Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 16 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 24044 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Goto Meeting/ Goto Training

JayMan

Starting to lose my mind with this one.

Added everything from here  http://support.citrixonline.com/en_us/meeting/all_files/G2M060010 To Web Protection/Filter Options/Websites as Trusted and into the Category as Web Meetings.

Created an Exceptionto allow access from selected AD group to Web Meetings Category

 

Try to load Goto Meeting and Training and get this.

2016-11-10 13:20:11.002 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 mcast::MCSNeighbor[1]::} _connect: connecting to the remote host [216.115.223.79, 68.64.13.78, 68.64.5.123(mcs37-1-isp1.atl.expertcity.com, mcs37-1-isp3.atl.expertcity.com, mcs37-1-isp2.atl.expertcity.com):80, 8200, 443]
2016-11-10 13:20:11.003 PST d: [g2mcomm] <mcast-agent> comm::jinet::JJediSocketProviderCreator::createSocketProvider(): validated server [mcs37-1-isp1.atl.expertcity.com(216.115.223.79<initial>), mcs37-1-isp3.atl.expertcity.com(68.64.13.78<initial>), mcs37-1-isp2.atl.expertcity.com(68.64.5.123<initial>)]
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(1)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp1.atl.expertcity.com"
2016-11-10 13:20:11.003 PST i: [g2mcomm] <mcast-agent> comm::jinet::JSpecProviderBroker::getJediProvider(): Matched the singleton connection spec provider
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(3)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp3.atl.expertcity.com"
2016-11-10 13:20:11.003 PST d: [g2mcomm] <mcast-agent> JEDI connect: Start connect to mcs37-1-isp1.atl.expertcity.com(216.115.223.79<initial>) (index=0)
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(2)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp2.atl.expertcity.com"
2016-11-10 13:20:11.004 PST i: [g2mcomm] <mcast-agent> JEDI connect: Creating SSL socket for SSL
2016-11-10 13:20:11.005 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 MCastPeerController::} connect: successfully initiated connect to peer 3
2016-11-10 13:20:11.005 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 EPSessionHelper::} _join: initiated join to server 1
2016-11-10 13:20:11.032 PST i: [g2mcomm] <mcast-agent> JEDI connect: Connected to address[0] mcs37-1-isp1.atl.expertcity.com(216.115.223.79<resolved>):443
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> (9000) "ECSecurityError::eBadCertificate"
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....
2016-11-10 13:20:11.246 PST s: [g2mcomm] <mcast-agent> EmbCert-OSCert 0 1
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandle::} handshake: failed to complete client handshake [(2014) "ECError::eEnd": ## SLS , cconn.cpp:239]
2016-11-10 13:20:11.306 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 mcast::MCSNeighbor[1]::} _disconnect: disconnecting from the remote host, current connectivity=unconnected and status=disconnected
2016-11-10 13:20:11.306 PST i: [g2mcomm] <mcast-agent> {DeviceStack[so(2)t]::} close: closing device stack [(2010) "ECError::eIOError"]
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandler::} push: error processing handshake [(2014) "ECError::eEnd"]

 

Now if I remove The Goto Meeting Category from my Exception which pretty much gives that AD group full access to the internet Goto Meeting and Training Opens instant. With the cert errors above is there another category I need to add.



This thread was automatically locked due to age.
Parents
  • 0

    Hi Jay,

    Add the URLs in Web protection> Filtering option> Misc> Skip transparent mode (destination). Uncheck the "Allow HTTP/S traffic for listed hosts/nets"

    Hope that helps:)

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    sachingurung said:

    Hi Jay,

    Add the URLs in Web protection> Filtering option> Misc> Skip transparent mode (destination). Uncheck the "Allow HTTP/S traffic for listed hosts/nets"

    Hope that helps:)

     

     

    I did this and all the Goto Meeting URLs stopped working.

  • 0 in reply to JayMan

    Hi JayMan,

    Show us a picture of your configuration to allow GoTo application. Next, take SSH to UTM and login as root. Check http.log and afc.log, do you see anything dropping here.

    You can also refer #1 in the Rulz by Bob here. Provide us the logs, look into the logs and if you catch any GoTo URL is blocked via UTM add it in the allowed list.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Reply
  • 0 in reply to JayMan

    Hi JayMan,

    Show us a picture of your configuration to allow GoTo application. Next, take SSH to UTM and login as root. Check http.log and afc.log, do you see anything dropping here.

    You can also refer #1 in the Rulz by Bob here. Provide us the logs, look into the logs and if you catch any GoTo URL is blocked via UTM add it in the allowed list.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Children
  • 0 in reply to sachingurung

     Ok so here is my websites and exceptions.    In websites I put in all the URL's Citrix provides and marked them as web meetings and then in exceptions I checked off everything for web meetings.

     

  • 0 in reply to JayMan

     

    Here is something else.  If I set it to only decrypt and scan some categories leaving out webmeetings.  Everything opens fine.  How is that different from putting in an exception to not check SSL.

     

  • 0 in reply to JayMan

    I'm sorry, JayMan, but this is just getting too long and too complex to follow.  Please post a summary of the current situation so that we can start from there instead of from the top.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Ok Summary:

     

    Goto Meeting and Goto Training Connection issues with Sophos UTM seems to be SSL based.

     

    Added in all the URL's and IP's Citrix provides for Firewall configs for all the Goto Apps into Websites (see picture below). Each website is retagged as Web meetings and trusted.

    Made an Web Exception based on AD group and the category Web Meetings (see next image) which includes bypassing everything but authentication so the AD groups work.

     

    When I try to load the Goto Meeting or Goto Training App it fails. Doesn't show any blocks in the UTM Logs just doesn't load.  Goto Meeting Logs show cert errors (from post #1  2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....)

     

    If I tell the UTM not to decrypt the HTTPS as seen below the websites all load without issue.

     

    So why doesn't the SSL Check Exceptions  not do the same thing as the HTTPS Scan Settings?  Shouldn't checking SSL scanning when making an exception force it to allow HTTPS/SSL traffic to pass without issue the same way telling it not to decrypt does above?

     

    Hopefully this makes more sense.

  • 0 in reply to JayMan

    Thanks, JayMan!

    I suspect that all of the Citrix stuff uses HTTPS, so you should try unchecking 'SSL Scanning' in your Exception.

    In fact, I just checked and confirmed that I've used GoToMeeting behind a UTM with full decrypt and scan and no Exceptions for GoToMeeting or Citrix, so I'm a bit confused by your experience.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Bob here is something to really boggle your mind.

     

    If I make an exception that has no categories or anything but coming from a AD group it works without issues. As soon as I put in the categories the issue comes up almost as if some URL I am missing that isnt showing up is in some other category. BUT if I check off all the categories it still doesn't work.

  • 0 in reply to JayMan

    plz try the following

    visit gotomeeting support page

    1. Create SSL exceptions in web filtering for the Citrix domains.

    2. Create the 17 citrix ip blocks from website above and add them in 'Skip Transparent mode Desination Hosts /Nets'

    3. Create firewall to these 17 Citrix IP blocks , allowing ports http,https, 1853,8200. (need to apply MASQ on the target PC/devices )

    In essence, you want to tell the web filter, for citrix IP range, do not use web filtering engine , use firewall rule.

    I have been also struggling with more or less similar problems. I believe somehow the https scanning is breaking the gotomeeting packets.I wanted to apply a similar work around with SOCKS, just like with Skype but you cannot specify proxy settings for the app. Hope that this may be helpful.

Unfiltered HTML