Sophos UTM and Nest Camera

Question

So starting today I am getting no video through the web browsers on my wired network while webfilter is turned on. The wireless app on phones and ipads works fine. The website works and the nest thermostat works, but no video. 
 Lots of these when I reload the website..... 
 2017:03:28-20:02:23 adelman httpproxy[20271]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 237 bytes (HPE_INVALID_METHOD: invalid HTTP method)" 
 and some of these.... 
 2017:03:28-20:02:47 adelman httpproxy[20271]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.200" dstip="54.163.122.137" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllow (Block Nudity)" size="705" request="0x2d3b5e00" url=" czfe24-front01-iad01.transport.home.nest.com/" referer="" error="" authtime="0" dnstime="0" cattime="21" avscantime="0" fullreqtime="10020413" device="0" auth="0" ua="" exceptions="" 
 
 The only way I get it to work is to turn off or exempt the computer from webfiltering 
 
 any thoughts?

Ian Bodine · Accepted Answer

After attempting to troubleshoot this for a client we found that in developer mode in Chrome that the stream is attempting to open a websocket: wss://oculus1208-us1.dropcam.com:80/nexustalk. I believe this is not currently supported by the squid proxy server service Sophos UTM web filtering uses. It appears unlikely this will work until this is supported.

Ian Bodine · Answer

So while the UTM originally was not able to resolve the DNS host oculus1208-us1.dropcam.com once it finally resolved with an IP address adding it to the skip transparent mode destination list resolved the issue. This will likely change at some point and cause the video to go offline again, but it can be found using developer mode > networks in chrome to add the new URL. Just look for the connection trying to go through a websocket(starts with WSS:).

DouglasFoster · Answer

The error message indicates that it is not a normal http-compliant message. NEST is apparently implementing a custom protocol. 
 One research item will be to determine if the problem is on the PC-to-Cloud or Device-to-Cloud connection. Try connecting from a laptop outside of your house to see if you get video or not. 
 If the problem is with the NEST device connection, you could give them static IPs and whitelist based on the source. 
 Assuming that the problem is on the PC-to-Cloud connection, you probably have to do a whitelist based on the destination. Try this: 
 
 Re-enable web filtering and remove the exception that you created previously. 
 Create a website exception for home.nest.com with the box checked for "Include subdomains". Assign it the tag "Nest Bypass" 
 Create an exception object and check the boxes to disable all features, for websites with "Tag = Nest Bypass" 
 Test. 
 Assuming it works (I think it will), you can try turning filter options back on to see whether things still work or start breaking. The fewer enabled exceptions the better.