HTTPS scanning and MSN messenger

Hi folks,
I built a new ASG and implemented https scanning which works fine for most sites except MSN messenger.

I can get it to the stage of logon, but not any further until I disable https scanning.

I have tried putting the live.login.com in the proxy bypass but I think I still need other urls I can't identify.

Basically according to the MS site to login Messenger uses ports 80, 443 and 1863. I have added 1863 to the allowed list but Messenger doesn't seem to understand the proxy setup in IE. It is also using the socks proxy.

I was able to stop the rolling ads at the bottom of the messenger window.

I would be grateful for any pointers.

Ian M

Changed the packet filter rule and the system works, with proxy in standard mode, no https scanning at this stage. Looks like a PF rule to allow specific ports for messenger otherwise it looks a bit like skype with the range of ports that it requires.


  • There is a KB which might help you (Certain IM applications may not function when the HTTPS proxy is activated).


    However, MSN still doesn't work. I have to deselect Scan HTTPS (SSL) Traffic in order for it to work.

    I got the following in the content filter log:
    2009:03:15-14:36:14 Astaro httpproxy[4038]: [0xad901260] ssl_log_errors (ssl.c:41) C: 4038:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48
    2009:03:15-14:36:14 Astaro httpproxy[4038]: [0xad901260] ssl_log_errors (ssl.c:41) C: 4038:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:842: 


    I've tried setting up the ports to pf but nothing. 

    pf log :
     
    2009:03:15-11:40:19 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1826" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:40:25 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1826" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:40:25 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="46" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK PSH" 
    2009:03:15-11:40:26 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="40" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK FIN" 
    2009:03:15-11:40:27 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="46" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK PSH FIN" 
    2009:03:15-11:40:28 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1828" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:40:29 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="46" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK PSH FIN" 
    2009:03:15-11:40:31 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1828" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:40:34 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="46" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK PSH FIN" 
    2009:03:15-11:40:37 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1828" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:40:43 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="46" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK PSH FIN" 
    2009:03:15-11:40:51 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1833" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:40:54 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1833" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:41:00 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1833" dstport="1863" tcpflags="SYN" 
    2009:03:15-11:41:03 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="46" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK PSH FIN" 
    2009:03:15-11:41:15 Astaro ulogd[3272]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" seq="0" initf="eth1" outitf="eth1" dstmac="00:b0:c2:02:e4:4f" srcmac="00:b0:c2:02:e3:c7" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" length="40" tos="0x00" prec="0x00" ttl="126" srcport="1790" dstport="1863" tcpflags="ACK RST"


    indicating that 1836 port is not allowed (MSN); however, I have a rule that allows that traffic (I can't see those logs when HTTPS is disabled)

    Internal (Network)>>Instant Messaging (IM)>>any
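
An added example, not part of any post in this thread: a short Python parser for packet filter lines in the format posted above. It groups drops by rule, destination and TCP flags, so that blocked new connections (SYN only) can be told apart from packets of connections the client already considers open, and it counts drops where the packet enters and leaves on the same interface. The sample lines are constructed from the posted fields with some fields trimmed; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the ulogd lines posted above (fields trimmed).
SAMPLE = '''\
2009:03:15-11:40:19 Astaro ulogd[3272]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" srcport="1826" dstport="1863" tcpflags="SYN"
2009:03:15-11:40:25 Astaro ulogd[3272]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcip="192.168.2.90" dstip="65.54.239.140" proto="6" srcport="1826" dstport="1863" tcpflags="SYN"
2009:03:15-11:40:25 Astaro ulogd[3272]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" srcport="1790" dstport="1863" tcpflags="ACK PSH"
2009:03:15-11:41:15 Astaro ulogd[3272]: id="2001" sub="packetfilter" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcip="192.168.2.90" dstip="207.46.110.68" proto="6" srcport="1790" dstport="1863" tcpflags="ACK RST"
2009:03:15-14:36:14 Astaro httpproxy[4038]: ssl_log_errors (ssl.c:41) SSL alert number 48
'''

KV = re.compile(r'(\w+)="([^"]*)"')


def parse(line):
    """Return the key="value" fields of one packet filter line, or None for other log lines."""
    fields = dict(KV.findall(line))
    return fields if fields.get("sub") == "packetfilter" else None


def summarize(text):
    """Count drops per (fwrule, dstip, dstport, kind) and drops with initf == outitf.

    kind is "new" when the only TCP flag is SYN (a connection attempt that no
    allow rule matched) and "mid-stream" for any other flag combination (a
    packet of a connection the client believes is already open).
    """
    drops = Counter()
    same_interface = 0
    for line in text.splitlines():
        fields = parse(line)
        if not fields or fields.get("action") != "drop":
            continue
        flags = fields.get("tcpflags", "").split()
        kind = "new" if flags == ["SYN"] else "mid-stream"
        key = (fields.get("fwrule"), fields.get("dstip"), fields.get("dstport"), kind)
        drops[key] += 1
        if fields.get("initf") and fields.get("initf") == fields.get("outitf"):
            same_interface += 1
    return drops, same_interface


if __name__ == "__main__":
    counts, same_if = summarize(SAMPLE)
    for (rule, dstip, dport, kind), n in counts.most_common():
        print(f"fwrule={rule} {dstip}:{dport} {kind:<10} drops={n}")
    print(f"drops entering and leaving on the same interface: {same_if}")
```
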
  • OK, I gotta ask.  What is the solution?

    Thanks - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I installed the certification using mms under the root trusted and MS update and MSN messenger works. I am facing some issues with logmein at the moment in which I get SSL negotiation errors
  • I still have problems with MSN.
    I have imported the Astaro cert to the trusted root CA.
    What else is there to do?