This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CNN Live | Octoshape | Without LAN -> ANY= Allow

Hi

- I do Not have LAN -> ANY = Allow rule.
- This is because I want to force traffic over HTTP Proxy.
- One problem I face is I can never get those CNN Live to work. I can get the CNN Video to work but not the Live.
- CNN Live is free sometime during crisis such as the current Tsunami issues.
- I do not mind to "by pass" *.cnn.com from the HTTP Proxy to get this to work as I do understand there are times it is not compatible.
- Problem is even if bypass *.cnn.com from the HTTP Proxy, it does not work too.
- It uses this Octoshape etc which seems to be P2P.
- I disabled IPS, P2P/IM all those settings and still does not work.
- The only way I can get this to work is via a LAN -> ANY = Allow but that is a very bad configuration as it does not control what goes out.
- Any idea ?

This thread was automatically locked due to age.

0 BarryG over 16 years ago

Hi, you can look at the http proxy log, ips log, and packetfilter log, to see where it's getting blocked, and proceed from there.

Barry
Cancel
Vote Up 0 Vote Down
- 0 Alvin over 16 years ago in reply to BarryG
  
  Hi BarryG
  
  1) I am sure it is the Packet Filter because I see tons of drop but this Octoshape is P2P thus it is impossible to configure the rules to match those IP.
  
  2) I confirmed the above by doing a LAN -> ANY = ALLOW and it all works nicely with all the IPS, P2P (Block all), IM (Block file transfer, only allow MSN, Log Skype, Deny rest)
  
  3) But if I do a LAN -> ANY = Allow just to use Octoshape, it does solve this problem but the Firewall is not as well configured as ideally we want the Firewall to control what goes out and when we have a LAN -> ANY Allow, on top of not able to ensure / enforce traffic goes via Proxy, it also makes it hard to detect unauthorized activities.
  
  4) Actually do you guys lock down your Firewall without LAN -> ANY = Allow.
  If yes, I just need to confirm I am not the only guy having this Octoshape Issue.
  
  5) Right now I am not sure it is my configuration or really Octoshape simpyl cannot work via the HTTP Proxy without a LAN -> ANY ALLOW rule.
  Cancel
  Vote Up 0 Vote Down
0 BarryG over 16 years ago

Maybe an exclusion in the proxy for cnn.com would help, and an LAN->ANY HTTP Allow would work?

CNN and Octoshape seem to not only refuse to document their protocol; their EULA forbids using your firewall logs to document their protocol. As if.

Barry
Cancel
Vote Up 0 Vote Down
0 William Warren over 16 years ago

octoshpae is a p2p technology. Octoshape - Wikipedia, the free encyclopedia

I would try using the non octoshpe feed. octoshape is going to try to go around any blocking it finds and is NOT scannable or passable by the http proxy. If you want to use octoshpae you'll have to setup your astaro in the same way you would if you wanted to properly use bitorrent.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
- 0 Alvin over 16 years ago in reply to William Warren
  
  William,
  
  Thank You for reply,
  
  - Yes I do know Octoshape is P2P.
  - CNN Live ( Not the Video) does not have other option other than Octoshape.
  - IE: If you choose No, it simply stops there. There is no such option such as Use Octoshape is Better but if somehow it does not work, here is the traditional feed.
  - I just need to confirm others are facing this issue too assuming they do not have a LAN -> ANY = Allow and also to check when deploying Astaro to Companies who would want to ensure they do not have a LAN -> ANY= Allow, how to still allow such streaming contents.
0 William Warren over 16 years ago

I jsut went to cnn live.  It asked me if i wished to install octoshape..i said no..streams went fine.  I only have http proxy on in transparent mode on with the basic masq rule for this test.  Octoshape is being blocked because it can't be automatically proxied.  As per their FAQ:

Where does the Octoshape plugin obtain its proxy settings from?
The  plugin uses the proxy settings of Internet Explorer. On versions of  Windows prior to Windows 2000 service pack 3
and Windows XP service  pack 1, the plugin is not able to detect proxy settings automatically,  even
if Internet Explorer is configured to use a proxy.

so you would have to run the proxy in manual mode and point ie/FF at the proxy then octoshape would try to use the proxy.  Other than this the only way is to setup for BT which is a pain for more than a couple of machines.  My advice?  Try the proxy option set ie to point to the astaro proxy via GP..if it doesn't work switch your proxy back and just don't support octoshape.  I have disabled via GP my users abilities to install anything which effectively blocks this from being a problem.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
- 0 Alvin over 16 years ago in reply to William Warren
  
  William,
  
  - Appreciate the detail reply.
  - Really glad you got it to work, at least this way I know it is something I need to tune in my configuration.
  - You do Not have a LAN -> ANY = Allow right?
  
  1) Just to be sure, I connected my Laptop to another broadband connection with a normal 3COM Router.
  1.1) Yes on CNN Live, if I click NO, it does stream the normal method after a while of connecting .....but at least the display is the more positive bright which you can see is different below.
  1.2) This also help to confirm it is not Kaspersky Internet Security or any other issues on the Laptop itself.
  
  2) I connected back to Astaro
  2.1) I am currently using Transparent mode.
  2.2) When I say No to Octoshape, yes the window (darken) would show connecting but evenually cannot connect to server.
  2.3) I tested Both Firefox and IE ( All Latest version) just to confirm it is not browser issue.
  2.4) On IE: I set the proxy to Astaro Port 8080 and confirmed web surfing is fine. But I still cannot get the Live to work.
  
  3) You mentioned that yours work in Transparent Mode, then why at the bottom suggested that set Proxy to Manual (I assume the manual is on Astaro) and then point IE to Astaro.
  
  4) I changed HTTP/S Proxy to STANDARD Model.
      I set my Firefox and IE Proxy to point to Astaro IP Port 8080 for all protocols.
      Web Surfing is fine.
      HTTPS Website is fine ( I also check the lock to see my Astaro is in place)
      Tested the CNN Live, said No to Octoshape and same problem, page remains "dark" with the spinning circle at the end connecting..and eventually it does not connect.
      I also confirmed on my HTTP Proxy I Enabled Bypass content scanning for streaming content.
  
  Thus it seems on top of Octoshape, the normal CNN Live I also have issues.
  
  But if I choose CNN Video, they are fine.
  CNBC Streaming is fine too.
0 William Warren over 16 years ago

it works in transparent mode if you DO NOT use octoshape.  If you decide to support octoshape then you have to follow the faq quote i posted.  When i tested your issue i did NOT have a general allow rule active.  Only the base dns packet filter rule, base masq and proxy in transparent mode.  The video may not quite as nice but it was not so far below that having to wholesale redo my astaro to support an invasive, proprietary protocol isn't worth it.

THe reason why it would work under a 3com router is because for outgoing it has a default allow all outgoing traffic by default.  Astaro is deny all by default.

I'll retest with transparent proxy..maybe i just "got lucky" but if cnn won't work through transparent try setting it as a full whitelist exception in the proxy area.  However since it's only cnn that seems to be the problem i would be highly disinclined to lower the base security level of my businesses security for one website.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
0 William Warren over 16 years ago

Ok cnn runs their flash app on a different port than port 80 even if you don't use octoshape. cnn live video will not work without looking at the logs and figuring their ports. I just started the live video at twitlive.tv and it works fine. it's something specific to cnn.com and how they have their app configured. I do run an any allowed outgoing rule here for convenience case but when i am trying to help a fellow user i turn those rules off..astaro does make it easy to test various configurations..[:)]

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
- 0 Alvin over 16 years ago in reply to William Warren
  
  Hi William,
  
  - Sorry if I caused any frustration with my clarification.
  - Yes I do have problems understanding some sentences as in after I read the whole sentence I get confused what it means. It is due to my poor english.
  
  Thus just to clarify.
  
  1) If I choose to use Octoshape, I must use Standard Proxy on Astaro and configure all the Browsers in IE and Firewall to point to Astaro:8080 and this way Octoshape would use Astaro:8080.
  
  2) if I choose Not to use Octoshape, the Normal CNN Live Adobe Flash Application would Not work in Transparent mode either as confirmed by you and this is due to them not using the standard port 80.
  To solve this problems means to look at the Packet Filter Logs to determine where it connects to and the port.
  
  3) I did try to whitelist domains ( I checked everything in the exception) such as *.cnn.com *.turner.com and *.hwcnet.com (This is what I see on HTTP Proxy Logs when I try to use the Live and it does not work.
  
  Thank You William.
  Cancel
  Vote Up 0 Vote Down
0 William Warren over 16 years ago

to reply to your list:

1. you are correct

2. again correct

3. This isn't a domain issue but a non-standard port use issue. You need to look at hte packet filter logs to see what ips are associated with the cnn flash player and then see what port(s) they are using.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down
- 0 Alvin over 16 years ago in reply to William Warren
  
  Just a update after weeks of try and error.
  
  1) If I choose to use Octoshape, I must use Standard Proxy on Astaro and configure all the Browsers in IE and Firewall to point to Astaro:8080 and this way Octoshape would use Astaro:8080.
  
  Somehow I did not managed to get Octoshape to work with Standard Proxy and manually specified across all my applications.
  
  Personally Standard Proxy is a pain for laptops when it is out of my home thus I am back to Transparent. [H]
  
  2) if I choose Not to use Octoshape, the Normal CNN Live Adobe Flash Application would Not work in Transparent mode either as confirmed by you and this is due to them not using the standard port 80.
  To solve this problems means to look at the Packet Filter Logs to determine where it connects to and the port.
  
  This P2P seriously generates a hell lot of logs and as of now, beyond my capability to know how to fix [:@]
  
  For Astaro, may want to look into this and configure the necessary settings in Astaro just like what you did for windowsupdate, adobe updates etc.
  
  Reason I think is CNN is simply a website which most people would want to use and if we deploy this in a corporate enviroment and that breaks people access to CNN etc, regardless of the reasons, to them it is just painful and the usual " before you replace the firewall it was fine" would apply .
  
  I do understand there is a balance between security and usability.
  The painful part this time is the exeptions etc is also not working.
  
  Yeah I know it is all on CNN side, so many domains involved, Tuner.etc