This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Goto Meeting/ Goto Training

Starting to lose my mind with this one.

Added everything from here http://support.citrixonline.com/en_us/meeting/all_files/G2M060010 to Web Protection/Filter Options/Websites as Trusted and into the Category as Web Meetings.

Created an Exception to allow access from selected AD group to Web Meetings Category

 

Try to load Goto Meeting and Training and get this.

2016-11-10 13:20:11.002 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 mcast::MCSNeighbor[1]::} _connect: connecting to the remote host [216.115.223.79, 68.64.13.78, 68.64.5.123(mcs37-1-isp1.atl.expertcity.com, mcs37-1-isp3.atl.expertcity.com, mcs37-1-isp2.atl.expertcity.com):80, 8200, 443]
2016-11-10 13:20:11.003 PST d: [g2mcomm] <mcast-agent> comm::jinet::JJediSocketProviderCreator::createSocketProvider(): validated server [mcs37-1-isp1.atl.expertcity.com(216.115.223.79<initial>), mcs37-1-isp3.atl.expertcity.com(68.64.13.78<initial>), mcs37-1-isp2.atl.expertcity.com(68.64.5.123<initial>)]
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(1)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp1.atl.expertcity.com"
2016-11-10 13:20:11.003 PST i: [g2mcomm] <mcast-agent> comm::jinet::JSpecProviderBroker::getJediProvider(): Matched the singleton connection spec provider
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(3)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp3.atl.expertcity.com"
2016-11-10 13:20:11.003 PST d: [g2mcomm] <mcast-agent> JEDI connect: Start connect to mcs37-1-isp1.atl.expertcity.com(216.115.223.79<initial>) (index=0)
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(2)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp2.atl.expertcity.com"
2016-11-10 13:20:11.004 PST i: [g2mcomm] <mcast-agent> JEDI connect: Creating SSL socket for SSL
2016-11-10 13:20:11.005 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 MCastPeerController::} connect: successfully initiated connect to peer 3
2016-11-10 13:20:11.005 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 EPSessionHelper::} _join: initiated join to server 1
2016-11-10 13:20:11.032 PST i: [g2mcomm] <mcast-agent> JEDI connect: Connected to address[0] mcs37-1-isp1.atl.expertcity.com(216.115.223.79<resolved>):443
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> (9000) "ECSecurityError::eBadCertificate"
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....
2016-11-10 13:20:11.246 PST s: [g2mcomm] <mcast-agent> EmbCert-OSCert 0 1
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandle::} handshake: failed to complete client handshake [(2014) "ECError::eEnd": ## SLS , cconn.cpp:239]
2016-11-10 13:20:11.306 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 mcast::MCSNeighbor[1]::} _disconnect: disconnecting from the remote host, current connectivity=unconnected and status=disconnected
2016-11-10 13:20:11.306 PST i: [g2mcomm] <mcast-agent> {DeviceStack[so(2)t]::} close: closing device stack [(2010) "ECError::eIOError"]
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandler::} push: error processing handshake [(2014) "ECError::eEnd"]

 

Now if I remove the Goto Meeting Category from my Exception, which pretty much gives that AD group full access to the internet, Goto Meeting and Training open instantly. With the cert errors above, is there another category I need to add?
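
The sequence in the log above (TCP connect on port 443, then eBadCertificate, then a failed client handshake) can be pulled out mechanically to list which endpoints fail certificate verification. This is an added example, not part of the original post or of any GoToMeeting or Sophos tooling; the function name `tls_failures` and the sample log (four lines taken from the quoted log) are constructed for illustration.

```python
import re

# Constructed sample: four lines taken from the g2mcomm log quoted above.
SAMPLE_LOG = """\
2016-11-10 13:20:11.032 PST i: [g2mcomm] <mcast-agent> JEDI connect: Connected to address[0] mcs37-1-isp1.atl.expertcity.com(216.115.223.79<resolved>):443
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> (9000) "ECSecurityError::eBadCertificate"
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandle::} handshake: failed to complete client handshake [(2014) "ECError::eEnd": ## SLS , cconn.cpp:239]
"""

# timestamp, timezone, level, [module], <thread>, message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \w+ (\w): \[(\w+)\] <([^>]+)> (.*)$")
CONNECTED = re.compile(r"Connected to address\[\d+\] ([\w.-]+)\(([\d.]+)<\w+>\):(\d+)")
ERROR_CODE = re.compile(r'"(EC\w+::\w+)"')

def tls_failures(log_text):
    """Return one record per connection that connected, then failed TLS."""
    last_conn = {}   # thread name -> most recent successful TCP connect
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, _module, thread, msg = m.groups()
        c = CONNECTED.search(msg)
        if c:
            last_conn[thread] = {"host": c.group(1), "ip": c.group(2),
                                 "port": int(c.group(3)), "connected_at": ts,
                                 "errors": []}
            continue
        conn = last_conn.get(thread)
        if conn is None:
            continue  # error lines before any connect are not attributed
        conn["errors"] += ERROR_CODE.findall(msg)
        if "failed to complete client handshake" in msg:
            conn["failed_at"] = ts
            failures.append(last_conn.pop(thread))
    return failures

if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f"{f['host']} ({f['ip']}:{f['port']}) -> {', '.join(f['errors'])}")
```

Run against the full client log, this gives the host, IP and port of each connection that reached the server but was rejected at certificate verification, which can then be compared with the entries in the exception or skip list.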



  • I don't see any blocks happening in the Web Filtering logs.

  • Hi Jay,

    Add the URLs in Web protection> Filtering option> Misc> Skip transparent mode (destination). Uncheck the "Allow HTTP/S traffic for listed hosts/nets"

    Hope that helps:)

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • But this doesn't answer my question.

     

    If I make an exception and skip all checks for 1 AD group it works. As soon as I say coming from this AD and going to these categories then it stops working.

    Now I put all the IPs/URLs into 1 Category but still doesn't work. Is there a category that deals with SSL Certs and websites I should allow since it is cert errors?

  • Anyone else been able to get Goto Meeting working without bypassing or completely turning off filtering, which kinda defeats the purpose of it?

  • I don't understand why the mcast-agent would be involved in this.  Do you have Multicast Routing configured?

    As for trusting a direct connection with GoToMeeting by skipping the Proxy for it, I would think the risk would be minimal.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It's odd Goto Meeting works. Goto Training doesn't want to connect but it's the same software.  I tried the Citrix support and they pointed me back to Sophos.

     

     

    So on the Bypass field I would enter all the IPs and URLs. Do I leave the checkbox at the bottom checked or unchecked?

  • sachingurung said:

    Hi Jay,

    Add the URLs in Web protection> Filtering option> Misc> Skip transparent mode (destination). Uncheck the "Allow HTTP/S traffic for listed hosts/nets"

    Hope that helps:)

     

     

    I did this and all the Goto Meeting URLs stopped working.

  • BAlfson said:

    I don't understand why the mcast-agent would be involved in this.  Do you have Multicast Routing configured?

    As for trusting a direct connection with GoToMeeting by skipping the Proxy for it, I would think the risk would be minimal.

    Cheers - Bob

     

     

    Hi Bob,

     

    I put all the URLs in the skiplist and left the checkbox on and couldn't get to any of the websites then.

  • Hi JayMan,

    Show us a picture of your configuration to allow GoTo application. Next, take SSH to UTM and log in as root. Check http.log and afc.log; do you see anything dropping here?

    You can also refer to #1 in the Rulz by Bob here. Provide us the logs; look into the logs, and if you catch any GoTo URL being blocked via UTM, add it to the allowed list.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Ok, so here are my websites and exceptions. In websites I put in all the URLs Citrix provides and marked them as web meetings, and then in exceptions I checked off everything for web meetings.