Cisco Webex and Decrypt & scan HTTPS issue

I suspect you will need to add an application policy to your firewall rule to allow the webex application to work.

Ian

I have tried with none and the default "Block high risk" application options in the firewall rule.

It made no difference. I also see no blocked logs in the application logs while connecting to a webex.

Hi,

what rule does the log viewer show as the PC tries to connect. Ad a filter to your logviewer of the IP address of your PC.

Ian

Not too sure what you mean.

I have a firewall rule with an ID of 5. In the logs it either says firewall rule 5 or 0.

The ones matching rule 0 normally say 

However I only see green when i am connecting the audio.

Firewall rule 0 is the default firewall block/drop all. Basically it means your firewall rule has some filtering that the software doesn't like or does not match.

Please post a expanded copy of your firewall rule.

Ian

I have another rule that I did some testing with that just allowed any service to the WAN. Did not make any difference.

This is rule 5 - If i turn off the decrypt and scan https it all works fine.

I should mention right below this I have the following rule. So anything rejected should show up as a match to rule #12

Hi,

you don't need this rule, the firewall already has one.

For testing setup a rule at the top of your list.

Source LAN ,your PC IP address, destination WAN, any

MASQ.

Log traffic

Setup logviewer to display this rule using a filter.

Setup a call and see what traffic is passed, then display the results here.

Ian

Hi,

you don't need this rule, the firewall already has one.

For testing setup a rule at the top of your list.

Source LAN ,your PC IP address, destination WAN, any

MASQ.

Log traffic

Setup logviewer to display this rule using a filter.

Setup a call and see what traffic is passed, then display the results here.

Ian

O thanks I think I might be missing this. UDP 9000

 Adding port 9000 made no difference.

Are you using this with MS office cloud365?

If you have an "any" in the protocol/port list you would not need to add any ports, everything that is required to setup the connection should be allowed out.

I also see there is a UDP 443 which is Google QUIC. What I am not seeing is any SIP setup which I would expect for a VoIP type call?

Ian

None of that.

I am going to https://www.webex.com/test-meeting.html and joining the meeting

Once I have joined I go to connect the audio for my PC speakers/mic. It will sit there and fail/stop.

So what does the log show during this setup?

There is a lot of traffic going to many sites.

Ian

It matches that log. If I turn off https scanning it will work straight away.

Rule 18, the one you asked me to make. I had HTTPS scanning off for the log. Soon as I turn https scanning on it doesn't work.

Hi,

the application does not appear to work with proxies which is what https scanning does.

Basically you will need a rule that allows webex to not use http/s scanning. Do your users always go the same sites for webex conferences, if so you can build a specific rule to all http and https to access those sites only. I don't think creating an exception will work because it is still going through the proxy just not being scanned.

Quote from Cisco webex site.

So maybe make a rule with destinations similar to the domains I have in my exception list you think?

Correct.

Ian

Hi,

I created a rule on top but I am still unable to start audio on Webex meetings. It works only if I disable https decrypt.

Any other suggestings?

Best regards,

Alessandro

when testing the rule you made there I used any port not just http/https