
Sophos UTM and Nest Camera

So starting today I am getting no video through the web browsers on my wired network while webfilter is turned on.  The wireless app on phones and ipads works fine.  The website works and the nest thermostat works, but no video.  

Lots of these when I reload the website.....

2017:03:28-20:02:23 adelman httpproxy[20271]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 237 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

and some of these....

2017:03:28-20:02:47 adelman httpproxy[20271]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.200" dstip="54.163.122.137" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllow (Block Nudity)" size="705" request="0x2d3b5e00" url="czfe24-front01-iad01.transport.home.nest.com/" referer="" error="" authtime="0" dnstime="0" cattime="21" avscantime="0" fullreqtime="10020413" device="0" auth="0" ua="" exceptions=""

 

The only way I get it to work is to turn off web filtering or exempt the computer from it.

 

Any thoughts?



  • Sorry, no other suggestions. I've been trying on and off for about a year to get it to work.  Something with the way the web filtering proxy changes the connection prevents it from working. I just use my app on my phone or iPad to check video feeds while on the UTM network.

  • Neither the app on my phone nor any web browsers can reach the live video feed from any devices on my network. If I'm on my phone and disconnect from WIFI, I get the live video feed no problem. I've been poring through logs all day trying to find a solution, but I'm coming up short...

    Really frustrating.

  • I never had an issue with the apps. I will check my nest settings and let you know.

  • I don’t have anything set up for the Nest app. I have all my Nest devices on a separate Wi-Fi that uses its own DHCP server separate from the Sophos UTM. I then have that Wi-Fi LAN set up with full bypass of firewalls and web filtering.  The app works with video and settings etc. The computer only works for settings and one initial still image.  That was all I could get to work. When I turn off the web filtering the video works on the PC.

    I tried to get Sophos to help by sending the error I get, see earlier posts, but never got a response because I have the home free version.

    Good luck

  • Don't give up so easily.   You cannot solve the problem because you do not have enough data.

    Since web filtering throws unexplained errors, start by turning off web filtering.   Then find the allow-all rule at the bottom of your firewall rules and tell it to log everything.

    Determine the current IP address of your PC and of your Nest.   Based on your reports, the PC address is probably most important.

    Then connect to the Nest video center.   Everything should work normally.  Finish your session, and download the log file. You may need to do several iterations to get a good handle on the Nest behavior.

    Don't be surprised if it connects to multiple locations on multiple ports.   Watch for connections based on IP address as well as connections based on a host name.

    Report back with what you learned, and we can begin crafting a strategy for making the traffic flow through UTM successfully.

  • I have investigated this and have eliminated all other possibilities.  The PC behind the Sophos UTM with web filtering enabled generates these two errors whenever I tried to load a Nest camera feed.

    2018:12:15-20:44:21 adelman httpproxy[13986]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 517 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

    2018:12:15-20:44:21 adelman httpproxy[13986]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x972ac00" function="read_request_headers" file="request.c" line="1590" message="unable to parse a http message on handler 113 (Resource temporarily unavailable)"
     
    The connection to the Nest cameras is not directly to the cameras but to the Nest servers.  I have an iPad and iPhone and the Nest app works fine with the web filtering enabled.  The connection between the cameras and the Nest server is functioning fine, no blocks or errors.
     
    It started about two years ago when Nest updated their software.  Internet Explorer 11 (Windows 7 version) worked for about 6 months, then it too started to generate this error.  The only way for the Nest feed to work on a PC behind the Sophos UTM is to disable the web filtering.  It has something to do with the way Nest sends the data and then the proxy in transparent mode or full transparent modifies the headers, I think.  The actual connection is seen in the web filter log as (see below) and it is logged as being allowed through, so no exception or website reclassification will change the action because the connection is already allowed through.
     
    2018:12:15-07:53:37 adelman httpproxy[5608]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.20.30.33" dstip="35.201.70.64" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo4 (Internal Network)" filteraction="REF_HttCffAllow (Default Level Filter)" size="6285" request="0x33c98400" url="webapi.camera.home.nest.com/" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="191507563" device="0" auth="0" ua="" exceptions="" overridecategory="1" overridereputation="1" category="178" reputation="trusted" categoryname="Internet Services"
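
The log lines quoted in this thread can be triaged with a short script. This is an added example, not part of the original posts and not Sophos code: it parses the `key="value"` httpproxy format shown above, counts CONNECT tunnels per client and destination, and lists which tunnels were logged close in time to an `HPE_INVALID_METHOD` parser error. The 60-second window, the function names and the last two sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first two lines are shortened copies of log lines
# quoted in this thread; the last two are made up for the demonstration.
SAMPLE = """\
2018:12:15-20:44:21 adelman httpproxy[13986]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" message="Unable to parse a http message of 517 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
2018:12:15-07:53:37 adelman httpproxy[5608]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.20.30.33" dstip="35.201.70.64" statuscode="200" url="webapi.camera.home.nest.com/"
2018:12:15-20:44:40 adelman httpproxy[13986]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.20.30.33" dstip="35.201.70.64" statuscode="200" url="webapi.camera.home.nest.com/"
2018:12:15-20:44:25 adelman httpproxy[13986]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.20.30.33" dstip="192.0.2.10" statuscode="200" url="http://example.com/"
"""

HEAD = re.compile(r"^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) (\S+) httpproxy\[(\d+)\]: (.*)$")
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Return the key="value" fields of one httpproxy line plus 'ts', or None."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    fields = dict(PAIR.findall(m.group(4)))
    fields["ts"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return fields

def analyze(text, window=60):
    """Summarise CONNECT tunnels and tie parser errors to them by time.

    The HPE_INVALID_METHOD lines carry no srcip or url, so the only link to a
    destination is the timestamp: any CONNECT logged within `window` seconds
    (an assumed value) of a parser error is reported as a candidate.
    """
    entries = [e for e in map(parse, text.splitlines()) if e]
    errors = [e for e in entries if "HPE_INVALID_METHOD" in e.get("message", "")]
    connects = [e for e in entries if e.get("method") == "CONNECT"]
    tunnels, candidates = Counter(), Counter()
    for c in connects:
        host = c.get("url", "").rstrip("/")
        tunnels[(c.get("srcip"), host, c.get("dstip"))] += 1
        if any(abs((c["ts"] - e["ts"]).total_seconds()) <= window for e in errors):
            candidates[host] += 1
    return tunnels, len(errors), candidates

if __name__ == "__main__":
    tunnels, n_errors, candidates = analyze(SAMPLE)
    print(n_errors, "parser error(s)")
    for key, n in tunnels.items():
        print(n, *key)
    print("near a parser error:", dict(candidates))
```
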
     
     

     

  • After attempting to troubleshoot this for a client we found that in developer mode in Chrome that the stream is attempting to open a websocket: wss://oculus1208-us1.dropcam.com:80/nexustalk.  I believe this is not currently supported by the squid proxy server service Sophos UTM web filtering uses.  It appears unlikely this will work until this is supported.  

  • That explains why it only works when the web url filter is disabled. I thought as much it was an incompatibility.

    Thanks

  • I knew I had seen something about WebSockets support, so I searched this forum.   It seems that 9.6 added support for WebSockets in WAF, but not yet in WebFilter.

  • Is there a way to allow a bypass for this in web filtering? I have tried a number of different exceptions and regex style matching but haven't had any success. The only thing that resolves this is reverting to standard mode.

  • Nope. It’s an incompatibility between the code Nest uses and the web filter.  The apps work on phones and pads, but any filtered Windows computers do not work with the video.  Settings and thermostats work fine, just not video.

  • So while the UTM originally was not able to resolve the DNS host oculus1208-us1.dropcam.com, once it finally resolved with an IP address, adding it to the skip transparent mode destination list resolved the issue.  This will likely change at some point and cause the video to go offline again, but it can be found using developer mode > networks in Chrome to add the new URL.  Just look for the connection trying to go through a websocket (starts with WSS:).