
WebEx Bypass HTTPS Scanning on a Sophos UTM

Hi, I'm running Sophos UTM 9 with decrypt and scan HTTPS traffic enabled.

WebEx works fine when I turn off SSL Scanning for a machine, but I'm having trouble finding all the URLs that WebEx uses so that I can exclude them from the SSL Scanning.

Below are all the URLs that I have found within the Web Filtering logs.

^.*\.webex\.com
^.*\.webexconnect\.com
^.*\.ciscowebex\.com
https://62.109.231.15/ 
https://webex.tt.omtrdc.net/

I have created a rule to exclude these URLs from the SSL Scanning, but WebEx still doesn't work. I can't see any more URLs in the logs, or anything being blocked in the Firewall, Application Control or Intrusion Prevention System logs.

Have I missed something here? Has anyone else got WebEx working through a Sophos UTM with HTTPS Decrypt and Scan enabled?

Any help is appreciated.

  • I have found a solution after using a packet sniffer on the WebEx application.

    I was able to obtain all the subnets that WebEx is using and exclude them from the SSL Scanning using the following expressions.

    https:\/\/62\.109\.204\.[0-9]{1,3}
    https:\/\/62\.109\.224\.[0-9]{1,3}
    https:\/\/62\.109\.230\.[0-9]{1,3}
    https:\/\/62\.109\.231\.[0-9]{1,3}
    https:\/\/62\.109\.232\.[0-9]{1,3}
    https:\/\/62\.109\.234\.[0-9]{1,3}

  • Thank you for the clue about the cert problem and having to bypass the SSL proxy.

    After implementing the above WebEx subnets, it still did not work for me. I noticed in the FW log that my WebEx connection was using different IP address ranges.

    (1) I found the following document at http://kb.webex.com/WBX264

    <begin>

    Solution:

    WebEx recommends that you allow any of the following domains access through your Firewall, Web Proxy, or any other filtering device. In addition, content should not be cached at any time.

    • *.webex.com
    • *.ciscowebex.com
    • *.webexconnect.com
    • *.wbx2.com
    • *.ciscospark.com


    We also ask that you allow the following third-party domains:

    • *.localytics.com
    • *.rackcdn.com
    • *.clouddrive.com
    • *.crashlytics.com
    • *js-agent.newrelic.com
    • *bam.nr-data.net


    We also require certificate validation through a certificate revocation list.  This Certificate Revocation List is hosted by Quovadis and will require the following domain to be reachable:

    • *.quovadisglobal.com


    If your firewall or web filtering system does not allow wildcard filtering, you can open your firewall by IP address; however, this is not recommended. Due to the expanding nature of the Cisco WebEx business, we maintain the right to add IP addresses at any time without notice.

    All WebEx hosted services are advertised under AS13445.  All traffic from that AS should be allowed.  Services hosted by other service providers are not included here.  This includes TSP partner systems or our content delivery partners.  If you are connecting to partner-hosted systems such as a Partner VoIP system, please contact the partner for the appropriate IP addresses and ports.

    List of IP addresses by region:

    AMER

    • 64.68.96.0/19 (CIDR) or 64.68.96.0 - 64.68.127.255 (net range)
    • 66.114.160.0/20 (CIDR) or 66.114.160.0 - 66.114.175.255 (net range)
    • 66.163.32.0/19 (CIDR) or 66.163.32.0 - 66.163.63.255 (net range)
    • 173.39.224.0/19 (CIDR) or 173.39.224.0 - 173.39.255.255 (net range)
    • 173.243.0.0/20 (CIDR) or 173.243.0.0 - 173.243.15.255 (net range)
    • 207.182.160.0/19 (CIDR) or 207.182.160.0 - 207.182.191.255 (net range)
    • 209.197.192.0/19 (CIDR) or 209.197.192.0 - 209.197.223.255 (net range)
    • 216.151.128.0/19 (CIDR) or 216.151.128.0 - 216.151.159.255 (net range)

    APAC

    • 114.29.192.0/19 (CIDR) or 114.29.192.0 - 114.29.223.255 (net range)
    • 210.4.192.0/20 (CIDR) or 210.4.192.0 - 210.4.207.255 (net range)
    • 69.26.176.0/20 (CIDR) or 69.26.176.0 - 69.26.191.255 (net range)

    EMEA

    • 62.109.192.0/18 (CIDR) or 62.109.192.0 - 62.109.255.255 (net range)
    • 69.26.160.0/20 (CIDR) or 69.26.160.0 - 69.26.175.255 (net range)

    WebEx does not support or recommend filtering IP addresses for a particular region. Filtering by region can cause serious degradation to the in-meeting experience, up to and including the inability to join meetings entirely.

    <end>

    (2) You can test the WebEx client connection by browsing to webex.com/test-meeting.html

    I used this link to generate the IP range regular expressions: http://www.analyticsmarket.com/freetools/ipregex

    My first successful WebEx test connection was using these IP address range exceptions.

    (3) I cloned the above exception and changed the IP address ranges to use the WebEx domains, as in the WebEx document.

    I was able to set up a successful WebEx test connection. Now I'm working on doing a real WebEx test meeting.

    Bob G.
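As an added example (not code from the thread, Sophos or Cisco), the Python below checks the two approaches in this thread against each other: it measures how much of the KB's EMEA range the six per-/24 expressions from the first reply actually cover, and it builds an anchored exception regex for a whole CIDR block, which is what the ipregex tool linked above produces by hand. The names REPLY_PATTERNS, KB_EMEA and the helper functions are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# The six per-/24 URL expressions posted in the first reply, copied verbatim.
REPLY_PATTERNS = [
    r"https:\/\/62\.109\.204\.[0-9]{1,3}",
    r"https:\/\/62\.109\.224\.[0-9]{1,3}",
    r"https:\/\/62\.109\.230\.[0-9]{1,3}",
    r"https:\/\/62\.109\.231\.[0-9]{1,3}",
    r"https:\/\/62\.109\.232\.[0-9]{1,3}",
    r"https:\/\/62\.109\.234\.[0-9]{1,3}",
]
# The EMEA range quoted from the WebEx KB article; other regions work the same way.
KB_EMEA = ipaddress.ip_network("62.109.192.0/18")
FULL_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"  # exactly 0-255

def cidr_to_url_regex(cidr):
    """One anchored https:// pattern matching exactly the IPv4 addresses in cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    parts = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        if lo == hi:                      # octet fixed by the prefix
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):        # octet fully variable
            parts.append(FULL_OCTET)
        else:                             # octet partially covered by the prefix
            parts.append("(?:" + "|".join(str(v) for v in range(lo, hi + 1)) + ")")
    # Host must end right after the last octet (port, path or end of URL); without
    # this boundary a name like 62.109.204.1.example.test would also skip scanning.
    return r"^https://" + r"\.".join(parts) + r"(?=[:/]|$)"

def url_in_cidr(url, cidr):
    return re.match(cidr_to_url_regex(cidr), url) is not None

def matched_by_reply(url):
    """True if any of the reply's six unanchored expressions matches the URL."""
    return any(re.match(p, url) for p in REPLY_PATTERNS)

def reply_coverage(network):
    """Fraction of the addresses in network that the reply's expressions bypass."""
    hits = sum(matched_by_reply(f"https://{ip}/") for ip in network)
    return hits / network.num_addresses

def host_in_kb_range(url, network=KB_EMEA):
    """True if the URL's host is an IP literal inside the KB-published range."""
    try:
        return ipaddress.ip_address(urlsplit(url).hostname) in network
    except ValueError:                    # a DNS name, not an IP literal
        return False
```

reply_coverage(KB_EMEA) comes out at 1536/16384, so the six /24 expressions bypass under a tenth of 62.109.192.0/18, which is consistent with the later post seeing connections to other ranges in that block.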