aspect must be using another URL that is not covered under this expression. Anyone have experience with this one?


UPDATE: I found these on the Splashtop site:

  • st2-relay.api.splashtop.com
  • st2.api.splashtop.com
  • *.relay.splashtop.com (including wildcard)


This is what I added to the Sophos exclusion list I created, and it still does not work:

  • ^[A-Za-z0-9.-]*\.relay\.splashtop\.com/
  • ^[A-Za-z0-9.-]*\.splashtop\.com/
  • st2.api.splashtop.com
  • st2-relay.api.splashtop.com

  • I am struggling with this EXACT problem!! Were you able to find a solution??

  • In reply to Justin Rutledge:

    So far no. I am still doing testing trying to come up with something. I have a Sophos Engineer looking into this on Wednesday with me. I will update this post once we figure it out.

  • In reply to Chris Wright:

    Any insight at all today on this, Chris? I am digging myself trying to find something, and it is getting quite frustrating, to be honest.

  • In reply to Justin Rutledge:

    Justin, so I reached out to Splashtop and Sophos on this issue. The problem is Splashtop is using Amazon AWS for their remote connections, and every connection is a different IP address. They are not using DNS, so there is no way to allow Splashtop in that method. They recommended that I allow all of AWS's IPs. That's nuts. The best Sophos could do for me is that we added the web category IPAddress, which means that anything that is not resolving DNS and is just an IP address does not get filtered. This is the same issue with LogMeIn: the connection will not work unless I allow IPAddress in web categories. This is an issue with the way they handle their connections. If we could get an actual DNS name for these connections, we could allow at the domain level.

  • In reply to Chris Wright:

    Chris,

    Thank you very much for getting back to me! That all makes sense, but man, what a pain. At first glance that seems like a bit of an unsafe hole to punch in the firewall, but I'll have to think about it some more. What a crazy thing that someone would not be using DNS...

  • In reply to Chris Wright:

    Could you expound on what settings you put in the web category to get splashtop through? Running into the same problem. Thank you.

  • Hi All,

    Besides the 2 sets of DNS servers needed for Splashtop (*.api.splashtop.com and *.relay.splashtop.com), Splashtop sets up end-to-end encryption. Therefore, there will be "non-SSL" packets through port 443. Please see this article for complete information:

    https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-

    If the check tool (www.splashtop.com/check) passes, then it is likely the non-SSL packets on port 443 are being blocked by inspection.

    Thanks,

    Victor (Splashtop)

  • In reply to Joshua Nakano:

    The only way Support and I were able to get this to work is to create another Web Protection Exception, check the box for Web site categories, then add IPAddress. Check HTTPS Decryption on the right side. I am not happy with this band-aid, since it exposes my network: as long as someone goes to a site by IP address, that would bypass the HTTPS Decryption.

  • In reply to Victor Chin:

    That URL you sent passes all the way for me. I am able to log in to the Splashtop app just fine. The problem is when you click on an endpoint to remote into: this creates a connection with their AWS servers that is done by IP address instead of DNS. The decrypt and scan won't work with this method. You have to exclude IPAddress under Web site categories to make this work. Splashtop support gave me a list of AWS IP addresses to exclude, and it was nuts. Even after adding all of them it still did not work. If someone in support has found something that we can do about this, please enlighten me. This is a Splashtop and LogMeIn issue, since they are not using DNS, so there is no way to whitelist all of the random servers your remote sessions connect to. I am having the same issue with LogMeIn.


    Server Name                 URL                                  Status
    API server 1                https://st2.api.splashtop.com        Success
    API server 2                st2-relay.api.splashtop.com          Success
    Relay server                34-203-198-176.relay.splashtop.com   Success
    Chrome connection server 1  wss://wbs.relay.splashtop.com        Success
    Chrome connection server 2  wss://wbs2.relay.splashtop.com       Success
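The following is an added example, not code from the original thread, from Sophos, or from Splashtop. It runs the two regex exclusions posted above against the hostnames from the check-tool table and against a bare-IP destination, which shows why the DNS-based exclusions pass the check tool but cannot cover a session that connects by IP address. It then shows the policy logic a practitioner would prefer over a blanket "IPAddress" category bypass: exempt IP-literal destinations only inside an explicit prefix allow-list, and keep decrypting everything else. Assumptions (all hypothetical): the firewall applies the regexes to the URL with the scheme removed (so "https://st2.api.splashtop.com" is tested as "st2.api.splashtop.com/"), the allow-list prefix `34.203.0.0/16` is a constructed placeholder rather than a real Splashtop or AWS range, and nothing here claims that a given Sophos release can express a destination-prefix exception, nor that such a list resolves the problem the thread reports.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The two regex exclusions posted in the thread, verbatim.
EXCLUSION_PATTERNS = [
    r"^[A-Za-z0-9.-]*\.relay\.splashtop\.com/",
    r"^[A-Za-z0-9.-]*\.splashtop\.com/",
]

# Destinations copied from the check-tool output in the last post.
CHECK_TOOL_TARGETS = [
    "https://st2.api.splashtop.com",
    "st2-relay.api.splashtop.com",
    "34-203-198-176.relay.splashtop.com",
    "wss://wbs.relay.splashtop.com",
    "wss://wbs2.relay.splashtop.com",
]

# Constructed placeholder for a destination-prefix allow-list. This is
# NOT a real Splashtop or AWS range; substitute whatever ranges the vendor
# actually publishes if you adopt this approach.
ALLOWED_PREFIXES = [ipaddress.ip_network("34.203.0.0/16")]


def normalise(url):
    """Return (hostname, scheme-less URL) for a destination string.

    Assumption (hypothetical): the firewall matches exclusion regexes
    against the URL without its scheme, so we rebuild "host/path" here.
    """
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    return host, f"{host}{path}"


def is_ip_literal(host):
    """True when the destination is an IPv4/IPv6 literal, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_exclusion(url, patterns=EXCLUSION_PATTERNS):
    """Does any regex exclusion cover this destination?"""
    _, target = normalise(url)
    return any(re.match(p, target) for p in patterns)


def decision(url, patterns=EXCLUSION_PATTERNS, prefixes=ALLOWED_PREFIXES):
    """Policy a practitioner would want instead of a blanket IP bypass.

    - DNS names covered by the regex exclusions skip decryption.
    - IP literals skip decryption only if they fall inside an explicit
      prefix allow-list; any other IP literal is still decrypted, which
      is exactly what the IPAddress category bypass fails to do.
    """
    host, _ = normalise(url)
    if matches_exclusion(url, patterns):
        return "bypass-dns-exclusion"
    if is_ip_literal(host):
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in prefixes):
            return "bypass-ip-allowlist"
        return "inspect"
    return "inspect"


def classify(urls):
    """Map each destination to its decision, for a quick audit table."""
    return {u: decision(u) for u in urls}


if __name__ == "__main__":
    # Every check-tool target is a DNS name, so all of them are excluded.
    for url, verdict in classify(CHECK_TOOL_TARGETS).items():
        print(f"{url:45} {verdict}")
    # A bare-IP relay session is not matched by any hostname regex.
    print(f"{'https://34.203.198.176:443/':45} {decision('https://34.203.198.176:443/')}")
    # An unrelated IP literal stays inspected, unlike with the category bypass.
    print(f"{'https://52.1.2.3/':45} {decision('https://52.1.2.3/')}")
```

The point of `decision()` is the difference between the two bypass outcomes: the category exception discussed in the thread treats every IP-literal destination the same way, whereas a prefix-scoped exception keeps an arbitrary "browse by IP" request under inspection. Whether that narrower shape is available in a given firewall, and whether the vendor's published ranges are complete enough for it to work, are questions the thread leaves open.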