TLS Exclusion list Do not decrypt but Logmein show certificate from Sophos XGS firewall

Hello,

We have an XGS 136 firewall with SSL/TLS inspection enabled.
All workstations have Logmein installed.
The Sophos Firewall certificate is installed on the workstations as a trusted certificate in the local computer store.
On the XGS firewall I have created a Local TLS exclusion list for Logmein and also a Web Exception (HTTPS decryption & HTTPS certificate validation).

When I disable SSL/TLS inspection I can connect to the workstation with Logmein.
When SSL/TLS inspection is enabled I can NOT connect.


Local TLS exclusion list: logmein.com

URL pattern matches
^([A-Za-z0-9.-]*\.)?logmein\.com/
^[A-Za-z0-9.-]*\.[A-Za-z0-9.-]*\.logmein\.com/


screenshots:

No connection

LocalComputerCertificateTrusted

With disabled SSL/TLS inspection

How can I make a correct exception for Logmein?

Examples of Logmein connection URLs:
control.lmi-app20-05.logmein.com
control.lmi-app20-06.logmein.com
control.lmi-app20-07.logmein.com
control.lmi-app20-08.logmein.com
control.lmi-app03-10.logmein.com
control.lmi-app03-13.logmein.com
console-efuexvrqrs.lmi-app20-05.logmein.com
console-bybvznvduz.lmi-app20-07.logmein.com
console-agnyxrrvqk.lmi-app20-08.logmein.com

XGS LOG SSL-TLS-inspection-log



This thread was automatically locked due to age.
  • I would suggest that you review your non-use of the web proxy for a solution to logmein.

    Look at setting up a rule using proxy and logmein FQDN.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Children
  • Why is Sophos still decrypting Logmein if it is disabled?

    Is my URL pattern wrong?

    URL pattern matches
    ^([A-Za-z0-9.-]*\.)?logmein\.com/
    ^[A-Za-z0-9.-]*\.[A-Za-z0-9.-]*\.logmein\.com/

    If I disable SSL/TLS inspection for ALL traffic, Logmein works fine.

  • Hi,

    There is nothing wrong with your regex script. What you are experiencing is that there are more websites used by logmein than you have covered. Please review the application, web and SSL/TLS inspection logs in the log viewer using the IP address of the PC as the search criteria.

    Ian


  • There are also logmein.co and logmein.eu, and that was just a quick check.

    Ian


  • Yes, I know, the list of Logmein is almost endless ;)
    https://support.logmeininc.com/gotoassist-remote-support/help/whitelisting-and-firewall-configuration

    I have checked my firewall log for SSL/TLS inspection and there are only the *.logmein.com server names.

    My current list for the Logmein Web protection exception:

    URL pattern matches
    ^([A-Za-z0-9.-]*\.)?logmeinrescue-enterprise\.com/
    ^([A-Za-z0-9.-]*\.)?webservice\.logmein\.com/
    ^([A-Za-z0-9.-]*\.)?logmeinusercontent\.com/
    ^([A-Za-z0-9.-]*\.)?browse\.logmeinusercontent\.com/
    ^([A-Za-z0-9.-]*\.)?accounts\.logme\.in/
    ^([A-Za-z0-9.-]*\.)?logmeinrescue\.com/
    ^[A-Za-z0-9.-]*\.[A-Za-z0-9.-]*\.logmein\.com/
    ^([A-Za-z0-9.-]*\.)?logmeininc\.com/
    ^([A-Za-z0-9.-]*\.)?boldchat\.com/
    ^([A-Za-z0-9.-]*\.)?logmein\.com/
    ^([A-Za-z0-9.-]*\.)?internapcdn\.net/


    And my Logmein exception IPs:
    64.74.0.0/19
    64.74.112.0/20
    64.95.128.0/21
    69.88.148.0/22
    95.172.68.0/22

  • Hi,

    Thank you for the list. What I am suggesting are sites that are not logmein, like MS or Apple sites are not all called MS or Apple.

    Ian


  • I have checked my complete firewall log for SSL/TLS inspection again for errors and found an IP address which is used by Logmein and was not yet on my exclusion list, and added this:
    158.120.16.0/20

    Hope this helps my connection problems; I will test it over the next couple of days.
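
To check pattern coverage offline, the sketch below (an added example, not part of the original thread and not Sophos code) runs the two URL patterns from the question against server names quoted in the thread plus a few constructed ones. It assumes the firewall tests each pattern against the host followed by `/` with the scheme stripped, as the trailing `/` in the patterns suggests; Python's `re` stands in for the firewall's regex engine.

```python
import re

# URL patterns copied from the thread (Web exception for Logmein).
PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?logmein\.com/",
    r"^[A-Za-z0-9.-]*\.[A-Za-z0-9.-]*\.logmein\.com/",
]

# Server names quoted in the thread, plus the two domains a reply mentions.
THREAD_HOSTS = [
    "control.lmi-app20-05.logmein.com",
    "control.lmi-app03-13.logmein.com",
    "console-efuexvrqrs.lmi-app20-05.logmein.com",
    "logmein.co",
    "logmein.eu",
]

# Constructed names (not from the thread) to confirm the patterns do not over-match.
CONSTRUCTED_HOSTS = [
    "logmein.com",
    "secure.logmein.com",
    "notlogmein.com",
    "logmein.com.example.net",
]


def matching_patterns(host, patterns=PATTERNS):
    """Return the patterns that match 'host/' (assumed form: host + path, no scheme)."""
    target = host.lower().rstrip(".") + "/"
    return [p for p in patterns if re.search(p, target)]


def coverage(hosts, patterns=PATTERNS):
    """Map each host to True if at least one pattern would exclude it."""
    return {h: bool(matching_patterns(h, patterns)) for h in hosts}


def uncovered(hosts, patterns=PATTERNS):
    """Hosts that no pattern matches, so they would still be decrypted."""
    return [h for h, hit in coverage(hosts, patterns).items() if not hit]


if __name__ == "__main__":
    for host in THREAD_HOSTS + CONSTRUCTED_HOSTS:
        hits = matching_patterns(host)
        state = "excluded" if hits else "NOT matched"
        print(f"{host:46} {state} ({len(hits)} pattern(s))")
```

The same functions can be pointed at server names exported from the SSL/TLS inspection log to list any that the exception patterns miss.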
