
Goto Meeting/ Goto Training

Starting to lose my mind with this one.

Added everything from here (http://support.citrixonline.com/en_us/meeting/all_files/G2M060010) to Web Protection/Filter Options/Websites as Trusted and into the category Web Meetings.

Created an Exception to allow access from a selected AD group to the Web Meetings category.

Try to load Goto Meeting and Training and get this:

2016-11-10 13:20:11.002 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 mcast::MCSNeighbor[1]::} _connect: connecting to the remote host [216.115.223.79, 68.64.13.78, 68.64.5.123(mcs37-1-isp1.atl.expertcity.com, mcs37-1-isp3.atl.expertcity.com, mcs37-1-isp2.atl.expertcity.com):80, 8200, 443]
2016-11-10 13:20:11.003 PST d: [g2mcomm] <mcast-agent> comm::jinet::JJediSocketProviderCreator::createSocketProvider(): validated server [mcs37-1-isp1.atl.expertcity.com(216.115.223.79<initial>), mcs37-1-isp3.atl.expertcity.com(68.64.13.78<initial>), mcs37-1-isp2.atl.expertcity.com(68.64.5.123<initial>)]
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(1)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp1.atl.expertcity.com"
2016-11-10 13:20:11.003 PST i: [g2mcomm] <mcast-agent> comm::jinet::JSpecProviderBroker::getJediProvider(): Matched the singleton connection spec provider
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(3)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp3.atl.expertcity.com"
2016-11-10 13:20:11.003 PST d: [g2mcomm] <mcast-agent> JEDI connect: Start connect to mcs37-1-isp1.atl.expertcity.com(216.115.223.79<initial>) (index=0)
2016-11-10 13:20:11.003 PST i: [g2mcomm] <AddressResolver(2)(AddressResolveTask)(0)> DNS lookup for "mcs37-1-isp2.atl.expertcity.com"
2016-11-10 13:20:11.004 PST i: [g2mcomm] <mcast-agent> JEDI connect: Creating SSL socket for SSL
2016-11-10 13:20:11.005 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 MCastPeerController::} connect: successfully initiated connect to peer 3
2016-11-10 13:20:11.005 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 EPSessionHelper::} _join: initiated join to server 1
2016-11-10 13:20:11.032 PST i: [g2mcomm] <mcast-agent> JEDI connect: Connected to address[0] mcs37-1-isp1.atl.expertcity.com(216.115.223.79<resolved>):443
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> (9000) "ECSecurityError::eBadCertificate"
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....
2016-11-10 13:20:11.246 PST s: [g2mcomm] <mcast-agent> EmbCert-OSCert 0 1
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandle::} handshake: failed to complete client handshake [(2014) "ECError::eEnd": ## SLS , cconn.cpp:239]
2016-11-10 13:20:11.306 PST i: [g2mcomm] <mcast-agent> {Session 6821593718158790153 mcast::MCSNeighbor[1]::} _disconnect: disconnecting from the remote host, current connectivity=unconnected and status=disconnected
2016-11-10 13:20:11.306 PST i: [g2mcomm] <mcast-agent> {DeviceStack[so(2)t]::} close: closing device stack [(2010) "ECError::eIOError"]
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandler::} push: error processing handshake [(2014) "ECError::eEnd"]

Now if I remove the Goto Meeting category from my Exception, which pretty much gives that AD group full access to the internet, Goto Meeting and Training open instantly. With the cert errors above, is there another category I need to add?
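The log excerpt above is the security-relevant clue: the TCP connect to port 443 succeeds, then the client reports eBadCertificate and "Certificate verification using Local Certificate Store failed", i.e. it checks the server certificate against its own embedded store rather than (only) the OS store. A proxy that decrypts and scans HTTPS re-signs every server certificate with its own CA, which the OS may trust but an embedded store will not, and the firewall shows no block because the connection itself was allowed. The following script is an added example written for this thread (it is not Citrix or Sophos code): it triages g2mcomm log lines for that pattern, using the lines from the post above as constructed sample input, and includes an optional live probe of a host's certificate trust from the affected client. The verdict wording and the probe are this example's own reading of the thread, not a documented Citrix error table.

```python
"""Triage a GoToMeeting (g2mcomm) client log for TLS handshake failures that
look like HTTPS interception by a scanning proxy.

Added example for this thread, not Citrix or Sophos code. The sample log
lines below are a subset copied from the first post; the verdict logic is an
interpretation of those lines, not a documented error-code table.
"""
import re
import socket
import ssl

# Constructed sample: a subset of the lines quoted in the thread.
SAMPLE_LOG = """\
2016-11-10 13:20:11.004 PST i: [g2mcomm] <mcast-agent> JEDI connect: Creating SSL socket for SSL
2016-11-10 13:20:11.032 PST i: [g2mcomm] <mcast-agent> JEDI connect: Connected to address[0] mcs37-1-isp1.atl.expertcity.com(216.115.223.79<resolved>):443
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> (9000) "ECSecurityError::eBadCertificate"
2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....
2016-11-10 13:20:11.246 PST s: [g2mcomm] <mcast-agent> EmbCert-OSCert 0 1
2016-11-10 13:20:11.306 PST E: [g2mcomm] <mcast-agent> {CryptoHandle::} handshake: failed to complete client handshake [(2014) "ECError::eEnd": ## SLS , cconn.cpp:239]
"""

# One g2mcomm line: timestamp, one-letter level, [module], <thread>, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \w+) "
    r"(?P<level>\w): \[(?P<module>[^\]]+)\] <(?P<thread>[^>]+)> (?P<msg>.*)$"
)
CONNECTED_RE = re.compile(
    r"Connected to address\[\d+\] (?P<host>[\w.-]+)\((?P<ip>[\d.]+)<resolved>\):(?P<port>\d+)"
)
# "EmbCert-OSCert 0 1" is read here as embedded-store result / OS-store result.
EMBCERT_RE = re.compile(r"EmbCert-OSCert (?P<emb>\d) (?P<os>\d)")


def parse_lines(text):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def triage(text):
    """Summarise what the client saw on its TLS connection and give a verdict."""
    result = {
        "endpoint": None, "tcp_connected": False, "bad_certificate": False,
        "local_store_failed": False, "handshake_failed": False,
        "embcert_flags": None, "verdict": "no TLS problem seen",
    }
    for rec in parse_lines(text):
        msg = rec["msg"]
        conn = CONNECTED_RE.search(msg)
        emb = EMBCERT_RE.search(msg)
        if conn:
            result["tcp_connected"] = True
            result["endpoint"] = (conn["host"], conn["ip"], int(conn["port"]))
        elif "ECSecurityError::eBadCertificate" in msg:
            result["bad_certificate"] = True
        elif "Certificate verification using Local Certificate Store failed" in msg:
            result["local_store_failed"] = True
        elif "failed to complete client handshake" in msg and rec["level"] == "E":
            result["handshake_failed"] = True
        elif emb:
            result["embcert_flags"] = (int(emb["emb"]), int(emb["os"]))

    if result["tcp_connected"] and result["bad_certificate"] and result["local_store_failed"]:
        result["verdict"] = (
            "TLS interception suspected: TCP connect succeeded but the client rejected "
            "the server certificate against its embedded store; a firewall log shows no "
            "block because the proxy allowed the connection and re-signed the certificate"
        )
    elif result["handshake_failed"]:
        result["verdict"] = "TLS handshake failed for another reason; inspect the surrounding lines"
    return result


def probe_trust(host, port=443, timeout=5.0):
    """Live check (needs network; not run by default): does the OS trust store
    accept the certificate presented for host:port from this client?
    Returns ('trusted', issuer_dict) or ('untrusted', reason). A 'trusted'
    result whose issuer is the proxy's own CA rather than a public CA, or an
    'untrusted' result, both indicate the certificate is being re-signed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return ("trusted", issuer)
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted", exc.verify_message)


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against the client's full g2mcomm log to confirm the same three-step pattern (connect, eBadCertificate, local-store failure) rather than a DNS or TCP problem; run probe_trust from the affected workstation against one of the logged hosts to see which CA is actually issuing the certificate the client receives. A proxy bypass (no decryption for those destinations) is the fix such a client needs, since it cannot be made to trust the proxy CA.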




    Here is something else. If I set it to only decrypt and scan some categories, leaving out Web Meetings, everything opens fine. How is that different from putting in an exception to not check SSL?

  • I'm sorry, JayMan, but this is just getting too long and too complex to follow.  Please post a summary of the current situation so that we can start from there instead of from the top.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok Summary:

    Goto Meeting and Goto Training connection issues with Sophos UTM seem to be SSL based.

     

    Added all the URLs and IPs Citrix provides for firewall configs for all the Goto apps into Websites (see picture below). Each website is retagged as Web Meetings and trusted.

    Made a Web Exception based on the AD group and the category Web Meetings (see next image), which includes bypassing everything but authentication so the AD groups work.

     

    When I try to load the Goto Meeting or Goto Training app it fails. It doesn't show any blocks in the UTM logs; it just doesn't load. Goto Meeting logs show cert errors (from post #1: 2016-11-10 13:20:11.246 PST i: [g2mcomm] <mcast-agent> Certificate verification using Local Certificate Store failed with error. Logging peer certificate....)

     

    If I tell the UTM not to decrypt HTTPS, as seen below, the websites all load without issue.

     

    So why doesn't the SSL Check Exception do the same thing as the HTTPS Scan Settings? Shouldn't checking SSL scanning when making an exception force it to allow HTTPS/SSL traffic to pass without issue, the same way telling it not to decrypt does above?

     

    Hopefully this makes more sense.

  • Thanks, JayMan!

    I suspect that all of the Citrix stuff uses HTTPS, so you should try unchecking 'SSL Scanning' in your Exception.

    In fact, I just checked and confirmed that I've used GoToMeeting behind a UTM with full decrypt and scan and no Exceptions for GoToMeeting or Citrix, so I'm a bit confused by your experience.

    Cheers - Bob

  • Bob, here is something to really boggle your mind.

     

    If I make an exception that has no categories or anything, just coming from an AD group, it works without issues. As soon as I put in the categories the issue comes up, almost as if some URL I am missing that isn't showing up is in some other category. BUT if I check off all the categories it still doesn't work.

  • Please try the following:

    Visit the GoToMeeting support page.

    1. Create SSL exceptions in web filtering for the Citrix domains.

    2. Create the 17 Citrix IP blocks from the website above and add them to 'Skip Transparent Mode Destination Hosts/Nets'.

    3. Create a firewall rule to these 17 Citrix IP blocks, allowing ports HTTP, HTTPS, 1853, 8200 (need to apply MASQ on the target PCs/devices).

    In essence, you want to tell the web filter: for the Citrix IP range, do not use the web filtering engine, use the firewall rule.

    I have also been struggling with more or less similar problems. I believe somehow the HTTPS scanning is breaking the GoToMeeting packets. I wanted to apply a similar workaround with SOCKS, just like with Skype, but you cannot specify proxy settings for the app. Hope this may be helpful.