
Cisco Webex and Decrypt & scan HTTPS issue

Hi

 

I am trying to get audio to connect within a Cisco Webex meeting.

If I disable Decrypt & scan HTTPS or add my IP to exceptions, the audio connects fine.

I have exceptions for each domain listed on https://help.webex.com/en-us/WBX264/Network-Requirements

They are all added in the following format

Looking through the web filter logs I do not see any other domains while trying to connect to the audio. So it appears they are all covered.

 

Is there any other reason the XG keeps putting itself between the PC and Cisco when doing the audio connections? Not sure where else to look on the XG for what is triggering this.



This thread was automatically locked due to age.
  • I suspect you will need to add an application policy to your firewall rule to allow the webex application to work.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I have tried with none and the default "Block high risk" application options in the firewall rule.

    It made no difference. I also see no blocked logs in the application logs while connecting to a webex.

     

  • Hi,

    What rule does the log viewer show as the PC tries to connect? Add a filter to your log viewer for the IP address of your PC.

    Ian


  • Not too sure what you mean.

     

    I have a firewall rule with an ID of 5. In the logs it either says firewall rule 5 or 0.

     

    The ones matching rule 0 normally say "Could not associate packet to any connection."

    However, I only see green when I am connecting the audio.

  • Firewall rule 0 is the default firewall block/drop all. Basically it means your firewall rule has some filtering that the software doesn't like or does not match.

    Please post an expanded copy of your firewall rule.

     

    Ian


  • I have another rule that I did some testing with that just allowed any service to the WAN. Did not make any difference.

    This is rule 5 - If I turn off the decrypt and scan HTTPS it all works fine.

     

  • I should mention right below this I have the following rule. So anything rejected should show up as a match to rule #12

     

  • Hi,

    you don't need this rule, the firewall already has one.

    For testing, set up a rule at the top of your list.

    Source LAN, your PC IP address, destination WAN, any

    MASQ.

    Log traffic

    Set up the log viewer to display this rule using a filter.

    Set up a call and see what traffic is passed, then display the results here.

    Ian


  • Oh, thanks, I think I might be missing this. UDP 9000

     Adding port 9000 made no difference.

  • Are you using this with MS office cloud365?

    If you have an "any" in the protocol/port list you would not need to add any ports, everything that is required to set up the connection should be allowed out.

    I also see there is a UDP 443 which is Google QUIC. What I am not seeing is any SIP setup which I would expect for a VoIP type call?

    Ian


  • None of that.

     

    I am going to https://www.webex.com/test-meeting.html and joining the meeting

    Once I have joined I go to connect the audio for my PC speakers/mic. It will sit there and fail/stop.

     

  • So what does the log show during this setup?

    There is a lot of traffic going to many sites.

    Ian


  • It matches that log. If I turn off https scanning it will work straight away.

    Rule 18, the one you asked me to make. I had HTTPS scanning off for the log. As soon as I turn HTTPS scanning on it doesn't work.

  • Hi,

    the application does not appear to work with proxies, which is what HTTPS scanning does.

    Basically you will need a rule that allows Webex to not use HTTP/S scanning. Do your users always go to the same sites for Webex conferences? If so, you can build a specific rule to allow HTTP and HTTPS to access those sites only. I don't think creating an exception will work because it is still going through the proxy, just not being scanned.

     

    Quote from Cisco webex site.

    "Architecture

    Firewall Friendly

    Work through most firewalls using standard HTTP and HTTPS ports."

     

    Ian

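One way to check from the PC whether HTTPS scanning is still re-signing a given hostname, as an added example (not posted in the thread and not Sophos or Cisco code): it classifies the issuer of the certificate the client actually receives. The CA name `Example-Firewall-SSL-CA` is a placeholder assumption for the appliance's signing CA, and the sample certificates are constructed.

```python
import socket
import ssl

# Assumption: substring of the issuer name of the firewall's HTTPS-scanning
# signing CA. Placeholder value; replace with the CA configured on your appliance.
FIREWALL_CA_HINTS = ("Example-Firewall-SSL-CA",)


def issuer_names(cert):
    """Flatten the issuer field of ssl.getpeercert() into a list of values."""
    return [value for rdn in cert.get("issuer", ()) for _key, value in rdn]


def classify(cert, ca_hints=FIREWALL_CA_HINTS):
    """Return 'resigned' if the issuer matches the firewall CA, else 'original'."""
    names = issuer_names(cert)
    for hint in ca_hints:
        if any(hint.lower() in name.lower() for name in names):
            return "resigned"
    return "original"


def probe(host, port=443, timeout=5.0):
    """Fetch the certificate this PC receives for host and classify its issuer."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # Chain does not validate against the local trust store, e.g. when
        # an inspecting CA is in the path but not installed on this PC.
        return "untrusted-chain"
    except OSError as exc:
        return f"unreachable ({exc.__class__.__name__})"


# Constructed sample certificates in the shape returned by getpeercert().
SAMPLE_RESIGNED = {"issuer": ((("commonName", "Example-Firewall-SSL-CA"),),)}
SAMPLE_ORIGINAL = {"issuer": ((("organizationName", "Example Public CA"),),
                              (("commonName", "Example Public CA G2"),))}

if __name__ == "__main__":
    for sample in (SAMPLE_RESIGNED, SAMPLE_ORIGINAL):
        print(issuer_names(sample), "->", classify(sample))
    # Hostname taken from the thread; add the domains from your exception list.
    print("www.webex.com ->", probe("www.webex.com"))
```

Running `probe()` for each domain in the exception list, with scanning on, shows which hostnames still come back as `resigned`.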