This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Arlo Netgear Cameras

I use Sophos UTM 9  and alongside this I use Arlo Netgear cameras.

Netgear say they only need port 80 and 443 open, and all is fine when Web Filtering Standard Option is turned on.  As soon as you switch this to Transparent mode, the playback of Live Streaming (which used Flowplayer and Amazon services) stops working.   You can use all other functions, just live playback fails with the onscreen error message that the cameras have gone offline.

I have tried setting up an exception as follows

^https?://[A-Za-z0-9.-]+\.arlo.netgear\.com
^https?://[A-Za-z0-9.-]+\.arlos3-prod-z1.s3.amazonaws\.com
^https?://[A-Za-z0-9.-]+\.www.w3.org
^https?://[A-Za-z0-9.-]+\.angularjs.org
^https?://[A-Za-z0-9.-]+\.www.google-analytics.com

and also put arlo.netgear\.com and subdomains as a trusted site but nothing seems to work. 

The weblog only shows the following

2016:01:05-22:29:27 utm httpproxy[5262]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.22" dstip="54.231.130.233" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="203096" request="0xdf99a800" url="arlos3-prod-z1.s3.amazonaws.com/" referer="" error="" authtime="0" dnstime="19444" cattime="0" avscantime="0" fullreqtime="13845978" device="0" auth="0" ua="" exceptions="content,url" application="amazonws" app-id="800"

Any help appreciated



This thread was automatically locked due to age.
Parents Reply Children
  • just re-resd this post.

    In the intervening tume, I learned that "input-output error" is a very poor way of saying that UTM could not negotiate an acceptsble ciphersuite.   It should only occur when HTTPS inspection is enabled, because that is the only time that UTM is negootuating the ciphersuite.  I started seeinv it afterUTM dropped support for TLS 1.0, in response to threat research announcements.   Workarounds are to bypass https inspection for that source address or change profile to yranspsrent mode.

    Late correction:. It is https inspection that triggers negotistion, not proxy mode.

  • Assuming that the base station is trusted, create your exceptions based on source address, rather than destinstion address.   This will limit your risk by changing nothing for other source devices.